Malware Analysis Report

2025-03-14 22:27

Sample ID 240407-3ayxvshe6w
Target e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118
SHA256 e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab
Tags
upx persistence
score
8/10

Analysis Overview

score
8/10

SHA256

e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab

Threat Level: Likely malicious

The file e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Modifies AppInit DLL entries

UPX packed file

Executes dropped EXE

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
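The "UPX packed file" signature above is the kind of static check that can be reproduced from the PE section table alone. The Python below is an added example, not part of this report or the sandbox's own detection: pe_section_names() walks the DOS header, PE signature and COFF header to the section table, looks_upx_packed() flags the stock UPX section names, and shannon_entropy() is the complementary check for renamed sections. The PE images it runs on are built in memory by build_minimal_pe() as constructed fixtures; they are not the report's sample.

```python
import math
import struct


def build_minimal_pe(section_names):
    """Constructed fixture (not a sample from this report): a minimal PE32
    image containing only the headers that pe_section_names() reads."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> "PE\0\0"
    size_opt = 0xE0                                        # PE32 optional header size
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (size_opt - 2)           # Magic 0x10B = PE32, rest zeroed
    sections = b""
    for name in section_names:
        raw = name.encode("ascii")[:8].ljust(8, b"\x00")   # IMAGE_SECTION_HEADER.Name
        sections += raw + b"\x00" * 32                     # remaining 32 header bytes zeroed
    return bytes(dos) + b"PE\x00\x00" + coff + opt + sections


def pe_section_names(data):
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                  # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                                      # 40 bytes per section header
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Heuristic: stock UPX names its sections UPX0/UPX1 (and keeps .rsrc).
    A build that renames sections evades this, so pair it with entropy."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def shannon_entropy(buf):
    """Bits per byte: compressed/encrypted data approaches 8.0, plain x86 code
    usually sits around 5 to 6.5."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    plain = build_minimal_pe([".text", ".rdata", ".data"])
    print(pe_section_names(packed), looks_upx_packed(packed))   # ['UPX0', 'UPX1', '.rsrc'] True
    print(pe_section_names(plain), looks_upx_packed(plain))     # ['.text', '.rdata', '.data'] False
```

Against the real sample, read the file with open(path, "rb") and pass the bytes to pe_section_names(); if the names have been scrubbed, compute shannon_entropy() over the largest section's raw data (values near 8.0 indicate compressed content) before concluding it is not packed. Unpacking with `upx -d` only works when the UPX headers are intact; modified stubs need a manual dump at the original entry point.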

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:19

Reported

2024-04-07 23:21

Platform

win7-20240215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\lenyunsk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\lenyuns.dll C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lenyunsk.exe C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lenyunsk.exe C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe N/A
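The "Modifies AppInit DLL entries" signature is reported without the registry key or value, and lenyuns.dll dropped into SysWOW64 is the obvious candidate payload. The Python below is an added example, not part of this report: audit_appinit() evaluates a registry snapshot for both the native and Wow6432Node AppInit keys and reports the loader flags that decide whether the entry will actually fire, and appinit_registry_writes() filters Sysmon Event ID 13 style records down to writes that touch those values. The snapshot and events are constructed; that lenyuns.dll is the value the sample registered under AppInit_DLLs is an assumption the report does not confirm.

```python
import re

# Registry keys the loader consults for AppInit DLLs. A 32-bit dropper writes the
# Wow6432Node view; the report's dropped files live in SysWOW64, so audit both.
APPINIT_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
APPINIT_VALUES = ("appinit_dlls", "loadappinit_dlls", "requiresignedappinit_dlls")


def audit_appinit(snapshot):
    """Evaluate a registry snapshot shaped {key_path: {value_name: data}}.
    One finding per key with a non-empty AppInit_DLLs, plus the flags that
    decide whether the loader will honour it."""
    findings = []
    for key in APPINIT_KEYS:
        values = snapshot.get(key, {})
        dlls = [d for d in re.split(r"[,\s]+", values.get("AppInit_DLLs", "")) if d]
        if not dlls:
            continue
        findings.append({
            "key": key,
            "dlls": dlls,
            "load_enabled": values.get("LoadAppInit_DLLs", 0) == 1,
            "signed_required": values.get("RequireSignedAppInit_DLLs", 0) == 1,
        })
    return findings


def appinit_registry_writes(events):
    """Filter Sysmon Event ID 13 (RegistryEvent: value set) style records to
    writes of the AppInit values. Returns (writing image, value name, data)."""
    hits = []
    for ev in events:
        target = ev.get("TargetObject", "")
        name = target.rsplit("\\", 1)[-1].lower()
        if name in APPINIT_VALUES and "\\currentversion\\windows\\" in target.lower():
            hits.append((ev.get("Image", ""), name, ev.get("Details", "")))
    return hits


SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"

# Constructed snapshot modelled on this report: lenyuns.dll is the DLL the sample
# dropped; the registry values themselves are assumed, the report does not list them.
SUSPECT_SNAPSHOT = {
    APPINIT_KEYS[0]: {"AppInit_DLLs": "", "LoadAppInit_DLLs": 0, "RequireSignedAppInit_DLLs": 1},
    APPINIT_KEYS[1]: {"AppInit_DLLs": "lenyuns.dll", "LoadAppInit_DLLs": 1,
                      "RequireSignedAppInit_DLLs": 0},
}
CLEAN_SNAPSHOT = {k: {"AppInit_DLLs": "", "LoadAppInit_DLLs": 0} for k in APPINIT_KEYS}

# Constructed Sysmon-style events (not from the report): two AppInit writes by the
# sample and one unrelated Explorer write that must not match.
SUSPECT_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": APPINIT_KEYS[1] + r"\AppInit_DLLs", "Details": "lenyuns.dll"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": APPINIT_KEYS[1] + r"\LoadAppInit_DLLs", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in audit_appinit(SUSPECT_SNAPSHOT):
        print(f["key"], f["dlls"], "load_enabled=%s signed_required=%s"
              % (f["load_enabled"], f["signed_required"]))
    for image, name, data in appinit_registry_writes(SUSPECT_EVENTS):
        print("AppInit write:", image, name, data)
```

LoadAppInit_DLLs must be 1 for the value to take effect, RequireSignedAppInit_DLLs set to 1 (the default from Windows 8 onward) rejects an unsigned DLL such as lenyuns.dll, and on Windows 8 and later with Secure Boot enabled the AppInit mechanism is disabled outright; a finding with load_enabled False or signed_required True therefore records an attempt at persistence rather than working persistence. On a live host build the snapshot from winreg or `reg query`, reading the Wow6432Node view explicitly for a 32-bit dropper.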

Processes

C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"

C:\Windows\SysWOW64\lenyunsk.exe

C:\Windows\system32\lenyunsk.exe ˜‰

(The command line names system32 while the image path is SysWOW64. This is consistent with a 32-bit sample: WOW64 file-system redirection maps its System32 writes and launches to SysWOW64, which is also why the dropped files above land there.)

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat

Network

N/A

Files

memory/1804-0-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\SysWOW64\lenyunsk.exe

MD5 e6185d4b4ff10b58f876babe5db6bfe6
SHA1 ad39f69563dac75355d8cf42f733d85da7c48aee
SHA256 e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab
SHA512 b965ef57212a48c514c229c5da784bd96734d1ece121c31fd8b7365ba7eae208e6cd0b38bff9c87bdd723606949c07f4e662a8f1210231f7d923bab585c93181

memory/1804-4-0x0000000000230000-0x0000000000240000-memory.dmp

memory/1804-11-0x0000000000230000-0x0000000000240000-memory.dmp

memory/2260-12-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1804-13-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1804-17-0x0000000000230000-0x0000000000240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat

MD5 6933dc7d4e6e364ae8bc4650876f6499
SHA1 6e0728e32a39fdf72847536b63042a43c698c6d9
SHA256 edf96aa2228fad182390c65d802910fd2e9c4280bc131bfe1a7865b5f65a37b0
SHA512 33ba49e8ca8344cc3aabfcf5613839f693ca583348c724adce030e983800f1f12d2e535733cc1839a43e08690a8dfa45f557e10b1c189ad40452c00f97a9ab77
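The behavioral1 signatures (drops file in System32 directory, executes dropped EXE, deletes itself) and the Files section together describe a short chain: the sample copies itself to SysWOW64\lenyunsk.exe (the dropped file carries the same MD5/SHA1/SHA256/SHA512 as the original), drops lenyuns.dll beside it, and runs a batch file named after itself through cmd.exe. The Python below is an added example, not the sandbox's own rule engine: derive_signatures() reconstructs those signatures from raw file and process telemetry so the logic behind each label is explicit. Paths and hashes are taken from this report; the PIDs, the parent/child links and the attribution of the .bat creation to the sample are assumptions, since the report lists processes without a tree.

```python
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"
SAMPLE_SHA256 = "e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab"

# Constructed telemetry modelled on the behavioral1 run. File paths and hashes are
# the report's; PIDs, parent links and the .bat creator are assumed.
FILE_EVENTS = [
    {"op": "create", "path": r"C:\Windows\SysWOW64\lenyuns.dll", "process": SAMPLE_PATH},
    {"op": "create", "path": r"C:\Windows\SysWOW64\lenyunsk.exe", "process": SAMPLE_PATH},
    {"op": "create", "path": SAMPLE_PATH + ".bat", "process": SAMPLE_PATH},
]
FILE_HASHES = {r"C:\Windows\SysWOW64\lenyunsk.exe": SAMPLE_SHA256}
PROCESSES = [
    {"pid": 1804, "ppid": 1000, "image": SAMPLE_PATH, "cmdline": '"%s"' % SAMPLE_PATH},
    # command line says system32, resolved image is SysWOW64 (WOW64 redirection)
    {"pid": 2260, "ppid": 1804, "image": r"C:\Windows\SysWOW64\lenyunsk.exe",
     "cmdline": r"C:\Windows\system32\lenyunsk.exe"},
    {"pid": 2300, "ppid": 1804, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c %s.bat" % SAMPLE_PATH},
]

SYSTEM_DIRS = (r"c:\windows\system32\\"[:-1], r"c:\windows\syswow64\\"[:-1])


def derive_signatures(sample_path, sample_sha256, file_events, file_hashes, processes):
    """Turn raw telemetry into the report's behavioural labels.
    Matching is on resolved image paths, not command lines, so the
    system32/SysWOW64 redirection seen in the report does not break it."""
    sigs = set()
    sample = sample_path.lower()
    dropped = {e["path"].lower() for e in file_events if e["op"] == "create"}

    if any(p.startswith(SYSTEM_DIRS) for p in dropped):
        sigs.add("drops_file_in_system32")

    by_pid = {p["pid"]: p for p in processes}
    for p in processes:
        image = p["image"].lower()
        parent = by_pid.get(p["ppid"])
        if image in dropped and image.endswith(".exe"):
            sigs.add("executes_dropped_exe")
        # cmd /c <sample path>.bat spawned by the sample itself: the usual
        # self-delete pattern. Confirming deletion needs the batch contents.
        if image.endswith("\\cmd.exe") and parent and parent["image"].lower() == sample:
            parts = p["cmdline"].lower().split("/c", 1)
            if len(parts) == 2 and parts[1].strip().strip('"') == sample + ".bat":
                sigs.add("deletes_itself_via_batch")

    # A dropped file hashing identical to the submitted sample is a self-copy,
    # which is what the identical hashes in the Files section show.
    for path, digest in file_hashes.items():
        if path.lower() in dropped and digest.lower() == sample_sha256.lower():
            sigs.add("self_copy")
    return sigs


if __name__ == "__main__":
    for sig in sorted(derive_signatures(SAMPLE_PATH, SAMPLE_SHA256,
                                        FILE_EVENTS, FILE_HASHES, PROCESSES)):
        print(sig)
```

The self-delete label is only a pattern match on `cmd /c <sample path>.bat` launched by the sample; the batch contents, which the report does not show, are what would confirm the deletion. The self_copy check is the one the report's own Files section supports most directly: C:\Windows\SysWOW64\lenyunsk.exe has exactly the submitted sample's hashes, so the SysWOW64 copy is the persistence body and lenyuns.dll is the separate payload.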

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:19

Reported

2024-04-07 23:21

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\lenyunsk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\lenyunsk.exe C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lenyunsk.exe C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lenyuns.dll C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"

C:\Windows\SysWOW64\lenyunsk.exe

C:\Windows\system32\lenyunsk.exe ˜‰

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

All twelve entries are reverse-DNS (PTR) queries to Google Public DNS with no process attribution, and the Windows 7 run recorded no network activity at all. Treat them as sandbox or OS background resolution rather than as sample C2 indicators unless process-attributed traffic from the sample or lenyunsk.exe is found.

Files

memory/1568-0-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\SysWOW64\lenyunsk.exe

MD5 e6185d4b4ff10b58f876babe5db6bfe6
SHA1 ad39f69563dac75355d8cf42f733d85da7c48aee
SHA256 e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab
SHA512 b965ef57212a48c514c229c5da784bd96734d1ece121c31fd8b7365ba7eae208e6cd0b38bff9c87bdd723606949c07f4e662a8f1210231f7d923bab585c93181

memory/1568-6-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2220-7-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat

MD5 6933dc7d4e6e364ae8bc4650876f6499
SHA1 6e0728e32a39fdf72847536b63042a43c698c6d9
SHA256 edf96aa2228fad182390c65d802910fd2e9c4280bc131bfe1a7865b5f65a37b0
SHA512 33ba49e8ca8344cc3aabfcf5613839f693ca583348c724adce030e983800f1f12d2e535733cc1839a43e08690a8dfa45f557e10b1c189ad40452c00f97a9ab77