Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1q6arscg35
Target e35e216d338c6e80a1590460e9e92bff_JaffaCakes118
SHA256 26fcbcdeba9fd5c23d4b30c40d180ac18c4f3d080527ffe50d298287db006875
Tags persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

26fcbcdeba9fd5c23d4b30c40d180ac18c4f3d080527ffe50d298287db006875

Threat Level: Likely malicious

The file e35e216d338c6e80a1590460e9e92bff_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:52

Reported

2024-04-06 21:54

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\dplaysvr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe" | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe" | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\dplaysvr.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\dplaysvr.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Users\Admin\AppData\Local\dplaysvr.exe

"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe

Network

Country | Destination | Domain | Proto
US | 190.9.35.199:80 | | tcp
US | 190.9.35.199:80 | | tcp

Files

memory/2320-0-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2320-4-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\935A.tmp

MD5 cbe53ba57c3c6a8d15601bae42952a8d
SHA1 918f846e807a40efa0e9b28b059ea41a9e9af0e8
SHA256 793c278612c1c1bc39b9bb516c86729e137702da72dc0915a0eadbef068af0b6
SHA512 e009ee796f3ba83b617d6037551b34cce48deef363bdb9fe8b0926f3f84d3003f3b5fa055dc0733b2cb9f595b42337e308d953004abc776f00a568e7874ad5fe

C:\Windows\System32\drivers\etc\hosts

MD5 b8dc34273f4a5febd78da41013fa38ea
SHA1 d154c933e978a974bb26ef3f34310251e379bf17
SHA256 69a9b750833e23b6fe85db441f896707c251f70b76cae72aba866f27a376aeb3
SHA512 f4be940791a955fed2ce956c4fb45731c36cbd3d4f6b877585cced5dac1506e2be18f3a6047437d56328c6fbb2f3b536a07683c2058e316f27b36b567f93f87c

C:\Users\Admin\AppData\Local\dplayx.dll

MD5 a5b875a13d1c309f1d8403b7d661349e
SHA1 1fcef7b2cb19b6eccba4aec688e8ea12ee2517ee
SHA256 561714ea2b49577f67d1cbc3f235b39b21d8a4bd8bfadc48d8ab06f49e69c991
SHA512 fd6f7329c85693b7dac02fee818206c3c7edce3c3876c9073b5432d137181e9347e9f505cceceeee59aa8600a1051a5627526d2a2708654b217c75744080974d

memory/2488-21-0x00000000003B0000-0x00000000003C8000-memory.dmp

memory/2488-22-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2488-24-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2488-26-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2488-27-0x0000000000420000-0x0000000000444000-memory.dmp

memory/2488-29-0x0000000001BE0000-0x0000000001C04000-memory.dmp

memory/2488-28-0x0000000001BE0000-0x0000000001C04000-memory.dmp

memory/2488-32-0x00000000779FF000-0x0000000077A00000-memory.dmp

memory/2488-31-0x0000000077A00000-0x0000000077A01000-memory.dmp

memory/2488-35-0x0000000000490000-0x0000000000491000-memory.dmp

memory/2320-34-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2488-33-0x0000000001C60000-0x0000000001C61000-memory.dmp

memory/2488-30-0x0000000076770000-0x0000000076880000-memory.dmp

memory/2488-36-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2488-37-0x0000000001BE0000-0x0000000001C04000-memory.dmp

memory/2320-38-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:52

Reported

2024-04-06 21:54

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\dplaysvr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe" | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe" | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\dplaysvr.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Users\Admin\AppData\Local\dplaysvr.exe

"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\e35e216d338c6e80a1590460e9e92bff_JaffaCakes118.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 228

Network

Country | Destination | Domain | Proto
US | 190.9.35.199:80 | | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/2532-0-0x00000000021B0000-0x00000000021E4000-memory.dmp

memory/2532-4-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4045.tmp

MD5 cbe53ba57c3c6a8d15601bae42952a8d
SHA1 918f846e807a40efa0e9b28b059ea41a9e9af0e8
SHA256 793c278612c1c1bc39b9bb516c86729e137702da72dc0915a0eadbef068af0b6
SHA512 e009ee796f3ba83b617d6037551b34cce48deef363bdb9fe8b0926f3f84d3003f3b5fa055dc0733b2cb9f595b42337e308d953004abc776f00a568e7874ad5fe

C:\Users\Admin\AppData\Local\Temp\4046.tmp

MD5 a5b875a13d1c309f1d8403b7d661349e
SHA1 1fcef7b2cb19b6eccba4aec688e8ea12ee2517ee
SHA256 561714ea2b49577f67d1cbc3f235b39b21d8a4bd8bfadc48d8ab06f49e69c991
SHA512 fd6f7329c85693b7dac02fee818206c3c7edce3c3876c9073b5432d137181e9347e9f505cceceeee59aa8600a1051a5627526d2a2708654b217c75744080974d

C:\Users\Admin\AppData\Local\Temp\4048.tmp

MD5 b8dc34273f4a5febd78da41013fa38ea
SHA1 d154c933e978a974bb26ef3f34310251e379bf17
SHA256 69a9b750833e23b6fe85db441f896707c251f70b76cae72aba866f27a376aeb3
SHA512 f4be940791a955fed2ce956c4fb45731c36cbd3d4f6b877585cced5dac1506e2be18f3a6047437d56328c6fbb2f3b536a07683c2058e316f27b36b567f93f87c

memory/2532-20-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2532-22-0x0000000000400000-0x0000000000434000-memory.dmp