Malware Analysis Report

2024-11-13 14:28

Sample ID 240604-ah2dqsfb35
Target 9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118
SHA256 297f5728b2745385894404fb56f2bdb83f6565cf74aafcc101c372022af152c6
Tags
poullight spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

297f5728b2745385894404fb56f2bdb83f6565cf74aafcc101c372022af152c6

Threat Level: Known bad

The file 9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

poullight spyware stealer trojan

Poullight Stealer payload

Poullight family

Poullight

Reads user/profile data of web browsers

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:13

Signatures

Poullight Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Poullight family

poullight

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:13

Reported

2024-06-04 00:16

Platform

win7-20240221-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe"

Signatures

Poullight

trojan stealer poullight

Poullight Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0427103.xsph.ru udp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp

Files

memory/1652-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

memory/1652-1-0x0000000001310000-0x0000000001330000-memory.dmp

memory/1652-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qwmzlrvf-k

MD5 cca646afddab881d02bb60864ff72e23
SHA1 25b462e62a0219857cc854f6433e8acea77e3dbc
SHA256 c7223e5de0b0db22b3e193b2d48215816c75472ccdf9330a0ab66d4731b2e49e
SHA512 c35da6cfe5e4a3f887a876b38b4e5b9e6d5c035cf8d6f20158f89ee14a196941fd6a29faa1f90f64cd253556536670773ec15cd358014d994483a8745c41587d

memory/1652-74-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

memory/1652-75-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:13

Reported

2024-06-04 00:16

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe"

Signatures

Poullight

trojan stealer poullight

Poullight Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9317bbbc3823a23e4f439649eb9a65a5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 f0427103.xsph.ru udp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 141.8.197.42:80 f0427103.xsph.ru tcp
RU 141.8.197.42:80 f0427103.xsph.ru tcp

Files

memory/2264-0-0x000001EC46360000-0x000001EC46380000-memory.dmp

memory/2264-1-0x00007FFA85653000-0x00007FFA85655000-memory.dmp

memory/2264-2-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

memory/2264-4-0x000001EC480A0000-0x000001EC480AA000-memory.dmp

memory/2264-29-0x000001EC61A50000-0x000001EC61C12000-memory.dmp

memory/2264-32-0x000001EC62150000-0x000001EC62678000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cz8rwivq

MD5 9df444e0de734921d4d96deeeac4b16e
SHA1 31542622ecf896b93d830e21595091aef8742901
SHA256 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900
SHA512 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957

memory/2264-49-0x000001EC609B0000-0x000001EC609C2000-memory.dmp

memory/2264-80-0x000001EC609D0000-0x000001EC609F4000-memory.dmp

memory/2264-82-0x00007FFA85653000-0x00007FFA85655000-memory.dmp

memory/2264-83-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

memory/2264-84-0x000001EC609D0000-0x000001EC609F4000-memory.dmp

memory/2264-94-0x000001EC609D0000-0x000001EC609F4000-memory.dmp