Malware Analysis Report

2025-04-14 02:52

Sample ID 240603-jl1faahf48
Target 90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118
SHA256 06dcf0380bc567ba8e97ee6aca99f55107ee4b78be4835b42bcce46c621af9e8
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

06dcf0380bc567ba8e97ee6aca99f55107ee4b78be4835b42bcce46c621af9e8

Threat Level: Shows suspicious behavior

The file 90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118 was found to show suspicious behavior (score 7/10); no family tag was assigned.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:46

Reported

2024-06-03 07:48

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe

"C:\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe" ins.exe /t1023b576cd9b950c8e7a8b9867a54c /e9504441 /uc44c0242-e47d-11e2-b66b-00259033c1da

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.socdn.com udp
US 13.248.148.254:80 api.socdn.com tcp

Files

memory/1644-0-0x0000000000400000-0x000000000047C000-memory.dmp

memory/1644-5-0x0000000000820000-0x0000000000830000-memory.dmp

\Users\Admin\AppData\Local\Temp\ins2347\ins2347.exe

MD5 ae117f47bd80e5dcf72cf81347fceb73
SHA1 1cd3e4c5fc9fb317b7a8eae6c94d53078800b635
SHA256 49b0ec8a4000cb30f15b318bef4b6f59be2d0f7365be4c4b2b4fd5607e16e23c
SHA512 72d322ec9b13e9ede1967707129f2941328ec75487aa5ea205eab0780ef26c33f253204ce08932052a6ed19d13bd62e68b4f795ef17717b9f31e5a76a9f0c16f

memory/2180-17-0x00000000744D1000-0x00000000744D2000-memory.dmp

memory/2180-18-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/2180-19-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/1644-20-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2180-21-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/1644-22-0x0000000000400000-0x000000000047C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:46

Reported

2024-06-03 07:48

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90ff3115ec5fb4ffb20bd2ee4a9e0984_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe

"C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe" ins.exe /t1023b576cd9b950c8e7a8b9867a54c /e9504441 /uc44c0242-e47d-11e2-b66b-00259033c1da

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.socdn.com udp
US 13.248.148.254:80 api.socdn.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 254.148.248.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.248.148.254:80 api.socdn.com tcp
US 13.248.148.254:80 api.socdn.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
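The following Python script is an added triage example written for this page; it is not part of the sandbox report. It parses the behavioral2 network table and the dropped installer's command line as shown above: reverse lookups (in-addr.arpa) are dropped, repeated rows are folded into counts, and a domain that was only resolved is still reported. Treating the bing.com/bing.net traffic as background activity of the Windows 10 analysis VM is an assumption of the example (those rows are absent from the Windows 7 run, while api.socdn.com is contacted in both detonations). Reading each `/X...` token of the installer as a one-letter switch with an attached value is also an assumption; the report does not document the installer's syntax.

```python
"""Triage helper for the network table and dropped-installer command line of a sandbox
report (added example; input rows are copied from the report and embedded inline)."""
import re
import shlex
import uuid
from collections import defaultdict

# Constructed input: rows copied from the behavioral2 network table.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 api.socdn.com udp
US 13.248.148.254:80 api.socdn.com tcp
US 8.8.8.8:53 254.148.248.13.in-addr.arpa udp
US 13.248.148.254:80 api.socdn.com tcp
US 13.248.148.254:80 api.socdn.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Constructed input: the dropped installer's command line from the Processes section.
SAMPLE_CMDLINE = (r'"C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe" ins.exe '
                  r'/t1023b576cd9b950c8e7a8b9867a54c /e9504441 /uc44c0242-e47d-11e2-b66b-00259033c1da')

# Assumption of this example: bing.* traffic is background activity of the Windows 10
# analysis VM (it does not appear in the Windows 7 run), so it is filtered as noise.
NOISE_SUFFIXES = ("bing.com", "bing.net")
DNS_PORT = 53

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_network_table(text):
    """Parse 'Country Destination Domain Proto' rows; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def is_noise(domain):
    """Reverse lookups and allowlisted background domains carry no indicator value."""
    if domain.endswith(".in-addr.arpa"):
        return True
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def extract_indicators(text):
    """Return {domain: {"dns": n, "connections": {"ip:port/proto": n}}} for non-noise domains.

    Repeated rows are counted rather than dropped, and a domain that was only resolved
    (DNS query with no follow-up connection) is still reported."""
    out = defaultdict(lambda: {"dns": 0, "connections": defaultdict(int)})
    for r in parse_network_table(text):
        if is_noise(r["domain"]):
            continue
        if r["proto"] == "udp" and r["port"] == DNS_PORT:
            out[r["domain"]]["dns"] += 1
        else:
            out[r["domain"]]["connections"][f'{r["ip"]}:{r["port"]}/{r["proto"]}'] += 1
    return {d: {"dns": v["dns"], "connections": dict(v["connections"])} for d, v in out.items()}


def parse_installer_args(cmdline):
    """Split a Windows command line and collect '/Xvalue' tokens as {X: value}.

    Treating the character after '/' as a one-letter switch is an assumption about this
    installer, not something the report documents. A value that parses as a UUID has its
    version recorded (a version-1 UUID is time-based and embeds a node address)."""
    tokens = shlex.split(cmdline, posix=False)   # posix=False keeps backslashes and quotes intact
    exe, args = tokens[0].strip('"'), tokens[1:]
    switches = {tok[1]: tok[2:] for tok in args if tok.startswith("/") and len(tok) > 1}
    uuid_versions = {}
    for k, v in switches.items():
        try:
            uuid_versions[k] = uuid.UUID(v).version
        except ValueError:
            pass   # not a UUID (e.g. the 30-hex-digit /t value or the numeric /e value)
    return {"exe": exe, "positional": [a for a in args if not a.startswith("/")],
            "switches": switches, "uuid_versions": uuid_versions}


if __name__ == "__main__":
    for domain, info in extract_indicators(SAMPLE_NETWORK).items():
        print(domain, info)
    print(parse_installer_args(SAMPLE_CMDLINE))
```

Run against the rows above, the only domain left after filtering is api.socdn.com, with one DNS query and three TCP connections to 13.248.148.254:80; the installer's `/u` value is a version-1 UUID, the `/t` and `/e` values are not UUIDs. Extend NOISE_SUFFIXES per analysis image rather than globally: what is background on one platform may be the only signal on another.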

Files

memory/3588-0-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ins2350\ins2350.exe

MD5 ae117f47bd80e5dcf72cf81347fceb73
SHA1 1cd3e4c5fc9fb317b7a8eae6c94d53078800b635
SHA256 49b0ec8a4000cb30f15b318bef4b6f59be2d0f7365be4c4b2b4fd5607e16e23c
SHA512 72d322ec9b13e9ede1967707129f2941328ec75487aa5ea205eab0780ef26c33f253204ce08932052a6ed19d13bd62e68b4f795ef17717b9f31e5a76a9f0c16f

memory/4208-12-0x00000000735F2000-0x00000000735F3000-memory.dmp

memory/4208-13-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/4208-14-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/4208-17-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/4208-18-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/4208-19-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/4208-20-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/3588-21-0x0000000000400000-0x000000000047C000-memory.dmp

memory/4208-23-0x00000000735F0000-0x0000000073BA1000-memory.dmp

memory/3588-24-0x0000000000400000-0x000000000047C000-memory.dmp