Malware Analysis Report

2024-11-30 04:13

Sample ID 240408-a4j2ksbf41
Target e63e26386d42b8fa9946472015e6a1af_JaffaCakes118
SHA256 abfeef7be079feca6478a96e982a5bfebae0334b87293abcf52a9806f2d9922d
Tags spyware stealer upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

abfeef7be079feca6478a96e982a5bfebae0334b87293abcf52a9806f2d9922d

Threat Level: Shows suspicious behavior

The file e63e26386d42b8fa9946472015e6a1af_JaffaCakes118 was classified as "Shows suspicious behavior".

Malicious Activity Summary

spyware stealer upx

Reads user/profile data of web browsers

UPX packed file

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 00:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 00:45

Reported

2024-04-08 00:48

Platform

win7-20231129-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
PID 2344 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft

C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming

Network

Country Destination Domain Proto
US 8.8.8.8:53 lostpropaganda.net udp
US 8.8.8.8:53 zonedg.com udp
US 8.8.8.8:53 zonedg.com udp
US 8.8.8.8:53 separatemilkandtee.com udp
US 8.8.8.8:53 zonedg.com udp
US 8.8.8.8:53 zonedg.com udp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
HK 154.211.84.30:80 zonedg.com tcp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:80 www.google.com tcp
US 8.8.8.8:53 bookonlinecatalog.com udp
HK 154.211.84.30:80 zonedg.com tcp
DE 172.217.16.196:80 www.google.com tcp
N/A 127.0.0.1:62848 tcp

Files

memory/2344-3-0x0000000000520000-0x0000000000620000-memory.dmp

memory/2344-1-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Roaming\38F5.34A

MD5 d96340c72428b7cf865e7f5a89da222d
SHA1 34762e886aaa8cb09ddf6561a2e891ef964eb604
SHA256 638bf10c28392bb63a801ef61637686daa3ba2d04fac84472832335b3071ecce
SHA512 957c98af73ff372a792d26b2a7d01e86bfdd8927074e61ab1b31711f054e8fef9d0cf2d660fbe39b9564933370b87cd4f88d0e9e7937d2e49da2ab82c96be881

memory/2840-18-0x000000000050A000-0x0000000000524000-memory.dmp

memory/2840-17-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Roaming\38F5.34A

MD5 1e6d2d7e32fca9fcd02df818ae8cc846
SHA1 dc0d4d8f3eda452536da04b35957d2a72e79929e
SHA256 50aa345e89e07461c16f999cebd9a53d5e93447ca1ebd88d872e2f24c3467cf9
SHA512 5d4b3870ee544b5db43140e0580af6c24f9b0a65c9eb59e5ded2cdf477e323019938b5ae67185cbf74538d32267630b42e1d21efdd97acdbe7d868088d396308

C:\Users\Admin\AppData\Roaming\38F5.34A

MD5 29ba369811ffa5632a2131d0d533734b
SHA1 89fd8bac1947857a4ec2e8ca2c4fd4d23f72b514
SHA256 597852d533a166c93437481afbe6d6a6d88a4a484b0b81c5cd20f623f64e813e
SHA512 0f741511e8510b115eaea6f767ed0da7739dbfd3e6c390ff0aa51b4f56e3f4cd2859a321d130180743bf58f7b03fbbbd77f2f724e5d2d6bb02e3922d210c1079

memory/2436-85-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2436-87-0x0000000000549000-0x0000000000564000-memory.dmp

memory/2344-86-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2344-88-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2344-89-0x0000000000520000-0x0000000000620000-memory.dmp

C:\Users\Admin\AppData\Roaming\38F5.34A

MD5 7b6ac1178cd5a255f984d0a7e78c791d
SHA1 61c5e9e35ec6319bdb8666420637976eed4cf0c3
SHA256 4e3df651ccb6eb09e67c740280936831a06eeb6d5b8c38f432304607517afe51
SHA512 be0cad8f26589e8ea036de722d4cd8c9a8d186e67e9ab990f3143dfdd5b883230f7abf54f48f25c9e34348b4225bf926294bce995e6dceacd758a8486e215c54

memory/2344-157-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2344-188-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2344-190-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2344-196-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 00:45

Reported

2024-04-08 00:48

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A