Malware Analysis Report

2024-11-15 08:30

Sample ID 240404-bzdvfaah9x
Target ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118
SHA256 f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353
Tags
agilenet evasion themida trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353

Threat Level: Likely malicious

The file ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 01:34

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 01:34

Reported

2024-04-04 01:37

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uranigger.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\uranigger.exe

"C:\Users\Admin\AppData\Local\Temp\uranigger.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 432

Network

N/A

Files

memory/2180-0-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2180-1-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2180-2-0x0000000002700000-0x0000000002740000-memory.dmp

\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2180-9-0x00000000721C0000-0x00000000727C8000-memory.dmp

memory/2180-10-0x00000000721C0000-0x00000000727C8000-memory.dmp

memory/2180-11-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

memory/2180-12-0x00000000721C0000-0x00000000727C8000-memory.dmp

memory/2180-13-0x0000000073EA0000-0x0000000073EFB000-memory.dmp

\Users\Admin\AppData\Local\Temp\uranigger.exe

MD5 10b558706690282a3807ccce1b334e14
SHA1 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e
SHA256 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9
SHA512 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295

memory/2696-24-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2696-25-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2696-26-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2180-27-0x00000000721C0000-0x00000000727C8000-memory.dmp

memory/2180-28-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2516-30-0x0000000000510000-0x0000000000511000-memory.dmp

memory/2696-31-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2696-32-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2516-33-0x0000000000510000-0x0000000000511000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 01:34

Reported

2024-04-04 01:37

Platform

win10v2004-20240319-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uranigger.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\uranigger.exe

"C:\Users\Admin\AppData\Local\Temp\uranigger.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3252 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 185.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 14.34.115.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 225.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

memory/3236-0-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3236-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3236-2-0x0000000001480000-0x0000000001490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/3236-10-0x0000000072DF0000-0x00000000733F8000-memory.dmp

memory/3236-11-0x00000000777E4000-0x00000000777E6000-memory.dmp

memory/3236-12-0x0000000072DF0000-0x00000000733F8000-memory.dmp

memory/3236-13-0x0000000072DF0000-0x00000000733F8000-memory.dmp

memory/3236-14-0x0000000073BE0000-0x0000000073C3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uranigger.exe

MD5 10b558706690282a3807ccce1b334e14
SHA1 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e
SHA256 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9
SHA512 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295

memory/3096-28-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3096-29-0x00000000019E0000-0x00000000019F0000-memory.dmp

memory/3236-30-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3096-31-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3236-27-0x0000000072DF0000-0x00000000733F8000-memory.dmp

memory/3096-38-0x0000000074EC0000-0x0000000075471000-memory.dmp