Malware Analysis Report

2025-04-03 10:26

Sample ID 250305-v5dleavnw4
Target JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676
SHA256 4dde47ad729e17327906605b20359031be76f032585bf7a67622e7229d5c8a68
Tags
latentbot modiloader defense_evasion discovery persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dde47ad729e17327906605b20359031be76f032585bf7a67622e7229d5c8a68

Threat Level: Known bad

The file JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676 was found to be: Known bad.

Malicious Activity Summary

latentbot modiloader defense_evasion discovery persistence trojan upx

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

LatentBot

Latentbot family

UAC bypass

ModiLoader Second Stage

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 17:34

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 17:34

Reported

2025-03-05 17:36

Platform

win10v2004-20250217-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp
US 8.8.8.8:53 ragnarokmetal.zapto.org udp

Files

memory/876-0-0x0000000000400000-0x0000000000450000-memory.dmp

memory/876-1-0x00000000006D0000-0x00000000006D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

MD5 67587e25a971a141628d7f07bd40ffa0
SHA1 76fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256 e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA512 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

C:\Users\Admin\AppData\Local\Temp\cmsetac.dll

MD5 5916979db28b2291a0de89fa2ea1c4ef
SHA1 89b50c7c64294cc18d058d7d82e43f293c96911c
SHA256 c4546d55d0635d5e110f7674ba986d47082ec8352a4a1da4fb5724accc49b71b
SHA512 8f485f3da27655a248fbe2667859130448461725af5ea679a5e85f13fe83652e6f0a3f92321b0b714e9b75d5f050f45800f88b7f198455c1ea523d17fc17946d

memory/876-12-0x00000000029E0000-0x00000000029EE000-memory.dmp

memory/876-15-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/876-16-0x0000000000400000-0x0000000000450000-memory.dmp

memory/876-18-0x00000000029E0000-0x00000000029EE000-memory.dmp

memory/876-17-0x0000000002440000-0x0000000002448000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 17:34

Reported

2025-03-05 17:36

Platform

win7-20241010-en

Max time kernel

143s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ragnarokmetal.zapto.org udp

Files

memory/2148-0-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2148-1-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2148-2-0x0000000000550000-0x0000000000551000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

MD5 67587e25a971a141628d7f07bd40ffa0
SHA1 76fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256 e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA512 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

\Users\Admin\AppData\Local\Temp\cmsetac.dll

MD5 5916979db28b2291a0de89fa2ea1c4ef
SHA1 89b50c7c64294cc18d058d7d82e43f293c96911c
SHA256 c4546d55d0635d5e110f7674ba986d47082ec8352a4a1da4fb5724accc49b71b
SHA512 8f485f3da27655a248fbe2667859130448461725af5ea679a5e85f13fe83652e6f0a3f92321b0b714e9b75d5f050f45800f88b7f198455c1ea523d17fc17946d

memory/2148-8-0x00000000027E0000-0x00000000027EE000-memory.dmp

memory/2148-10-0x0000000076B00000-0x0000000076B01000-memory.dmp

memory/2148-11-0x0000000076AF0000-0x0000000076BE0000-memory.dmp

memory/2148-12-0x0000000076AF0000-0x0000000076BE0000-memory.dmp

memory/2148-13-0x0000000001F30000-0x0000000001F38000-memory.dmp

memory/2148-14-0x00000000027E0000-0x00000000027EE000-memory.dmp

memory/2148-15-0x0000000076AF0000-0x0000000076BE0000-memory.dmp