Malware Analysis Report

2025-01-02 12:15

Sample ID 240417-ck1lbsah68
Target f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118
SHA256 47132f3ba6d82c8c06f6235d8271ab7cc15abc408a9dde134c5f466a7fcd7e77
Tags
asyncrat default rat
score
10/10

Analysis Overview

score
10/10

SHA256

47132f3ba6d82c8c06f6235d8271ab7cc15abc408a9dde134c5f466a7fcd7e77

Threat Level: Known bad

The file f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 02:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 02:08

Reported

2024-04-17 02:11

Platform

win7-20240221-en

Max time kernel

143s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2356 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 2488 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDWzjRv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD365.tmp"

C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe"

Network

Country Destination Domain Proto
CH 79.134.225.44:7450 tcp (17 entries)

Files

memory/1936-0-0x0000000000E70000-0x0000000000F32000-memory.dmp

memory/1936-1-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1936-2-0x0000000000550000-0x0000000000590000-memory.dmp

memory/1936-3-0x00000000003E0000-0x00000000003FA000-memory.dmp

memory/1936-4-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1936-5-0x0000000000550000-0x0000000000590000-memory.dmp

memory/1936-6-0x0000000005780000-0x0000000005804000-memory.dmp

memory/1936-7-0x0000000000930000-0x0000000000942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD365.tmp

MD5 d878321f3c18e4ac2bebaf25270dd6df
SHA1 70ea1222bb516b917aa3975823a4d1c2673fb971
SHA256 7ec93f3e52c28e18e4b452e546d3cad45aeab835d4353d0b7ae5bc611913892b
SHA512 c358fb121cd01787d3bf29d33ef178798683703e23dcacbdc47863d1e7ccb790fa63d328a9a0d9b9d97e5053967cdc86707b088ca655b531c5cd904e0d8e8982

memory/2488-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2488-15-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2488-17-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2488-19-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2488-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2488-23-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2488-25-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2488-27-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1936-29-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2488-28-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2488-30-0x0000000004410000-0x0000000004450000-memory.dmp

memory/2488-31-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2488-32-0x0000000004410000-0x0000000004450000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 02:08

Reported

2024-04-17 02:11

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 2964 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 3136 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDWzjRv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp"

C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
CH 79.134.225.44:7450 tcp (17 entries)
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1600-1-0x0000000000950000-0x0000000000A12000-memory.dmp

memory/1600-0-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/1600-2-0x0000000005900000-0x0000000005EA4000-memory.dmp

memory/1600-3-0x00000000053F0000-0x0000000005482000-memory.dmp

memory/1600-4-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/1600-5-0x0000000005490000-0x000000000549A000-memory.dmp

memory/1600-6-0x0000000007D20000-0x0000000007DBC000-memory.dmp

memory/1600-7-0x00000000065B0000-0x00000000065CA000-memory.dmp

memory/1600-8-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/1600-9-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/1600-10-0x00000000068B0000-0x0000000006934000-memory.dmp

memory/1600-11-0x0000000006B10000-0x0000000006B22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp

MD5 ac6b920cd4aea32fa188a35ff02facd0
SHA1 f537e2fa4cfca3f1bf5a0e78c91757c752fb0b62
SHA256 3b569c4ed3e46c043ac3131130da4c3508ecd3f3d26b1abb42972e4be6067e34
SHA512 13c51e5cef789f4c19fdbae440f99f6db1f139c9f2b5a386a3e05eb8e21f04c2d5707035de247c443d446ec1467a4d27bd3087b014ec8e9b85343f2e68049bd7

memory/3136-17-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f4cf3d6f128cd170a2285e2af9c67179_JaffaCakes118.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/3136-20-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/1600-21-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3136-22-0x0000000005040000-0x0000000005050000-memory.dmp

memory/3136-23-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3136-24-0x0000000005040000-0x0000000005050000-memory.dmp