Malware Analysis Report

2024-07-11 07:31

Sample ID 240602-vz3ncahe41
Target 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118
SHA256 ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283
Tags
diamondfox botnet evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283

Threat Level: Known bad

The file 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet evasion stealer trojan

Windows security bypass

Diamondfox family

UAC bypass

DiamondFox

DiamondFox stealer

Drops file in Drivers directory

Executes dropped EXE

Windows security modification

Drops startup file

Loads dropped DLL

Deletes itself

Checks whether UAC is enabled

Enumerates physical storage devices

Unsigned PE

System policy modification

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-02 17:26

Signatures

DiamondFox stealer

Description Indicator Process Target
N/A N/A N/A N/A

Diamondfox family

diamondfox

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 17:26

Reported

2024-06-02 17:29

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox stealer

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0228275.xsph.ru udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 f0228275.xsph.ru udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 f0228275.xsph.ru udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp

Files

\Users\Admin\AppData\Roaming\svchost.exe

MD5 8eda529979d30636fb0fbb45c2da7977
SHA1 c8894ae2dc2d6f0225c72a2b19fb283a57f077fe
SHA256 ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283
SHA512 537a16d8dc253800d5225ee1f41135fe619df6c26491fe203632d385751f57a2aa8da5cd9bd4c6582b2f579751ce245aeea367fe106a90058a332d768982d44c

C:\Users\Admin\AppData\Local\Temp\Melt.bat

MD5 2b4ac925d0131af926415461d760ac8e
SHA1 edd325b6ac9903f1195b19f1b028a5067193e1cc
SHA256 6ae190034e591dae070cf5550514fae731b01ec06d7c379827f9633f85320732
SHA512 f669447506687bd5a0a76fbb76f6124f358b1866085c5ac16cfba95199a3c8becbc268a6360af0a04a3fdde0e09ac204d2b7b6a1e1034070360076617aab574d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 17:26

Reported

2024-06-02 17:29

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox stealer

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Melt.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0228275.xsph.ru udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
US 8.8.8.8:53 f0228275.xsph.ru udp
RU 141.8.197.42:80 f0228275.xsph.ru tcp
RU 141.8.197.42:80 f0228275.xsph.ru tcp

Files

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 8eda529979d30636fb0fbb45c2da7977
SHA1 c8894ae2dc2d6f0225c72a2b19fb283a57f077fe
SHA256 ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283
SHA512 537a16d8dc253800d5225ee1f41135fe619df6c26491fe203632d385751f57a2aa8da5cd9bd4c6582b2f579751ce245aeea367fe106a90058a332d768982d44c

C:\Users\Admin\AppData\Local\Temp\Melt.bat

MD5 2b4ac925d0131af926415461d760ac8e
SHA1 edd325b6ac9903f1195b19f1b028a5067193e1cc
SHA256 6ae190034e591dae070cf5550514fae731b01ec06d7c379827f9633f85320732
SHA512 f669447506687bd5a0a76fbb76f6124f358b1866085c5ac16cfba95199a3c8becbc268a6360af0a04a3fdde0e09ac204d2b7b6a1e1034070360076617aab574d