Malware Analysis Report

2025-03-14 22:36

Sample ID: 240406-r1195adb64
Target: e2c334e419f98a1217912316e0c797a7_JaffaCakes118
SHA256: 1d9c7a3f4db08b60d9995027535db917e83f51c2e4f56d5fc862456a314203f6
Tags: discovery persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 1d9c7a3f4db08b60d9995027535db917e83f51c2e4f56d5fc862456a314203f6

Threat Level: Shows suspicious behavior

The file e2c334e419f98a1217912316e0c797a7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 14:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 14:40
Reported: 2024-04-06 14:42
Platform: win10v2004-20240226-en
Max time kernel: 92s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AD Network = "\"C:\\Users\\Admin\\AppData\\Local\\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\\.exe\" ?" | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe | N/A

Checks installed software on the system

discovery

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe


Network

Country | Destination | Domain | Proto
ES | 91.199.230.27:80 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/808-0-0x0000000000400000-0x0000000000450000-memory.dmp

memory/808-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/808-3-0x00000000007A0000-0x00000000008A0000-memory.dmp

C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe

MD5 ca9a0a2b5f9b7b83a5541bdedfc5a1bc
SHA1 fc93722e8a764312e2f06f41717eaaba80dfb4a0
SHA256 3c69b52540ea6cd00df2f5350b4e389de3014c4418d78b73e310aa40924655a8
SHA512 1f901383e0e90d68c4464d34564dc034040aaa011e88ec0cb37dce34655a3824bb5613201f84b98e6de1c1440c3285f5ece1d6394396ac4a516d3325e63fe15b

memory/808-13-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4788-15-0x0000000020300000-0x0000000020313200-memory.dmp

memory/4788-16-0x00000000007F0000-0x00000000008F0000-memory.dmp

C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.cfg

MD5 20165a79bcccf30bbef992c7820b2829
SHA1 00445acf5c6cc679e76d47b519132cb9485fd445
SHA256 7104e9fd4c65275f9e5c9557188f11f56faf9e9e54543a4c8e42284830a3bc6a
SHA512 eb968a59eb2fe7440596e8d57fb64b79b8ae2ddc79f8812200248653165d3b1285ffcd5d0381fd0980fecad9b76ccea613c515dfb1f1e15d850d6e3eacb0052f

memory/4788-19-0x0000000020300000-0x0000000020313200-memory.dmp

memory/4788-20-0x00000000007F0000-0x00000000008F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 14:40
Reported: 2024-04-06 14:42
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe"

Network

N/A

Files

memory/360-0-0x0000000000400000-0x0000000000450000-memory.dmp

memory/360-6-0x0000000000400000-0x0000000000450000-memory.dmp

memory/360-7-0x00000000006D0000-0x00000000007D0000-memory.dmp

memory/360-8-0x0000000000400000-0x0000000000450000-memory.dmp

memory/360-10-0x00000000006D0000-0x00000000007D0000-memory.dmp