Malware Analysis Report

2025-01-06 10:18

Sample ID 240601-e14zssad58
Target 895b93515b3798e4567e50fda270ae04_JaffaCakes118
SHA256 524233df22b5be7d949d962ee13011113d24978ff6ca5ca6dcc05cfa2fa8f75c
Tags evasion spyware stealer trojan
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

524233df22b5be7d949d962ee13011113d24978ff6ca5ca6dcc05cfa2fa8f75c

Threat Level: Shows suspicious behavior

The file 895b93515b3798e4567e50fda270ae04_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

evasion spyware stealer trojan

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:25

Reported

2024-06-01 04:27

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\LocalLow\cookieman.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncreaseQuotaPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe"

C:\Users\Admin\AppData\LocalLow\cookieman.exe

"C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read 1-vinstaller.com

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          1-vinstaller.com  udp
US       172.120.151.124:80  1-vinstaller.com  tcp
US       172.120.151.124:80  1-vinstaller.com  tcp

Files

C:\Users\Admin\AppData\LocalLow\cookieman.exe

MD5 159fa93d571585d6f50206447e8bf7b7
SHA1 a21d571e777f5f70026180ea8f5169fe576af8c0
SHA256 01b7f78fa31081cc2b75225cb5720fbae4d3a47a7d4d097673beadd9abf967fd
SHA512 7d625268e65ef91ffdedceca411dcff3df4b8bf738a9bbac019c34e3e734221f3a6444229f0a3afc6c682693ecef25b1795779187a01a3a7c96e446fc96d74c1

C:\Users\Admin\AppData\LocalLow\cookie.ini

MD5 3f4519b56cb1e006dfe4341e72112913
SHA1 0ff5675d359c898b6a6bdc1dff10f71097bc9927
SHA256 125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2
SHA512 78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

C:\Users\Admin\AppData\Local\Temp\qs_419191e30\config.xml

MD5 a4314c3565d400d9a0798c655f910147
SHA1 3c677e37b2e9ec52fd8da3463cd2ddcf0f2e3670
SHA256 a36cc1a1319a0b44d969a449d3c4ce64e93653fa0d668e34e1dbc498e52cf7c1
SHA512 1896758418433806f2ca0c6bfd7cf35a7f20a9ec678c04107928d9b2858bf092f9213b234d8333d2c15da76cf3e4706ca52cdc01d12c2b0fd90e27b26ab3f998

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:25

Reported

2024-06-01 04:28

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\LocalLow\cookieman.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncreaseQuotaPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe"

C:\Users\Admin\AppData\LocalLow\cookieman.exe

"C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read 1-vinstaller.com

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53          1-vinstaller.com              udp
US       172.120.151.124:80  1-vinstaller.com              tcp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          124.151.120.172.in-addr.arpa  udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa    udp
US       172.120.151.124:80  1-vinstaller.com              tcp
US       8.8.8.8:53          82.90.14.23.in-addr.arpa      udp
US       8.8.8.8:53          22.236.111.52.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\LocalLow\cookieman.exe

MD5 159fa93d571585d6f50206447e8bf7b7
SHA1 a21d571e777f5f70026180ea8f5169fe576af8c0
SHA256 01b7f78fa31081cc2b75225cb5720fbae4d3a47a7d4d097673beadd9abf967fd
SHA512 7d625268e65ef91ffdedceca411dcff3df4b8bf738a9bbac019c34e3e734221f3a6444229f0a3afc6c682693ecef25b1795779187a01a3a7c96e446fc96d74c1

C:\Users\Admin\AppData\LocalLow\cookie.ini

MD5 3f4519b56cb1e006dfe4341e72112913
SHA1 0ff5675d359c898b6a6bdc1dff10f71097bc9927
SHA256 125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2
SHA512 78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

C:\Users\Admin\AppData\Local\Temp\qs_4191f15a0\config.xml

MD5 a4314c3565d400d9a0798c655f910147
SHA1 3c677e37b2e9ec52fd8da3463cd2ddcf0f2e3670
SHA256 a36cc1a1319a0b44d969a449d3c4ce64e93653fa0d668e34e1dbc498e52cf7c1
SHA512 1896758418433806f2ca0c6bfd7cf35a7f20a9ec678c04107928d9b2858bf092f9213b234d8333d2c15da76cf3e4706ca52cdc01d12c2b0fd90e27b26ab3f998