Malware Analysis Report

2024-11-30 04:06

Sample ID 240408-bfxs7scb74
Target e648282656e67d02140b1f8346ca84ce_JaffaCakes118
SHA256 236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3
Tags: spyware stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3

Threat Level: Shows suspicious behavior

The file e648282656e67d02140b1f8346ca84ce_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-08 01:05

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-08 01:05
Reported: 2024-04-08 01:08
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\626.bat

Network

Country   Destination          Domain               Proto
US        8.8.8.8:53           www.softologic.com   udp
US        13.248.169.48:80     www.softologic.com   tcp
US        8.8.8.8:53           api.mixpanel.com     udp
US        130.211.34.183:80    api.mixpanel.com     tcp

Files

memory/2340-0-0x0000000010000000-0x0000000010134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\626.bat

MD5 2d55d29db16e7dc9b13d0cffe7c9741d
SHA1 51d78315a6757707d0cfba6289d4df6ebafc7fbc
SHA256 6abe54e56c39a3f61e5d8c5123691365832a47f311878aec808242e775168ad8
SHA512 2ec87d42b16d8ded32e1106816622826f9fff8bd4a725cc8b0ddd673598fd568be59c6f4cdf36f8943c1673bc0c5766a39e28fbde680efc657e76163af63da2f

C:\Users\Admin\AppData\Local\Temp\803975.exe

MD5 e648282656e67d02140b1f8346ca84ce
SHA1 ad3a3314292c48307d3de710aee4c96d801c9a44
SHA256 236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3
SHA512 e6ea4720a54ce1ef4455b142c2c6bbed06b7e6d07d50c4230d54b77be219350ec7323a6442f2fa37fd023faecb3f5067abd2819d5907a67da608a893b08aa7dd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-08 01:05
Reported: 2024-04-08 01:08
Platform: win10v2004-20240226-en
Max time kernel: 92s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Processes

C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\484.bat

Network

Country   Destination          Domain                          Proto
US        8.8.8.8:53           www.softologic.com              udp
US        13.248.169.48:80     www.softologic.com              tcp
US        8.8.8.8:53           228.249.119.40.in-addr.arpa     udp
US        8.8.8.8:53           48.169.248.13.in-addr.arpa      udp
US        8.8.8.8:53           99.56.20.217.in-addr.arpa       udp
US        8.8.8.8:53           68.159.190.20.in-addr.arpa      udp
US        8.8.8.8:53           api.mixpanel.com                udp
US        107.178.240.159:80   api.mixpanel.com                tcp
US        8.8.8.8:53           159.240.178.107.in-addr.arpa    udp
US        8.8.8.8:53           209.205.72.20.in-addr.arpa      udp
US        8.8.8.8:53           58.55.71.13.in-addr.arpa        udp
US        8.8.8.8:53           157.123.68.40.in-addr.arpa      udp
US        8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US        8.8.8.8:53           0.204.248.87.in-addr.arpa       udp
US        8.8.8.8:53           240.221.184.93.in-addr.arpa     udp
US        8.8.8.8:53           31.243.111.52.in-addr.arpa      udp

Files

memory/4356-0-0x0000000010000000-0x0000000010134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\484.bat

MD5 dc8515cf14ea618adde9fe241bc9a874
SHA1 7203882cc500acc2ac03ca358af38f31b5b56564
SHA256 308cc18f0634f726b1dafcf19bb20b71013de9a6f7c6a6713c05eb337c5b9817
SHA512 b3d16035bd9f7c3b78872ee5d8893019ce201624620b7e199cd769114409042e266b4ec7988de499e56e9625a5cfbebb42501e6cb91c8278f77387a7a73e8435

C:\Users\Admin\AppData\Local\Temp\803975.exe

MD5 e648282656e67d02140b1f8346ca84ce
SHA1 ad3a3314292c48307d3de710aee4c96d801c9a44
SHA256 236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3
SHA512 e6ea4720a54ce1ef4455b142c2c6bbed06b7e6d07d50c4230d54b77be219350ec7323a6442f2fa37fd023faecb3f5067abd2819d5907a67da608a893b08aa7dd