Malware Analysis Report

2025-01-18 02:35

Sample ID 240613-bmrwjasdql
Target a3528c863eae765001ffaca41052d589_JaffaCakes118
SHA256 55ac0ad40cd8d7f3d7bbe57e58358531dba087a4b53fdaf0a4e1cd00025a4394
score
7/10

Analysis Overview

score
7/10

SHA256

55ac0ad40cd8d7f3d7bbe57e58358531dba087a4b53fdaf0a4e1cd00025a4394

Threat Level: Shows suspicious behavior

The file a3528c863eae765001ffaca41052d589_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:16

Reported

2024-06-13 01:18

Platform

win7-20240220-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe

"C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe"

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe

MD5 cafb07e48d2737d53e876ae48a05e4c4
SHA1 de510cd044ae9ae3bb4f47de40f6e7d34f0ada61
SHA256 b3f57f8669dd45536c78000b35d7144504d2ddac0eb6a526206068c91e0062bd
SHA512 4f2eb0843a4fcb74c6bcbcd58b27f16d394e49a81b5c7aa4f2a67d2ea82b04e6cb32035c5933045d925b50fcabbe8211b8d90c3e65c65031a0fdac189bcca802

memory/2368-7-0x0000000000360000-0x0000000000366000-memory.dmp

memory/2368-8-0x0000000000870000-0x00000000008B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\parent.txt

MD5 a3528c863eae765001ffaca41052d589
SHA1 0f178d6e483c40f10574344ff23d558c6b85d92d
SHA256 55ac0ad40cd8d7f3d7bbe57e58358531dba087a4b53fdaf0a4e1cd00025a4394
SHA512 a7fe701f72a387fba9314c5bab62615466d5c3c0b999896253f7871ee6818eacb0afbb36e2087b306ae78c01458da560bebd748ca4365d3680589d5a1714580c

memory/2368-17-0x0000000021450000-0x0000000021BF6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:16

Reported

2024-06-13 01:18

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3528c863eae765001ffaca41052d589_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe

"C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dtrack.secdls.com udp
US 8.8.8.8:53 dtrack.secdls.com udp
US 8.8.8.8:53 dtrack.secdls.com udp

Files

C:\Users\Admin\AppData\Local\Temp\wrgyfexvodhojl.exe

MD5 cafb07e48d2737d53e876ae48a05e4c4
SHA1 de510cd044ae9ae3bb4f47de40f6e7d34f0ada61
SHA256 b3f57f8669dd45536c78000b35d7144504d2ddac0eb6a526206068c91e0062bd
SHA512 4f2eb0843a4fcb74c6bcbcd58b27f16d394e49a81b5c7aa4f2a67d2ea82b04e6cb32035c5933045d925b50fcabbe8211b8d90c3e65c65031a0fdac189bcca802

memory/1480-2-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp

memory/1480-3-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp

memory/1480-4-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

memory/1480-5-0x000000001B8F0000-0x000000001B934000-memory.dmp

memory/1480-6-0x000000001BE00000-0x000000001C2CE000-memory.dmp

memory/1480-7-0x000000001C370000-0x000000001C40C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\parent.txt

MD5 a3528c863eae765001ffaca41052d589
SHA1 0f178d6e483c40f10574344ff23d558c6b85d92d
SHA256 55ac0ad40cd8d7f3d7bbe57e58358531dba087a4b53fdaf0a4e1cd00025a4394
SHA512 a7fe701f72a387fba9314c5bab62615466d5c3c0b999896253f7871ee6818eacb0afbb36e2087b306ae78c01458da560bebd748ca4365d3680589d5a1714580c

memory/1480-11-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp

memory/1480-10-0x000000001B640000-0x000000001B648000-memory.dmp

memory/1480-12-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp

memory/1480-13-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp

memory/1480-14-0x000000001FA60000-0x000000001FAC2000-memory.dmp

memory/1480-15-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp

memory/1480-26-0x0000000021FB0000-0x0000000022756000-memory.dmp

memory/1480-27-0x00007FFF7A130000-0x00007FFF7A3F9000-memory.dmp