Malware Analysis Report

2025-03-14 23:15

Sample ID: 240407-w588rabd66
Target: e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118
SHA256: e43799d1859b6c92c625a423a36184a7089c0ce2fd6e5fd5aa9008f7e977f446
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: e43799d1859b6c92c625a423a36184a7089c0ce2fd6e5fd5aa9008f7e977f446
Threat level: suspicious

The file e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118 shows suspicious behavior. Both detonations record the sample creating C:\Program Files\NetMeeting\ravytmon.exe, whose MD5 and SHA256 are identical to the submitted sample's (the drop is a self-copy), the copy writing its own Run key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and a cmd.exe /c del command aimed at the original in the user's Temp folder.

Malicious Activity Summary

Tag: persistence

Deletes itself
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

Of these, Loads dropped DLL, Suspicious use of WriteProcessMemory and Suspicious behavior: EnumeratesProcesses have no itemized entry in the per-run Signatures tables below; the remaining signatures are detailed there.

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview
Reported: 2024-04-07 18:31

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview
Submitted: 2024-04-07 18:31
Reported: 2024-04-07 18:34
Platform: win7-20231129-en
Max time kernel: 122s
Max time network: 123s

Command Line
C:\Windows\Explorer.EXE

Signatures

Deletes itself
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Adds Run key to start application (persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ravytmon = "C:\\Program Files\\NetMeeting\\ravytmon.exe" | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Drops file in Program Files directory
Description | Indicator | Process | Target
File created | C:\Program Files\NetMeeting\ravytmon.exe | C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\NetMeeting\ravytmon.cfg | C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\NetMeeting\ravytmon.dat | C:\Program Files\NetMeeting\ravytmon.exe | N/A
File created | C:\Program Files\NetMeeting\ravytmon.dat | C:\Program Files\NetMeeting\ravytmon.exe | N/A
File opened for modification | C:\Program Files\NetMeeting\ravytmon.exe | C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe"
C:\Program Files\NetMeeting\ravytmon.exe | "C:\Program Files\NetMeeting\ravytmon.exe"
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe"
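The three behaviors recorded above (a Run key written by the process it points at, an executable dropped into Program Files by a process running from the user's Temp folder, and cmd.exe /c del aimed at the parent's own image) are what a detection engineer would correlate in endpoint telemetry. The following Python is an added example and not part of the sandbox report: it evaluates those three rules over Sysmon-style events using snake_case versions of the Sysmon field names (image, parent_image, command_line, target_object, details, target_filename). The sample events are constructed to mirror behavioral1 (behavioral2 records the same chain); the parent/child links are an assumption, since the report lists the processes but not their tree, and the ATT&CK IDs T1547.001 and T1070.004 are the standard mappings for Run-key persistence and file deletion, not values taken from the report.

```python
"""Correlate the persistence chain from this report over Sysmon-style events.

Added example, not code from the sandbox report. Event dicts use snake_case
versions of Sysmon field names. SAMPLE_EVENTS are constructed to mirror the
behavioral1 timeline; the parent/child links are assumed because the report
lists processes but not their tree.
"""
import re
from typing import Dict, Iterable, List

# Indicators copied from the report.
IOC_SHA256 = "e43799d1859b6c92c625a423a36184a7089c0ce2fd6e5fd5aa9008f7e977f446"
IOC_DROP_PATH = r"C:\Program Files\NetMeeting\ravytmon.exe"
IOC_RUN_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ravytmon"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
PROGRAM_FILES_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\.*\.exe$", re.I)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DEL_CMD_RE = re.compile(r'\bdel\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.I)


def _same_path(a: str, b: str) -> bool:
    """Case-insensitive path equality, ignoring surrounding quotes."""
    return a.strip('"').lower() == b.strip('"').lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per event matching one of the report's three signatures."""
    findings = []
    for ev in events:
        eid, image = ev.get("event_id"), ev.get("image", "")
        if eid == 13:
            # Run-key write: fire when the writer registers its own image (as
            # ravytmon.exe does in the report) or runs from the user's Temp
            # folder. An installer registering an unrelated product does not match.
            m = RUN_KEY_RE.search(ev.get("target_object", ""))
            value = ev.get("details", "")
            if m and (_same_path(value, image) or USER_TEMP_RE.match(image)):
                findings.append({"signature": "Adds Run key to start application",
                                 "technique": "T1547.001", "image": image,
                                 "run_value": m.group("name"), "target": value})
        elif eid == 11:
            # Executable dropped into Program Files by a process started from Temp.
            target = ev.get("target_filename", "")
            if PROGRAM_FILES_RE.match(target) and USER_TEMP_RE.match(image):
                findings.append({"signature": "Drops file in Program Files directory",
                                 "technique": None, "image": image, "target": target})
        elif eid == 1 and image.lower().endswith("\\cmd.exe"):
            # cmd.exe /c del <path> where <path> is the parent's own image.
            m = DEL_CMD_RE.search(ev.get("command_line", ""))
            path = (m.group("quoted") or m.group("bare")) if m else ""
            if path and _same_path(path, ev.get("parent_image", "")):
                findings.append({"signature": "Deletes itself", "technique": "T1070.004",
                                 "image": image, "target": path})
    return findings


def chain_complete(findings: List[Dict]) -> bool:
    """True when all three signatures seen in behavioral1 are present."""
    seen = {f["signature"] for f in findings}
    return {"Adds Run key to start application",
            "Drops file in Program Files directory", "Deletes itself"} <= seen


# Constructed events mirroring behavioral1; the process tree is assumed.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "image": SAMPLE_EXE, "parent_image": r"C:\Windows\Explorer.EXE",
     "command_line": f'"{SAMPLE_EXE}"'},
    {"event_id": 11, "image": SAMPLE_EXE, "target_filename": IOC_DROP_PATH},
    {"event_id": 1, "image": IOC_DROP_PATH, "parent_image": SAMPLE_EXE,
     "command_line": f'"{IOC_DROP_PATH}"'},
    {"event_id": 13, "image": IOC_DROP_PATH, "target_object": IOC_RUN_KEY,
     "details": IOC_DROP_PATH},
    {"event_id": 1, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE_EXE,
     "command_line": f'C:\\Windows\\system32\\cmd.exe /c del "{SAMPLE_EXE}"'},
]

# Constructed benign noise: an installer registering its product's updater,
# and a user deleting a file via cmd.exe. None of these should fire.
BENIGN_EVENTS = [
    {"event_id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target_filename": r"C:\Program Files\Vendor\updater.exe"},
    {"event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "command_line": r'cmd.exe /c del "C:\Users\Admin\Desktop\old.txt"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['signature']:<40} {f['technique'] or '-':<10} {f['image']}")
    print("chain complete:", chain_complete(detect(SAMPLE_EVENTS)))
```

Running the module prints the three findings in event order (drop, Run key, self-delete) and reports the chain as complete. Note that behavioral2's Signatures table below does not list Deletes itself even though its Processes list contains the same cmd.exe /c del command, so in a real pipeline the Run-key and drop rules should be able to raise an alert on their own, with the self-delete match used to raise confidence rather than as a required condition.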

Network

N/A

Files

\Program Files\NetMeeting\ravytmon.exe

MD5 e5955d82ab3ce0fadf6553a8186d5906
SHA1 1fa8c2143aa44651ce6b7330575224caaaa3f8e7
SHA256 e43799d1859b6c92c625a423a36184a7089c0ce2fd6e5fd5aa9008f7e977f446
SHA512 f3dde48d215f5d6b4c94eddd723525664213c0c1072525de7e2f55aaaa2b8b7329540b7c5e12845fb19135cf1684471c62214182b353ad84418fa4e5714a1d98

memory/1368-16-0x0000000002E80000-0x0000000002E81000-memory.dmp

Analysis: behavioral2

Detonation Overview
Submitted: 2024-04-07 18:31
Reported: 2024-04-07 18:34
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 151s

Command Line
C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Adds Run key to start application (persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ravytmon = "C:\\Program Files\\NetMeeting\\ravytmon.exe" | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Drops file in Program Files directory
Description | Indicator | Process | Target
File opened for modification | C:\Program Files\NetMeeting\ravytmon.exe | C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | N/A
File created | C:\Program Files\NetMeeting\ravytmon.exe | C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\NetMeeting\ravytmon.cfg | C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\NetMeeting\ravytmon.dat | C:\Program Files\NetMeeting\ravytmon.exe | N/A
File created | C:\Program Files\NetMeeting\ravytmon.dat | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\NetMeeting\ravytmon.exe | N/A

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe"
C:\Program Files\NetMeeting\ravytmon.exe | "C:\Program Files\NetMeeting\ravytmon.exe"
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\e5955d82ab3ce0fadf6553a8186d5906_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | (none) | udp

The table records no originating process for any of these flows, and the Windows 7 run (behavioral1) recorded no network activity at all, so none of the reverse-DNS lookups or the single TCP connection is attributed to the sample by this report; treat them as unattributed until a process-level capture ties them to ravytmon.exe or the original executable.

Files

C:\Program Files\NetMeeting\ravytmon.exe

MD5 e5955d82ab3ce0fadf6553a8186d5906
SHA1 1fa8c2143aa44651ce6b7330575224caaaa3f8e7
SHA256 e43799d1859b6c92c625a423a36184a7089c0ce2fd6e5fd5aa9008f7e977f446
SHA512 f3dde48d215f5d6b4c94eddd723525664213c0c1072525de7e2f55aaaa2b8b7329540b7c5e12845fb19135cf1684471c62214182b353ad84418fa4e5714a1d98