Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-1ywfjada47
Target e36328f61748402ddf28874b7417a8e3_JaffaCakes118
SHA256 68a7259f14fe26de60e76bc5613f80a7d9ead414fabb10407f44ce3d4aacd779
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68a7259f14fe26de60e76bc5613f80a7d9ead414fabb10407f44ce3d4aacd779

Threat Level: Known bad

The file e36328f61748402ddf28874b7417a8e3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:04

Reported

2024-04-06 22:06

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36328f61748402ddf28874b7417a8e3_JaffaCakes118.dll,#1

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bgrlsmn = "{A4FC1DC2-5665-4018-B8B3-6C40FD5C1C99}" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4FC1DC2-5665-4018-B8B3-6C40FD5C1C99} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4FC1DC2-5665-4018-B8B3-6C40FD5C1C99}\InProcServer32\ = "C:\\Windows\\bgrlsmn.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4FC1DC2-5665-4018-B8B3-6C40FD5C1C99}\InProcServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36328f61748402ddf28874b7417a8e3_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36328f61748402ddf28874b7417a8e3_JaffaCakes118.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:04

Reported

2024-04-06 22:06

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36328f61748402ddf28874b7417a8e3_JaffaCakes118.dll,#1

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bgrlsmn = "{0F4DD0FC-D2BB-4B69-962F-4DCB931134CC}" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F4DD0FC-D2BB-4B69-962F-4DCB931134CC}\InProcServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F4DD0FC-D2BB-4B69-962F-4DCB931134CC} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F4DD0FC-D2BB-4B69-962F-4DCB931134CC}\InProcServer32\ = "C:\\Windows\\bgrlsmn.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4288 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4288 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36328f61748402ddf28874b7417a8e3_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36328f61748402ddf28874b7417a8e3_JaffaCakes118.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

N/A