Malware Analysis Report

2024-09-23 06:04

Sample ID 240605-fnsxfafg37
Target 973ce084c185c644578572d6a06676b6_JaffaCakes118
SHA256 07768bcab0896901a06d6650a84c35597358eb3c25ee490a7ea23f20cd7eda52
Tags
gandcrab backdoor ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07768bcab0896901a06d6650a84c35597358eb3c25ee490a7ea23f20cd7eda52

Threat Level: Known bad

The file 973ce084c185c644578572d6a06676b6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor ransomware

GandCrab payload

Gandcrab family

Gandcrab

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-05 05:02

Signatures

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A

Gandcrab family

gandcrab

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 05:01

Reported

2024-06-05 05:14

Platform

win7-20240220-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\973ce084c185c644578572d6a06676b6_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\973ce084c185c644578572d6a06676b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\973ce084c185c644578572d6a06676b6_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 124

Network

N/A

Files

memory/2904-0-0x000000000FCD0000-0x000000000FCE69F8-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 05:01

Reported

2024-06-05 05:15

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\973ce084c185c644578572d6a06676b6_JaffaCakes118.exe"

Signatures

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gandcrab

ransomware backdoor gandcrab

Processes

C:\Users\Admin\AppData\Local\Temp\973ce084c185c644578572d6a06676b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\973ce084c185c644578572d6a06676b6_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/1904-0-0x000000000F950000-0x000000000F9669F8-memory.dmp

memory/1904-1-0x000000000F950000-0x000000000F9669F8-memory.dmp