Malware Analysis Report

2025-03-14 22:55

Sample ID  240406-1qvh9sca6y
Target     e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118
SHA256     862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03
Tags       evasion, persistence
Score      10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score   10/10
SHA256  862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03

Threat Level: Known bad

The file e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118 was classified as Known bad. In both detonations (Windows 7 and Windows 10) it copies itself, byte for byte, to C:\Program Files (x86)\Common Files\System\klass.exe (the dropped file's MD5, SHA1 and SHA256 are identical to the sample's), registers that copy under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as "Windows Update", adds a firewall authorized-application exception for it under the same display name, and then resolves irc.rootattack.com and connects repeatedly to 44.221.239.236 on TCP/6667, the default IRC port. The behaviour is consistent with an IRC-controlled bot; the sandbox does not record what was exchanged over those sessions.

Malicious Activity Summary

Tags: evasion, persistence

  Modifies firewall policy service
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops file in Program Files directory
  Unsigned PE
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:51

Signatures

Unsigned PE
  The sample carries no Authenticode signature. Static signatures have no process or target context, so the Description, Indicator, Process and Target columns are all N/A for this entry.

Analysis: behavioral1

Detonation Overview

  Submitted         2024-04-06 21:51
  Reported          2024-04-06 21:54
  Platform          win7-20240221-en
  Max time kernel   131s
  Max time network  144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe"

Signatures

Modifies firewall policy service  [evasion]

  Set value (str)
    Indicator:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\klass.exe = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe:*:Enabled:Windows Update"
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe
    Target:     N/A

  The value uses the legacy (Windows XP SP2-era) authorized-application format <image>:<scope>:<Enabled|Disabled>:<display name>: the dropped klass.exe is allowed for any remote address ("*") under the display name "Windows Update". Windows Vista and later keep their active rule set under FirewallPolicy\FirewallRules, and this report does not establish whether the legacy entry is honoured on the Windows 7 guest; the write itself is the indicator to detect on.

Executes dropped EXE

  Process:    C:\Program Files (x86)\Common Files\System\klass.exe
  No further indicator or target is recorded for this signature.

Adds Run key to start application  [persistence]

  Set value (str)
    Indicator:  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe"
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe
    Target:     N/A

  The Wow6432Node path is the registry redirection a 32-bit process receives when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a 64-bit Windows; the value name "Windows Update" is chosen to blend in with legitimate autostart entries.

Drops file in Program Files directory

  File opened for modification  C:\Program Files (x86)\Common Files\System            by C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System            by C:\Program Files (x86)\Common Files\System\klass.exe
  File created                  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Program Files (x86)\Common Files\System\klass.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Program Files (x86)\Common Files\System\klass.exe

  No target is recorded for any of these rows. The original sample writes klass.exe, and the launched copy then runs the same install routine against its own path, which is why each operation appears twice.

Processes

C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe"

C:\Program Files (x86)\Common Files\System\klass.exe

"C:\Program Files (x86)\Common Files\System\klass.exe"

Network

Country  Destination          Domain              Proto
US       8.8.8.8:53           irc.rootattack.com  udp
US       44.221.239.236:6667  irc.rootattack.com  tcp
US       44.221.239.236:6667  irc.rootattack.com  tcp
US       44.221.239.236:6667  irc.rootattack.com  tcp
US       8.8.8.8:53           irc.rootattack.com  udp
US       44.221.239.236:6667  irc.rootattack.com  tcp
US       44.221.239.236:6667  irc.rootattack.com  tcp
US       44.221.239.236:6667  irc.rootattack.com  tcp

Each burst of connections is preceded by a DNS query for irc.rootattack.com to the guest's resolver (8.8.8.8), followed by repeated TCP sessions to 44.221.239.236 on 6667, the default IRC port. The resolved address is what the sandbox observed on 2024-04-06; treat it as a point-in-time indicator and pivot on the domain when hunting.

Files

memory/2724-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files (x86)\Common Files\System\klass.exe
  MD5     e35d9f2e62b6b44088ee17fa229d1517
  SHA1    805701b71187565c0a9a73fcbf892ab1ff0049e4
  SHA256  862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03
  SHA512  296edb3b164259344585fa55434847268fa86c9fc02fec09ef1a4ea9fe058847242eca38820e627785a933c6b68bbe3ada5ee75e9be76dba95e40aafb3e27ae6

  These hashes match the submitted sample exactly, so klass.exe is a byte-for-byte self-copy rather than a second-stage payload; one hash set covers both files.

memory/2724-9-0x00000000005B0000-0x00000000005CD000-memory.dmp

memory/2724-12-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

  Submitted         2024-04-06 21:51
  Reported          2024-04-06 21:54
  Platform          win10v2004-20240226-en
  Max time kernel   131s
  Max time network  150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe"

Signatures

Modifies firewall policy service  [evasion]

  Key created
    Indicator:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe
  Key created
    Indicator:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe
  Set value (str)
    Indicator:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\klass.exe = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe:*:Enabled:Windows Update"
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe
  Key created
    Indicator:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe

  No target is recorded for any row. Unlike the Windows 7 run, the StandardProfile\AuthorizedApplications\List hierarchy did not pre-exist on the Windows 10 guest, so the sample created the keys before writing the legacy-format value (<image>:<scope>:<Enabled|Disabled>:<display name>). Windows 10 manages its firewall rules under FirewallPolicy\FirewallRules, so this write is unlikely to change the effective policy; it is nonetheless a reliable detection point because legitimate software has no reason to recreate the XP-era key.

Executes dropped EXE

  Process:    C:\Program Files (x86)\Common Files\System\klass.exe
  No further indicator or target is recorded for this signature.

Adds Run key to start application  [persistence]

  Set value (str)
    Indicator:  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe"
    Process:    C:\Program Files (x86)\Common Files\System\klass.exe
    Target:     N/A

  Same 32-bit redirected Run key and the same "Windows Update" value name as on Windows 7.

Drops file in Program Files directory

  File opened for modification  C:\Program Files (x86)\Common Files\System            by C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System            by C:\Program Files (x86)\Common Files\System\klass.exe
  File created                  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Program Files (x86)\Common Files\System\klass.exe
  File opened for modification  C:\Program Files (x86)\Common Files\System\klass.exe  by C:\Program Files (x86)\Common Files\System\klass.exe

  No target is recorded for any of these rows. As on Windows 7, the launched copy repeats the install routine against its own path.
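The Run-key write and the legacy firewall exception recorded in both the Windows 7 and Windows 10 signature sections are the report's most reusable indicators. What follows is an added example, not part of the sandbox report or of any tool it names: a small Python triage routine that parses "Set value (str)" indicators in the form this report prints them, decodes the legacy authorized-application value format, and flags both the "Windows Update" masquerade and the fact that the same binary receives persistence and a firewall exception. The event strings are constructed from the indicators above; MASQUERADE_NAMES and the C:\Windows system-root check are assumptions made for the example.

```python
"""Offline triage of Set-value registry indicators as printed in this report.

Added example, not sandbox or vendor code. Input events are constructed from
the report's Indicator column; MASQUERADE_NAMES and the system-root check are
assumptions for the example.
"""
from dataclasses import dataclass

# Key fragments that separate a registry key from its value name. The firewall
# List value name is itself a full path with backslashes, so "split on the last
# backslash" would cut it in the wrong place.
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run\\"
FW_LIST_MARKER = "\\firewallpolicy\\standardprofile\\authorizedapplications\\list\\"

# Display names borrowed from real Windows components (assumed heuristic list).
MASQUERADE_NAMES = {"windows update"}

# Constructed from the report's behavioral1 indicators (Windows 7 run).
SAMPLE_EVENTS = [
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\klass.exe = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe:*:Enabled:Windows Update"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe"',
]


@dataclass
class RegEvent:
    key: str   # registry key path
    name: str  # value name (may contain backslashes)
    data: str  # string data with the report's doubled backslashes collapsed


@dataclass
class FirewallException:
    image: str
    scope: str          # "*" = any remote address, otherwise an address/subnet list
    enabled: bool
    display_name: str


def _unquote(raw: str) -> str:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\")


def parse_event(line: str) -> RegEvent:
    """Split '<key>\\<name> = "<data>"' as printed in the Indicator column."""
    path, _, raw = line.partition(" = ")
    lower = path.lower()
    for marker in (FW_LIST_MARKER, RUN_KEY_MARKER):
        idx = lower.find(marker)
        if idx != -1:
            cut = idx + len(marker)
            return RegEvent(key=path[:cut - 1], name=path[cut:], data=_unquote(raw))
    key, _, name = path.rpartition("\\")  # generic case: last component is the name
    return RegEvent(key=key, name=name, data=_unquote(raw))


def parse_legacy_exception(data: str) -> FirewallException:
    """Decode the XP SP2-era AuthorizedApplications\\List value format
    '<image>:<scope>:<Enabled|Disabled>:<display name>'.
    The image path contains 'C:', so the split must come from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a legacy firewall exception: {data!r}")
    image, scope, state, display = parts
    return FirewallException(image, scope, state.lower() == "enabled", display)


def _outside_system_root(image: str) -> bool:
    # Assumes the guest's %SystemRoot% is C:\Windows, as in the sandbox runs.
    return not image.lower().startswith("c:\\windows\\")


def triage(lines) -> list:
    """Return findings for a batch of Set-value events; an empty list means nothing flagged."""
    findings, run_images, fw_images = [], {}, {}
    for ev in map(parse_event, lines):
        key = ev.key.lower()
        if key.endswith("\\currentversion\\run"):
            run_images[ev.data.lower()] = ev
            if ev.name.lower() in MASQUERADE_NAMES and _outside_system_root(ev.data):
                findings.append(f"Run key '{ev.name}' masquerades as Windows but launches {ev.data}")
        elif key.endswith("\\authorizedapplications\\list"):
            exc = parse_legacy_exception(ev.data)
            fw_images[exc.image.lower()] = exc
            if (exc.enabled and exc.scope == "*"
                    and exc.display_name.lower() in MASQUERADE_NAMES
                    and _outside_system_root(exc.image)):
                findings.append(f"Firewall exception '{exc.display_name}' opens {exc.image} to any remote address")
    # The strongest signal is the overlap: one binary gets autostart and a firewall hole.
    for image in run_images.keys() & fw_images.keys():
        findings.append(f"Same binary gets both persistence and a firewall exception: {image}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the two constructed events it reports three findings: the masquerading firewall exception, the masquerading Run entry, and the overlap between them. Feeding it a Run entry for a binary under C:\Windows produces nothing, which is the behaviour you want before pointing it at a full Sysmon or sandbox registry log.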

Processes

C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe"

C:\Program Files (x86)\Common Files\System\klass.exe

"C:\Program Files (x86)\Common Files\System\klass.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           irc.rootattack.com             udp
US       44.221.239.236:6667  irc.rootattack.com             tcp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       20.231.121.79:80     (no domain recorded)           tcp
US       8.8.8.8:53           241.150.49.20.in-addr.arpa     udp
US       44.221.239.236:6667  irc.rootattack.com             tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           140.71.91.104.in-addr.arpa     udp
US       44.221.239.236:6667  irc.rootattack.com             tcp
US       8.8.8.8:53           144.107.17.2.in-addr.arpa      udp
US       8.8.8.8:53           irc.rootattack.com             udp
US       44.221.239.236:6667  irc.rootattack.com             tcp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa     udp
US       44.221.239.236:6667  irc.rootattack.com             tcp
US       44.221.239.236:6667  irc.rootattack.com             tcp

The IRC traffic is the same as in the Windows 7 run: resolution of irc.rootattack.com followed by repeated TCP sessions to 44.221.239.236 on 6667. The in-addr.arpa queries are reverse (PTR) lookups for several unrelated addresses, and the single TCP connection to 20.231.121.79:80 has no domain associated with it in the capture; the report does not attribute either to the sample rather than to the Windows 10 guest itself, so they should not be used as indicators without corroboration.

Files

memory/3388-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files (x86)\Common Files\System\klass.exe
  MD5     e35d9f2e62b6b44088ee17fa229d1517
  SHA1    805701b71187565c0a9a73fcbf892ab1ff0049e4
  SHA256  862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03
  SHA512  296edb3b164259344585fa55434847268fa86c9fc02fec09ef1a4ea9fe058847242eca38820e627785a933c6b68bbe3ada5ee75e9be76dba95e40aafb3e27ae6

  Identical to the submitted sample and to the copy dropped on Windows 7: the self-copy is deterministic across platforms, so the sample hashes alone are sufficient for file-based blocking.

memory/3388-6-0x0000000000400000-0x000000000041D000-memory.dmp