Malware Analysis Report

2024-11-15 08:31

Sample ID 240404-3tjbhseg27
Target c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118
SHA256 f16acceaef0ae8c24d8ed49928a0eab7b63bbfd11e13749d2b43321bd3c4f7cd
Tags: agilenet evasion themida trojan
Score: 9/10


Analysis Overview

Score: 9/10

SHA256: f16acceaef0ae8c24d8ed49928a0eab7b63bbfd11e13749d2b43321bd3c4f7cd

Threat Level: Likely malicious

The file c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 23:48

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 23:48
Reported: 2024-04-04 23:50
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 zerobytez.xyz udp

Files

\Users\Admin\AppData\Local\Temp\ba012cba-2679-4da3-a26b-788d51617354\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 23:48
Reported: 2024-04-04 23:50
Platform: win10v2004-20231215-en
Max time kernel: 145s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c507dec437e09f01e4cf70dd85d478b1_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 225.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 zerobytez.xyz udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ba012cba-2679-4da3-a26b-788d51617354\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b