Malware Analysis Report

2025-01-17 23:20

Sample ID 240603-qpca7ahc66
Target 91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118
SHA256 12f84904d2b5289fadce4207bea971cb39cca70e6e91854d64644d79e8e845fa
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

12f84904d2b5289fadce4207bea971cb39cca70e6e91854d64644d79e8e845fa

Threat Level: Shows suspicious behavior

The file 91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 13:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 13:25

Reported

2024-06-03 13:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp" /SL5="$80182,4461876,52224,C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.hanzify.org udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/1480-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1480-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp

MD5 c37ef257e73cf99d88b4c0fd1052d642
SHA1 1ffcd1abc27c0de01271fe3b537fa8dffd28da79
SHA256 c3674acca6f7347f48d1f282d95b9a98f95c20347b70adadc6ed8d13a772fbdd
SHA512 62b795de46640e194603375e0f654266a35a83ad7bbe06699b97997a85adc0c2040ee3e3fbf44d307449ebb56b22536c343e8af994a32fe1b711424dc0040af4

memory/1208-10-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RM5FH.tmp\waterctrl.dll

MD5 103dc3f98191df59da4aeae79a48ade1
SHA1 78d6f1b8d1a02fd819a195a43d0cffd58d6162b1
SHA256 9f10c567d614e7c360778128d011fd3735b675ac6642d8f777b0f267347f7467
SHA512 33c4735975e5dcb43c6ecf56887370a076283d5ba5f6648343ed6ad0464ea95e5fc2c0f455587913e838aad149cf927b1d358d75af0ba8470e160bd5a0236089

memory/1480-19-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1208-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 13:25

Reported

2024-06-03 13:28

Platform

win7-20240220-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp" /SL5="$30156,4461876,52224,C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.hanzify.org udp

Files

memory/3036-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3036-2-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp

MD5 c37ef257e73cf99d88b4c0fd1052d642
SHA1 1ffcd1abc27c0de01271fe3b537fa8dffd28da79
SHA256 c3674acca6f7347f48d1f282d95b9a98f95c20347b70adadc6ed8d13a772fbdd
SHA512 62b795de46640e194603375e0f654266a35a83ad7bbe06699b97997a85adc0c2040ee3e3fbf44d307449ebb56b22536c343e8af994a32fe1b711424dc0040af4

memory/2888-9-0x0000000000400000-0x00000000004B4000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-I3U54.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-I3U54.tmp\waterctrl.dll

MD5 103dc3f98191df59da4aeae79a48ade1
SHA1 78d6f1b8d1a02fd819a195a43d0cffd58d6162b1
SHA256 9f10c567d614e7c360778128d011fd3735b675ac6642d8f777b0f267347f7467
SHA512 33c4735975e5dcb43c6ecf56887370a076283d5ba5f6648343ed6ad0464ea95e5fc2c0f455587913e838aad149cf927b1d358d75af0ba8470e160bd5a0236089

memory/3036-22-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2888-23-0x0000000000400000-0x00000000004B4000-memory.dmp