Malware Analysis Report

2025-01-02 12:10

Sample ID 240419-rvzt4seg29
Target fa81aab0bc348b79744852e65e2043df_JaffaCakes118
SHA256 1137a722df5bf7b96cdbf121282b328f429b895aa60f8a0caf120177303e1299
Tags
asyncrat default evasion rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

1137a722df5bf7b96cdbf121282b328f429b895aa60f8a0caf120177303e1299

Threat Level: Known bad

The file fa81aab0bc348b79744852e65e2043df_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

asyncrat default evasion rat

AsyncRat

Async RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:31

Reported

2024-04-19 14:34

Platform

win7-20240215-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "2e31a76-d46e-4625-bee5-4fb923fc49f5" /tr '"C:\Users\Admin\AppData\Local\Temp\2e31a76-d46e-4625-bee5-4fb923fc49f5.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "2e31a76-d46e-4625-bee5-4fb923fc49f5" /tr '"C:\Users\Admin\AppData\Local\Temp\2e31a76-d46e-4625-bee5-4fb923fc49f5.exe"'

Network

Country Destination Domain Proto
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:31

Reported

2024-04-19 14:34

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "2e31a76-d46e-4625-bee5-4fb923fc49f5" /tr '"C:\Users\Admin\AppData\Local\Temp\2e31a76-d46e-4625-bee5-4fb923fc49f5.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "2e31a76-d46e-4625-bee5-4fb923fc49f5" /tr '"C:\Users\Admin\AppData\Local\Temp\2e31a76-d46e-4625-bee5-4fb923fc49f5.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 51.143.89.185:8080 tcp
US 51.143.89.185:8080 tcp

Files
