Malware Analysis Report

2025-04-14 03:14

Sample ID 240612-y34llasemn
Target a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118
SHA256 aaa5ad3087ec9011c36cd77d5611f8d88fe72fc933e2469bad1703344b318767
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

aaa5ad3087ec9011c36cd77d5611f8d88fe72fc933e2469bad1703344b318767

Threat Level: Shows suspicious behavior

The file a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary


Checks BIOS information in registry

Program crash

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 20:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 20:19

Reported

2024-06-12 20:22

Platform

win7-20240419-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe N/A
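Both runs report a read of HARDWARE\DESCRIPTION\System\SystemBiosVersion. The report only shows that the value was queried; what is done with it is not visible. The usual reason a sample reads this value (and its siblings under the same key) is to look for hypervisor vendor strings in the firmware identifiers Windows publishes there. The following added example (mine, not the sandbox's or the sample's code) implements that check offline against constructed registry values, and can read the same values live on a Windows host; the marker list is an assumption about what such samples typically compare against.

```python
"""Hypervisor markers in HKLM\\HARDWARE\\DESCRIPTION\\System firmware strings.

Added example: the check a read of SystemBiosVersion is usually part of.
The markers and the constructed sample values are assumptions, not data
from the report.
"""
import sys

# Vendor strings commonly found in guest firmware identifiers (assumption:
# the report does not show what the sample compares the value against).
HYPERVISOR_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS",
                      "XEN", "PARALLELS", "VRTUAL", "HYPER-V")

# Values under HKLM\HARDWARE\DESCRIPTION\System that are typically inspected;
# the report shows only SystemBiosVersion being queried.
FIRMWARE_VALUES = ("SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate")


def hypervisor_markers(values):
    """values: mapping of value name -> str or list of str (REG_MULTI_SZ).

    Returns a sorted list of (value name, marker) pairs for every marker
    found, so the caller can see which value gave the environment away."""
    hits = set()
    for name, data in values.items():
        parts = data if isinstance(data, (list, tuple)) else [data]
        for part in parts:
            upper = str(part).upper()
            for marker in HYPERVISOR_MARKERS:
                if marker in upper:
                    hits.add((name, marker))
    return sorted(hits)


def read_live_values():
    """Read FIRMWARE_VALUES from the local registry (Windows only; {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        for name in FIRMWARE_VALUES:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent on this build; nothing to inspect
    return out


# Constructed sample values (not taken from the report): a VirtualBox-style
# guest and a bare-metal laptop, to show one hit and one miss.
VIRTUALBOX_GUEST = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    "SystemBiosDate": "12/01/06",
}
BARE_METAL = {
    "SystemBiosVersion": ["LENOVO - 1150", "N2HET42W (1.25 )"],
    "VideoBiosVersion": ["Intel Video BIOS"],
    "SystemBiosDate": "03/14/22",
}

if __name__ == "__main__":
    for label, values in (("virtualbox guest", VIRTUALBOX_GUEST),
                          ("bare metal", BARE_METAL),
                          ("this host", read_live_values())):
        print(label, hypervisor_markers(values))
```

A sandbox that wants this check to pass must rewrite these values, not just hide the query; conversely, a detection that fires on every read of SystemBiosVersion will be noisy, because installers and hardware-inventory agents read it too, so the read is best treated as one weak signal among several.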

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe

Processes

Image / Command line
C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
    start
C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
    watch

Network

Country Destination Domain Proto
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
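The whole network record for this run is nine DNS queries for the same name and no connection afterwards. The following added example (mine, not part of the report or the sandbox) parses the table as printed above, counts lookups per name, flags names that never progress beyond DNS, and computes a few cheap lexical features of the leftmost label that are commonly used to spot algorithmically generated names. Treat the features as a triage hint, not a verdict: the table cannot tell whether the name failed to resolve or the C2 was simply unreachable from the sandbox.

```python
"""Triage the sandbox Network table: query counts, DNS-only names, label features.

Added example; the nine rows below are the report's own, the analysis is mine.
"""
import math
import re
from collections import Counter, defaultdict

# The behavioral1 Network table: header plus nine identical rows, as in the report.
NETWORK_TABLE = ("Country Destination Domain Proto\n"
                 + "US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp\n" * 9)

# One data row: country, ip:port, domain, proto. The header line does not match.
ROW_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (udp|tcp)$", re.M)


def parse_network_rows(text):
    """Return one dict per data row of a Network table."""
    return [{"country": c, "ip": ip, "port": int(port), "domain": d, "proto": p}
            for c, ip, port, d, p in ROW_RE.findall(text)]


def shannon_entropy(s):
    """Entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def label_features(fqdn):
    """Lexical features of the leftmost label, the part a DGA usually generates."""
    label = fqdn.split(".")[0].lower()
    vowels = sum(ch in "aeiou" for ch in label)
    longest = run = 0
    for ch in label:  # y and digits are treated as non-vowels; digits break a run
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        longest = max(longest, run)
    return {"label": label,
            "length": len(label),
            "entropy": round(shannon_entropy(label), 3),
            "vowel_ratio": round(vowels / len(label), 3) if label else 0.0,
            "longest_consonant_run": longest}


def dns_only_domains(rows):
    """Names that appear only in port-53 rows, i.e. were looked up but never
    connected to. Possible readings: NXDOMAIN, a sinkholed/unreachable C2, or
    a sandbox without outbound access; the table alone cannot separate them."""
    by_domain = defaultdict(list)
    for r in rows:
        by_domain[r["domain"]].append(r)
    return sorted(d for d, rs in by_domain.items() if all(r["port"] == 53 for r in rs))


def triage_network(text):
    """Per queried name: lookup count, DNS-only flag and label features."""
    rows = parse_network_rows(text)
    dns_only = set(dns_only_domains(rows))
    queries = Counter(r["domain"] for r in rows if r["port"] == 53)
    return [{"domain": d, "dns_queries": n, "dns_only": d in dns_only, **label_features(d)}
            for d, n in queries.most_common()]


if __name__ == "__main__":
    for finding in triage_network(NETWORK_TABLE):
        print(finding)
```

Repeated lookups of one name with no follow-on traffic is itself a useful hunting pattern in DNS logs (a client that asks the same resolver for the same failing name every few seconds), independent of how the name looks.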

Files

memory/2148-0-0x000000007EF90000-0x000000007EFAA000-memory.dmp

memory/2148-2-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-3-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-4-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-5-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-6-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-7-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-8-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-9-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-11-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-10-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-13-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-12-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-14-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-17-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-18-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-19-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-22-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-23-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-26-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-36-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2352-42-0x0000000000400000-0x00000000004CE000-memory.dmp
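The WriteProcessMemory signature, the process list and the memory dumps of this run describe one pattern: PID 2148 writes four times each into PIDs 3036 and 2352, the writer and both targets are the same executable, and the sandbox dumps the same 0x400000-0x4CE000 region (the image of the sample) from all three. The following added example (mine, not the sandbox's code) parses those three parts of the report as printed above and reports, per writer/target pair, the number of writes, whether the target is a copy of the writer's own image, and which dumped regions the two share. The report does not give PIDs for the "start" and "watch" processes, so the code makes no claim about which child is which.

```python
"""Correlate WriteProcessMemory rows with memory dump names from the report.

Added example; the rows and dump names are copied from the report, the
parsing and the same-image / shared-region checks are mine.
"""
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table.
SIGNATURE_ROWS = r"""
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
PID 2148 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
"""

# A subset of the dump names from the Files section (one per PID/region is enough).
DUMP_NAMES = [
    "memory/2148-0-0x000000007EF90000-0x000000007EFAA000-memory.dmp",
    "memory/2148-2-0x0000000000400000-0x00000000004CE000-memory.dmp",
    "memory/3036-3-0x0000000000400000-0x00000000004CE000-memory.dmp",
    "memory/2352-4-0x0000000000400000-0x00000000004CE000-memory.dmp",
    "memory/3036-5-0x0000000000400000-0x00000000004CE000-memory.dmp",
    "memory/2352-42-0x0000000000400000-0x00000000004CE000-memory.dmp",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$", re.M)
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_wpm_rows(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    return [(int(a), int(b), s, d) for a, b, s, d in WPM_RE.findall(text)]


def write_counts(events):
    """Number of reported WriteProcessMemory calls per (writer, target) pair."""
    return Counter((src, dst) for src, dst, _, _ in events)


def dumped_regions(names):
    """Map pid -> set of (start, end) ranges the sandbox dumped for it."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return dict(regions)


def triage(rows, dump_names):
    """Per writer/target pair: write count, same-image flag, shared dumped regions.

    A process writing into freshly spawned copies of itself, with the image
    region dumped from every copy, is the shape of self-injection into child
    processes; the report shows the writes and the dumps, not their content."""
    events = parse_wpm_rows(rows)
    regions = dumped_regions(dump_names)
    findings = []
    for (src, dst), n in sorted(write_counts(events).items()):
        same_image = any(si.lower() == di.lower()
                         for s, d, si, di in events if (s, d) == (src, dst))
        shared = sorted(regions.get(src, set()) & regions.get(dst, set()))
        findings.append({"writer": src, "target": dst, "writes": n,
                         "same_image": same_image, "shared_dumped_regions": shared})
    return findings


if __name__ == "__main__":
    for finding in triage(SIGNATURE_ROWS, DUMP_NAMES):
        print(finding)
```

For the Windows 10 run the same correlation is not available: the parent (PID 4268) crashed into WerFault before the sandbox recorded any WriteProcessMemory rows, although the same image region was still dumped from the two children, 4460 and 4488.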

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 20:19

Reported

2024-06-12 20:22

Platform

win10v2004-20240508-en

Max time kernel

43s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe N/A

Processes

Image / Command line
C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 700
C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
    start
C:\Users\Admin\AppData\Local\Temp\a22cfe45e6506faed5a82de112d6d6e9_JaffaCakes118.exe
    watch
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 700
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 700

Network

Country Destination Domain Proto
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp
US 8.8.8.8:53 bkjyuokuybiyp.increase-sixty.ru udp

Files

memory/4268-0-0x000000007FE30000-0x000000007FE4A000-memory.dmp

memory/4268-1-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4268-4-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4268-3-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-5-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-6-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-7-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-8-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-9-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-11-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-12-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-18-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-17-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-16-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-15-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-14-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-13-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-10-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-23-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-22-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-21-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-20-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-19-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-24-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-25-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-34-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-33-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-32-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-31-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-30-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-29-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-28-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-27-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-26-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-37-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-38-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-40-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-39-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-43-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-45-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-54-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-58-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-57-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-56-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-55-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-53-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-52-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-51-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-50-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-49-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-48-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-47-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-46-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-44-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-59-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-61-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-67-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-66-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-65-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-64-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-63-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-62-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-60-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-68-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-69-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-75-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-74-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-73-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-72-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-71-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-70-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-77-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-78-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-80-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-82-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-81-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4460-79-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-84-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-93-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-92-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-91-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-90-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-89-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-88-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-87-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-86-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-85-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-97-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-98-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-96-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-95-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4488-94-0x0000000000400000-0x00000000004CE000-memory.dmp