Malware Analysis Report

2025-01-02 07:34

Sample ID 240510-kkpstsgd63
Target 2e448c667bcf8ad88fe4348710d16538_JaffaCakes118
SHA256 4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb
Tags
privateloader loader
score
10/10


Analysis Overview

score
10/10

SHA256

4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb

Threat Level: Known bad

The file 2e448c667bcf8ad88fe4348710d16538_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

privateloader loader

Privateloader family

PrivateLoader

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 08:39

Signatures

Privateloader family

privateloader

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 08:39

Reported

2024-05-10 08:42

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe"

Signatures

PrivateLoader

loader privateloader

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe /q"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}" /IS_temp

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~26F3.tmp

MD5 8fa3208d5b60ec974c2ddb2781842837
SHA1 711a3b383d096261edd8be9c1fd19ea2458b356f
SHA256 48bc610ceb7407469ed19e7a90cc9739856000e71183ed9cabde7ca798766606
SHA512 e806bd270eba89de21b5f30f07fb49b9c1e2a3f9f88b43ac8a7d9650fee52f44376221d222ad0d339b18a38924fb9c05f3bf0ee741e1d3af376bbf24c9dfcf53

\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

MD5 2e448c667bcf8ad88fe4348710d16538
SHA1 8064fbca3b789366511fb3c87a9582e43b349e88
SHA256 4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb
SHA512 e24360da0a24d0ef56d67a1601d1909e925e2b9c519be08fecf535db3ea14ecd8441596991f02b953858d6c2525fa900ed34f9bd44bac308212346101cf584d4

C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\_ISMSIDEL.INI

MD5 96739555b12a230d46deaef794ac97c3
SHA1 4ffdeb148fb1b94e21cd8377aab8e75df7a60ec6
SHA256 cf70df7cb299f916118f1b2a3e714195abc173a4577e656dd38cefc2b95f5f64
SHA512 fde11f578f94075be14b6a2bae99b4c87054bdb6787237a547b9fbebc8c605473b74364569a4306c3b2864c884a7bc9b02977f0e7e891e0e1416ed5c1b121088

C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\0x0411.ini

MD5 76d722f8c2ba980e0f1ed27d09bb0da9
SHA1 313c885aa60959817b1cd9923d6ea0a780cf540f
SHA256 01b8625a29db41e0a190c0634ef3ee4f0878d2b56c92a407018b97bdf4ed7e7d
SHA512 e60d12477299892a93c596757c435f58b1818fd0b3cf154c822cd6f96249610cad7eb7e7f63fca563b401eab1296b4a7831377fb32c9437a3a506405e1b8a5f5

\Users\Admin\AppData\Local\Temp\_is27ED..dll

MD5 0ce4d3bd306da6d1f6f233c403f5b667
SHA1 15dd2e31c5e9dc223befc5cfb6ca01737b262412
SHA256 6428ad0bd3732a2038cd372a06563e84f33dcdab4e2b203b3f75be678690dcad
SHA512 4275103c2148945e0ea7afc666402c3fa37b6443fb298fb40d668269694057b394fc23e1aeac99236e3ffee1a05ecb3ae2d394df9ad219bc7b6bd67412670ae9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 08:39

Reported

2024-05-10 08:42

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe /q"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}" /IS_temp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.139:443 www.bing.com tcp
US 8.8.8.8:53 139.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~E36D.tmp

MD5 8fa3208d5b60ec974c2ddb2781842837
SHA1 711a3b383d096261edd8be9c1fd19ea2458b356f
SHA256 48bc610ceb7407469ed19e7a90cc9739856000e71183ed9cabde7ca798766606
SHA512 e806bd270eba89de21b5f30f07fb49b9c1e2a3f9f88b43ac8a7d9650fee52f44376221d222ad0d339b18a38924fb9c05f3bf0ee741e1d3af376bbf24c9dfcf53

C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe

MD5 2e448c667bcf8ad88fe4348710d16538
SHA1 8064fbca3b789366511fb3c87a9582e43b349e88
SHA256 4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb
SHA512 e24360da0a24d0ef56d67a1601d1909e925e2b9c519be08fecf535db3ea14ecd8441596991f02b953858d6c2525fa900ed34f9bd44bac308212346101cf584d4

C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\_ISMSIDEL.INI

MD5 4f5fa1a0a56656296d66c8bbd9e60a03
SHA1 e64a035924d52ecc9b127c8ca2f149e396f048c6
SHA256 1422474bc3edd78ffc24c682e441674197f55cfe3da0af0c7b76f1e905faa382
SHA512 6afaf1a38ce87c36ca53e8155ec91718fb483e6e5075b541bdab1cdf5060d6eaf7f5b84314b399f8a1178b9757ea762c25a2d2e38677c337448ef3a02ab9a1a7

C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\0x0411.ini

MD5 76d722f8c2ba980e0f1ed27d09bb0da9
SHA1 313c885aa60959817b1cd9923d6ea0a780cf540f
SHA256 01b8625a29db41e0a190c0634ef3ee4f0878d2b56c92a407018b97bdf4ed7e7d
SHA512 e60d12477299892a93c596757c435f58b1818fd0b3cf154c822cd6f96249610cad7eb7e7f63fca563b401eab1296b4a7831377fb32c9437a3a506405e1b8a5f5