Malware Analysis Report

2024-11-30 02:44

Sample ID 240407-wbm4esad83
Target e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118
SHA256 04d33f6a986266cd84e4a2dc479fddaee035d139b0773eb3be36ff2740b781e5
Tags
persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

04d33f6a986266cd84e4a2dc479fddaee035d139b0773eb3be36ff2740b781e5

Threat Level: Shows suspicious behavior

The file e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Loads dropped DLL

Reads local data of messenger clients

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:44

Reported

2024-04-07 17:47

Platform

win7-20240215-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win29.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI35 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI82.exe\"" | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1280 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\win29.exe

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1280 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\win29.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\win29.exe

C:\Users\Admin\AppData\Local\Temp\win29.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

N/A

Files

memory/1280-0-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/1280-1-0x00000000007F0000-0x0000000000830000-memory.dmp

memory/1280-2-0x0000000074220000-0x00000000747CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\win29.exe

MD5 5e5ecae8b08152c885904cde71c50dad
SHA1 727f24d102ab29be690c783ddc149b3a39430fb6
SHA256 b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541
SHA512 dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

memory/3028-12-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-10-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-14-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-18-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-16-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-22-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3028-25-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3028-27-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1280-29-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/3028-31-0x0000000001F10000-0x0000000001F12000-memory.dmp

memory/2576-32-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2576-33-0x0000000000390000-0x0000000000391000-memory.dmp

memory/3028-36-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Roaming\hk_20080211_skiboat2.jpg

MD5 94ead5328697a594fc358b33fd0dc87a
SHA1 47459c7be4e25196b260d87189dc8fd45f75f96d
SHA256 d075cff3768d020b436417a0567f4e1e6c4e872c82b3242d16389c0c1e4ae103
SHA512 d69dbeadc209089c6049d9e21992f52db0dc6f513a316df0267acf6a46345b5924296ecc27502a471dc8a289a11fb2a5f72e2ceacae718427a8fab0d5f6950b2

memory/2576-39-0x0000000000390000-0x0000000000391000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:44

Reported

2024-04-07 17:47

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win29.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runAPI35 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI82.exe\"" | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2300 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\win29.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2300 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\win29.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\win29.exe

C:\Users\Admin\AppData\Local\Temp\win29.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
GB | 23.44.234.16:80 | | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

memory/2300-0-0x0000000075050000-0x0000000075601000-memory.dmp

memory/2300-1-0x00000000015E0000-0x00000000015F0000-memory.dmp

memory/2300-2-0x0000000075050000-0x0000000075601000-memory.dmp

memory/1624-5-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\win29.exe

MD5 5e5ecae8b08152c885904cde71c50dad
SHA1 727f24d102ab29be690c783ddc149b3a39430fb6
SHA256 b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541
SHA512 dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

memory/1624-10-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1624-13-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2300-14-0x0000000075050000-0x0000000075601000-memory.dmp

memory/1624-17-0x0000000000400000-0x000000000045D000-memory.dmp