Malware Analysis Report

2025-04-14 04:33

Sample ID 240612-w44xmsvfjb
Target a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118
SHA256 2a25b5d94792b3a014f279dfabf23a59bcc3857a664a9ba790944d2ad48a86c9
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a25b5d94792b3a014f279dfabf23a59bcc3857a664a9ba790944d2ad48a86c9

Threat Level: Known bad

The file a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:29

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\444a6fdf = "ÿN7ýä\föÊ&oæëã‹R¯(&^-`\x05GB*EÞºWÒþ\x12\nr!Z’\x14¶JE\fjZ\x1ay\x1c\x12qá9Š\x119#\u00adBJZ’!º\x1crÑlžòz\x12ÚÊú‚$Šëéf²½‘>Ñ:\x13ñƒ2¡»RJIÂk²z\x1a9¡Jò!äBÂmd1âeýêRÚSRrôÔ„\u0081\n²Yî‘\x1et¢:å1\x13bÒ\x0e#Šùû\u00adŠþÉ’Ò~š‚¡ñ”\nòì|å’Z2š’ìÁ²\v$ÕyÚÂ)ü:$c<J.ŠÂ<úz]ªb\n¬œº4‹´3Ûz\x1aË&TüJšÛôjæ-¶ÔÚBöMqêºbTêTõb]Üú\x12~2Jœî¥j\x11Ñ\nœe*¢1™Ûú«\x1eUþ\u008d´\x1aJ\x1bŽ)b"
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\444a6fdf = "ÿN7ýä\föÊ&oæëã‹R¯(&^-`\x05GB*EÞºWÒþ\x12\nr!Z’\x14¶JE\fjZ\x1ay\x1c\x12qá9Š\x119#\u00adBJZ’!º\x1crÑlžòz\x12ÚÊú‚$Šëéf²½‘>Ñ:\x13ñƒ2¡»RJIÂk²z\x1a9¡Jò!äBÂmd1âeýêRÚSRrôÔ„\u0081\n²Yî‘\x1et¢:å1\x13bÒ\x0e#Šùû\u00adŠþÉ’Ò~š‚¡ñ”\nòì|å’Z2š’ìÁ²\v$ÕyÚÂ)ü:$c<J.ŠÂ<úz]ªb\n¬œº4‹´3Ûz\x1aË&TüJšÛôjæ-¶ÔÚBöMqêºbTêTõb]Üú\x12~2Jœî¥j\x11Ñ\nœe*¢1™Ûú«\x1eUþ\u008d´\x1aJ\x1bŽ)b"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp

Files

\Windows\AppPatch\svchost.exe

MD5 1a4d3917e20b70fb7c26194deb0b40f9
SHA1 cef6429b496c0bb4dd481687aa44e34b710d9825
SHA256 421763ec9ecbb49f320bb917e75f808e5a847b0208fca8db98a59eaf458d028f
SHA512 e5f89b83d835e51cf908d4d792422da13142616a7ec6fc75881df944838424c794591c79d107b5f364b7e7942c33ec79ed9896e90f1183ed404861491986cc29

memory/1736-13-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1996-14-0x00000000021A0000-0x0000000002248000-memory.dmp

memory/1996-22-0x00000000021A0000-0x0000000002248000-memory.dmp

memory/1996-20-0x00000000021A0000-0x0000000002248000-memory.dmp

memory/1996-18-0x00000000021A0000-0x0000000002248000-memory.dmp

memory/1996-16-0x00000000021A0000-0x0000000002248000-memory.dmp

memory/1996-24-0x00000000021A0000-0x0000000002248000-memory.dmp

memory/1996-25-0x0000000002350000-0x0000000002406000-memory.dmp

memory/1996-27-0x0000000002350000-0x0000000002406000-memory.dmp

memory/1996-31-0x0000000002350000-0x0000000002406000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3a4f0a00 = "–ÖúbQ€:Ä;ýѯv\x06\x14Y_\x15<§\u008f‚ß\rœ‡t+ž„²ßV¼Ì¨U.´/\x1bάŽ_–\x15£í”uÝ\x1c<$N¦\x1f\\..6†uu”.\v›pæ“–\f#ŸK,¾H†„à¿‹L\u009d[¾†\u009d´6ï”TÈF½-tÎã<¤“\x18H{$•¸çç…—^ <>ãÓ|wÖÔŽDÕ›.æVvý\x1cu{Uë|\x1c\fΞw\b»¯\x1c½f»?s7\v;]<\u008d\x0e\v}ÞlÅ\x13¬\x18¼\x18wö|ÀF¼SȇÔ-KŒh•äý\x1e~Ó—5lgn«U\bµƒÓF…ÎÐHÛÝŒåc«Ìä/T& ”^›õ#®–<ßæ0Õwp\x7fÆ„ÄtÔ_Ö€þ¬>Ó§P.\x14dMT\x1c=Ý"
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3a4f0a00 = "–ÖúbQ€:Ä;ýѯv\x06\x14Y_\x15<§\u008f‚ß\rœ‡t+ž„²ßV¼Ì¨U.´/\x1bάŽ_–\x15£í”uÝ\x1c<$N¦\x1f\\..6†uu”.\v›pæ“–\f#ŸK,¾H†„à¿‹L\u009d[¾†\u009d´6ï”TÈF½-tÎã<¤“\x18H{$•¸çç…—^ <>ãÓ|wÖÔŽDÕ›.æVvý\x1cu{Uë|\x1c\fΞw\b»¯\x1c½f»?s7\v;]<\u008d\x0e\v}ÞlÅ\x13¬\x18¼\x18wö|ÀF¼SȇÔ-KŒh•äý\x1e~Ó—5lgn«U\bµƒÓF…ÎÐHÛÝŒåc«Ìä/T& ”^›õ#®–<ßæ0Õwp\x7fÆ„ÄtÔ_Ö€þ¬>Ó§P.\x14dMT\x1c=Ý"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp

Files

C:\Windows\apppatch\svchost.exe

MD5 6cde2fbb3e7380533540f1e7c3717c34
SHA1 c5f7632a1a4504a233b900fe1dedc1233f0f5ba4
SHA256 1e95ca2377b67497e3ae350a0bffb72e3173a12a9fe67a685ffa1f701500e9f0
SHA512 c0e8ba27c8b39223ff7e7eb02f265f971470340ed80147651ec5511e59fac1f37e9112636f95563cf990c66ddee92b5501977b869a460c84e93504af1ab45c0a

memory/1356-9-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3140-10-0x0000000002940000-0x00000000029E8000-memory.dmp

memory/3140-11-0x0000000002B30000-0x0000000002BE6000-memory.dmp

memory/3140-15-0x0000000002B30000-0x0000000002BE6000-memory.dmp

memory/3140-13-0x0000000002B30000-0x0000000002BE6000-memory.dmp