Malware Analysis Report

2025-03-14 22:19

Sample ID 240407-29a5eahf38
Target e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118
SHA256 9baa1dec3c980f5ddba9cf9f48a72a1016531228a2f8c715eb2dcfc54104ed80
Tags persistence
Score 6/10

Analysis Overview

Score 6/10

SHA256

9baa1dec3c980f5ddba9cf9f48a72a1016531228a2f8c715eb2dcfc54104ed80

Threat Level: Shows suspicious behavior

The file e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Gathers network information

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2952 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 1340 wrote to memory of 2028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 1340 wrote to memory of 2028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 1340 wrote to memory of 2028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 1340 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1340 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1340 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1340 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1340 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1340 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1340 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1340 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2624 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2624 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2624 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2624 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1340 wrote to memory of 2616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE
PID 1340 wrote to memory of 2616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE
PID 1340 wrote to memory of 2616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE
PID 1340 wrote to memory of 2616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log

C:\Windows\SysWOW64\cmd.exe

cmd /c set

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\net.exe

net start

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -an

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.kvic.jp | udp

Files

\??\c:\windows\temp\flash.log

MD5 2548fcfc2e8a54f21938360d4b69af04
SHA1 eb4db1a15da41c482a637f99c4730874b96261a4
SHA256 596ed42c94ae4f91cdff9bb75a97ea9db31075d55c0a4aba7018d71ffc5d7057
SHA512 91e29cd394b1534dc4bad93db2016e8fbddf90c17d3edcf23f927ee6c1c8b35450356d097af956aadd5a9a366b772235e320a728844db955340bd46a31c3b663

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1164 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 4968 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 4968 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 4968 wrote to memory of 4616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4968 wrote to memory of 4616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4968 wrote to memory of 4616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4968 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 4968 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 4968 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2324 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2324 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2324 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 4968 wrote to memory of 616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE
PID 4968 wrote to memory of 616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE
PID 4968 wrote to memory of 616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6167dfeb7003d3c1d970cb1978fd6e4_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log

C:\Windows\SysWOW64\cmd.exe

cmd /c set

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\net.exe

net start

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -an

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.kvic.jp | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp

Files

\??\c:\windows\temp\flash.log

MD5 af254f9420d992dd02628d4e55c20ac6
SHA1 5be44ef5d8644901220003866e4a7b29ec17339d
SHA256 5f46cfa0862be45ef33be69aae25021302ccd890cc200905be768a17384b138d
SHA512 c56376baab3abad82dec89bc6f1daf12034b511d3942bae03202cfc5be46b0bb49ad258179634e5eea0988aae824f90d59723f5b51835804ed16069d37c36bf1