Malware Analysis Report

2024-11-15 05:27

Sample ID 240613-br5yyssfmm
Target a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118
SHA256 b32eabfffa4d397b1c9b76e9a5d9f84221a24723a94efbd994d952fd86b4b3c4
Tags
discovery persistence spyware stealer upx
score
7/10

Analysis Overview

score
7/10

SHA256

b32eabfffa4d397b1c9b76e9a5d9f84221a24723a94efbd994d952fd86b4b3c4

Threat Level: Shows suspicious behavior

The file a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer upx

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:23

Reported

2024-06-13 01:26

Platform

win7-20240221-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe
Target: N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe"

Network

Country Destination Domain Proto
UA 78.30.251.84:80 tcp
UA 176.37.244.88:80 tcp
UA 176.103.16.89:80 tcp
KR 14.44.26.89:80 tcp
MD 46.55.67.89:80 tcp
UA 176.111.42.141:80 tcp
UA 109.95.35.142:80 tcp
RO 188.173.99.143:80 tcp
UA 109.86.140.145:80 tcp
RO 188.27.90.147:80 tcp
UA 5.248.173.56:80 tcp
RU 195.211.252.56:80 tcp
MD 89.41.65.57:80 tcp
UA 77.121.145.57:80 tcp
RO 188.173.164.58:80 tcp
YE 188.209.226.8:80 tcp
UA 94.154.238.9:80 tcp
UA 109.87.242.9:80 tcp
CL 179.56.103.10:80 tcp
RU 92.252.232.10:80 tcp
UA 94.158.94.111:80 tcp
UA 109.108.255.111:80 tcp
UA 109.86.154.114:80 tcp
HR 188.252.255.115:80 tcp
RU 46.172.199.117:80 tcp
UA 91.247.91.160:80 tcp
UA 46.185.116.162:80 tcp
CO 161.10.228.162:80 tcp
GE 178.236.62.163:80 tcp
UA 178.54.142.164:80 tcp
UA 178.150.167.110:80 tcp
NL 85.17.31.111:80 tcp
UA 94.154.37.111:80 tcp
CN 61.234.32.119:80 tcp
UA 178.74.215.119:80 tcp
UA 94.154.37.111:80 tcp
KZ 176.98.196.80:80 tcp
HR 109.60.69.91:80 tcp
RO 85.186.67.92:80 tcp
UA 62.149.10.94:80 tcp
UA 217.30.193.95:80 tcp
N/A 127.0.0.1:49238 tcp
N/A 212.92.246.183:80 tcp
N/A 188.240.120.184:80 tcp
N/A 194.38.99.187:80 tcp
N/A 109.162.31.189:80 tcp
N/A 46.150.86.191:80 tcp

Files

memory/1688-0-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/1688-1-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/1688-3-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/1688-13-0x0000000000400000-0x0000000001BD5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:23

Reported

2024-06-13 01:26

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe
Target: N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a358ee59fc0931f1ae2eae134e7b2959_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
UA 78.30.251.84:80 tcp
UA 176.37.244.88:80 tcp
UA 176.103.16.89:80 tcp
KR 14.44.26.89:80 tcp
MD 46.55.67.89:80 tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
UA 176.111.42.141:80 tcp
UA 109.95.35.142:80 tcp
RO 188.173.99.143:80 tcp
UA 109.86.140.145:80 tcp
RO 188.27.90.147:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
UA 5.248.173.56:80 tcp
RU 195.211.252.56:80 tcp
MD 89.41.65.57:80 tcp
UA 77.121.145.57:80 tcp
RO 188.173.164.58:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
YE 188.209.226.8:80 tcp
UA 94.154.238.9:80 tcp
UA 109.87.242.9:80 tcp
CL 179.56.103.10:80 tcp
RU 92.252.232.10:80 tcp
UA 94.158.94.111:80 tcp
UA 109.108.255.111:80 tcp
UA 109.86.154.114:80 tcp
HR 188.252.255.115:80 tcp
RU 46.172.199.117:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
UA 91.247.91.160:80 tcp
UA 46.185.116.162:80 tcp
CO 161.10.228.162:80 tcp
GE 178.236.62.163:80 tcp
UA 178.54.142.164:80 tcp
UA 178.150.167.110:80 tcp
NL 85.17.31.111:80 tcp
UA 94.154.37.111:80 tcp
CN 61.234.32.119:80 tcp
UA 178.74.215.119:80 tcp
N/A 127.0.0.1:51674 tcp
UA 94.154.37.111:80 tcp
US 8.8.8.8:53 111.37.154.94.in-addr.arpa udp

Files

memory/3284-0-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/3284-1-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/3284-4-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/3284-13-0x0000000000400000-0x0000000001BD5000-memory.dmp