Malware Analysis Report

2025-03-14 23:42

Sample ID: 240407-xbggbabf24
Target: e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118
SHA256: 931b61a21a21c5c6c4dd42ff0e0c744c2f683da14820e644b2f3e4f8ea0f74f6
Tags: persistence
Score: 6/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 6/10
SHA256: 931b61a21a21c5c6c4dd42ff0e0c744c2f683da14820e644b2f3e4f8ea0f74f6
Threat Level: Shows suspicious behavior

The file e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tag: persistence

- Adds Run key to start application
- Drops file in Program Files directory
- Unsigned PE
- Enumerates processes with tasklist
- Gathers network information
- Suspicious use of WriteProcessMemory
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:40
Reported: 2024-04-07 18:43
Platform: win7-20231129-en
Max time kernel: 118s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe"

Signatures

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events logged
PID 2344 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2384 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2384 wrote to memory of 3008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe | 4
PID 2384 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe | 4
PID 2384 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe | 4
PID 2656 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 2384 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE | 4

Processes

C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log

C:\Windows\SysWOW64\cmd.exe
  cmd /c set

C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all

C:\Windows\SysWOW64\tasklist.exe
  tasklist

C:\Windows\SysWOW64\net.exe
  net start

C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start

C:\Windows\SysWOW64\NETSTAT.EXE
  netstat -an

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.kvic.jp | udp

Files

\??\c:\windows\temp\flash.log

MD5: 3ebb670afbe65b2b17da5b67141aae93
SHA1: 0a001dc49b04c45d6fc86a0813c3f2fffd292d48
SHA256: 4b2cc04ac9f067deaeba9e9b83a2852dab17355db59ad05d304591603daa6efe
SHA512: 90145bfa627e89b8837e90a7517b89d95c41ba0d9928d8d8ea75f2afedcdb035deced1519fc87d19a22f9a4d8f9e74f73f0360e3f8dc890a6770dfd335ea87c3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:40
Reported: 2024-04-07 18:43
Platform: win10v2004-20240226-en
Max time kernel: 92s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe"

Signatures

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events logged
PID 2180 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1328 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1328 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe | 3
PID 1328 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe | 3
PID 1328 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe | 3
PID 2768 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 3
PID 1328 wrote to memory of 1980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE | 3

Processes

C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e59a0f3ca70a1893b785c0e823ca6721_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log

C:\Windows\SysWOW64\cmd.exe
  cmd /c set

C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all

C:\Windows\SysWOW64\tasklist.exe
  tasklist

C:\Windows\SysWOW64\net.exe
  net start

C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start

C:\Windows\SysWOW64\NETSTAT.EXE
  netstat -an

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.kvic.jp | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp

Files

\??\c:\windows\temp\flash.log

MD5: 8a89c8626aefa33c2c33b4ce752f01a1
SHA1: ae2aa31e9a69c8a8d7d4304c4fa73375bdd18d66
SHA256: 65831f178329848e84e6685c326f7a30ad1f6e00d62c77b83822ef7731b0c3d6
SHA512: 9c9f915ebedb1c9f2c7ce2a9f1d642d8b24ac1b091766220fbe5061454f9f04e54ca5f92acd0f7d134a7e453871e0d971a3ce9880b3991ddc03d905841e13e17