Malware Analysis Report

2025-03-14 22:32

Sample ID 240406-145ldsce5y
Target e3674b36739713a51de142c301de6b27_JaffaCakes118
SHA256 c6de8054497b05b86feed7026c3b656b234f76e0d41841c25170c2124bd42f28
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c6de8054497b05b86feed7026c3b656b234f76e0d41841c25170c2124bd42f28

Threat Level: Shows suspicious behavior

The file e3674b36739713a51de142c301de6b27_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:13

Reported

2024-04-06 22:15

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 416

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:13

Reported

2024-04-06 22:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Amoqya.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\DD1APJEZAI = "C:\\Windows\\Amoqya.exe" C:\Windows\Amoqya.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Amoqya.exe C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Amoqya.exe C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Amoqya.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Amoqya.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe"

C:\Windows\Amoqya.exe

C:\Windows\Amoqya.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 clicksor.com udp
US 8.8.8.8:53 walmart.com udp

Files

memory/2732-1-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2732-0-0x0000000000230000-0x0000000000246000-memory.dmp

C:\Windows\Amoqya.exe

MD5 e3674b36739713a51de142c301de6b27
SHA1 7afe5512bba38caef89d2b1dea7cfd627f81c87a
SHA256 c6de8054497b05b86feed7026c3b656b234f76e0d41841c25170c2124bd42f28
SHA512 d16e614d2fde4cdc120dd70bcc35363ebb14aac177aeaeaa825814a775c96045c18b1c6ff08f378bd941ce976b370b3aac132a4254b1ed20639e3023272735f9

memory/2520-10-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

MD5 ddb0ebb5e402faf9b6055fb99b245d43
SHA1 e7e67dd94b12133ae558a46a45f1055d3c6d5187
SHA256 c329bd4c2ef6ed3f6b85fee10fc7403e4242e8e274a3f0fee928c58362574af4
SHA512 6b1245341666b81c8f59edf9207e7f6aec4a94535d25d21d5856839c02b127a37ef38b0ad93111284d3486bd90609c261f054cae9f52be58d8c8e74f1b18fd69

memory/2732-7319-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2520-19217-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2732-24648-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2520-36312-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2520-43292-0x0000000000400000-0x000000000043C000-memory.dmp