Malware Analysis Report

2025-03-14 22:54

Sample ID 240406-1qywpacg27
Target e35df7736356ada613212717f5b34719_JaffaCakes118
SHA256 6b009d49678942a408d61070626d5c8203c1036767f1e1a34ac942556cee2489
Tags: persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

6b009d49678942a408d61070626d5c8203c1036767f1e1a34ac942556cee2489

Threat Level: Likely malicious

The file e35df7736356ada613212717f5b34719_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:51

Reported

2024-04-06 21:54

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\dbilzqh.exe C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe N/A
File created C:\PROGRA~3\Mozilla\zxoabnc.dll C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1928 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe (identical entry recorded 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0ACE2217-46A7-4381-A67A-421A73D6AEBD} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/1640-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1640-1-0x0000000000440000-0x000000000049B000-memory.dmp

memory/1640-7-0x0000000000400000-0x0000000000435000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 885c9d8656b2275b148c9a44415d54f7
SHA1 a1208a96467d531ad95118a6e68b47ca69e93c80
SHA256 d20b4086c80167f9af73aa0fdfe48605ff771a995ae5c235cf7b2da296805308
SHA512 fc4d578dad5ac5af04c05ae00c05299ba6b11ee244c89939967f116ab35256e5a38af367e6bb761e9f001d4040d35cf20e6be538e569f8751a826156ad29c308

memory/1928-10-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1928-11-0x0000000000350000-0x00000000003AB000-memory.dmp

memory/1928-17-0x0000000000400000-0x0000000000435000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:51

Reported

2024-04-06 21:54

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\qhdqeom.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\ijdurdi.dll C:\PROGRA~3\Mozilla\qhdqeom.exe N/A
File created C:\PROGRA~3\Mozilla\qhdqeom.exe C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35df7736356ada613212717f5b34719_JaffaCakes118.exe"

C:\PROGRA~3\Mozilla\qhdqeom.exe

C:\PROGRA~3\Mozilla\qhdqeom.exe -tgbfvga

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4652-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4652-1-0x00000000020E0000-0x000000000213B000-memory.dmp

memory/2472-9-0x0000000000400000-0x0000000000435000-memory.dmp

C:\PROGRA~3\Mozilla\qhdqeom.exe

MD5 15c32d29f46fa81176dc2ad01f66979d
SHA1 7cb8af20dba8c4fb6b5abf3609e58249b54faf94
SHA256 b2bcb64bd58ad61ff1969cd415255abd2d7b5ceed79b72a70419e0b93706dc58
SHA512 38a57830b4ed4621a788a3829480a3fd418bc1878995459b2820b65cd2611fb82cb549e14570728bd8f9cd90ac9532a8198e22657c8d0c0c2cf97d60676afb89

memory/4652-10-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2472-11-0x0000000000B70000-0x0000000000BCB000-memory.dmp

memory/2472-17-0x0000000000400000-0x0000000000435000-memory.dmp