Malware Analysis Report

2025-01-06 11:57

Sample ID 240603-fhkc4sca8y
Target 9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118
SHA256 22c39b9d9f1d371c87b160652b140e816f8293a9b3d71db860f049dd1c2265a7
Tags
evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

22c39b9d9f1d371c87b160652b140e816f8293a9b3d71db860f049dd1c2265a7

Threat Level: Likely malicious

The file 9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:52

Reported

2024-06-03 04:54

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe

"C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe" 4c8cb9ea222f583e2a631e08Zn4YmVBzconAIdQmc1UfCPXwTE8XZFFGzuGrxWv+ZRnd7sUWO8okHnqoEUwioCIDWerGcw8eg85Y/aBaWRNcEB0khl28zCQednD6i3oYvuVc4aV3mvqDEGkAXYYcFbBOXQZxyWlSsnu/pzhpFW1V7xrCUda9Az0h6xSpTLyJ /v "C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 th.symcd.com udp
US 152.199.19.74:80 th.symcd.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 00891.northstar.api.socdn.com udp
US 76.223.26.96:80 00891.northstar.api.socdn.com tcp
US 8.8.8.8:53 96.26.223.76.in-addr.arpa udp
US 76.223.26.96:80 00891.northstar.api.socdn.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\n1068\s1068.exe

MD5 39b961520af5ab4b1420140e76e0fd2f
SHA1 96c6c87fd9b46625e1f364d833a8231d463f0fd5
SHA256 0533cd8f934b9763d09a1e164ac02b67d6df34eb7584f783adaf7a777ce48cea
SHA512 69d86ce653e8f5ab7c9c45e9e05dd5a12b31d739fef0881e63c917fe0ccbe9177b59e92b33dd3774d53bdd1837abb571bea43fd1297ecf4359b607716454668a

memory/2308-12-0x00007FFC371B5000-0x00007FFC371B6000-memory.dmp

memory/2308-13-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-29-0x0000000001210000-0x0000000001220000-memory.dmp

memory/2308-32-0x000000001C780000-0x000000001CC4E000-memory.dmp

memory/2308-33-0x000000001CC50000-0x000000001CCEC000-memory.dmp

memory/2308-34-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-35-0x000000001CE30000-0x000000001CE92000-memory.dmp

memory/2308-36-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-37-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-38-0x0000000001440000-0x0000000001448000-memory.dmp

memory/2308-39-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-40-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-41-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-42-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-43-0x00007FFC371B5000-0x00007FFC371B6000-memory.dmp

memory/2308-44-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-45-0x00000000203C0000-0x00000000204FC000-memory.dmp

memory/2308-47-0x0000000020A10000-0x0000000020F1E000-memory.dmp

memory/2308-46-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-48-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-49-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-50-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

memory/2308-52-0x00007FFC36F00000-0x00007FFC378A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:52

Reported

2024-06-03 04:54

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9096b2dc00ff680a755c7fbd66c5f824_JaffaCakes118.exe"

Network

N/A

Files

N/A