Malware Analysis Report

2025-03-14 22:10

Sample ID: 240613-e4sqyaxgnp
Target: a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118
SHA256: 8e2aa6984e3a2000d4bbb71717233a8160f526b22eff47c950e148e567f360ed
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 8e2aa6984e3a2000d4bbb71717233a8160f526b22eff47c950e148e567f360ed

Threat Level: Shows suspicious behavior

The file a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Deletes itself

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 04:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 04:30
Reported: 2024-06-13 04:32
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zyov = "C:\\Users\\Admin\\AppData\\Roaming\\Ipbahy\\zyov.exe" C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1008 set thread context of 2484 N/A C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe
PID 1444 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe C:\Windows\system32\Dwm.exe
PID 1444 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe C:\Windows\system32\taskhost.exe
PID 1444 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe C:\Windows\Explorer.EXE
PID 1444 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe
PID 1008 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe

"C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\VUP2799.bat"

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe

MD5 0cad14653c713f1aa305a48097a146d9
SHA1 9c75d1675fd6beacf1c449b909680d5278b94191
SHA256 a0ee91feaaccfe8f6695b7212072b4c2f6b3737d73c04c783479618bb87a0d35
SHA512 b1ec36fd1749bf53210addbc7f44a8c8706412f00d781d14109f73dea55cbe4d925295048127fd9e6c4069aed3bc2c1e4a3e692a53b83b4debb895eca868ef6a

C:\Users\Admin\AppData\Local\Temp\VUP2799.bat

MD5 ea03e3af3cd85e601242c1fa7a57eb17
SHA1 973c77f82b44116de152e4134dbe8e1f3ac3706c
SHA256 ff6ad21b96d4f38fe09ff0c23ac54590d956e5be9db2df88cd40767b66d957f8
SHA512 121bf2fb7e6b56864c29ff149f8cc12440e3899b6abd596ea6ee98b2f6679ec38fd4c2ee6594c38ca76421d0cdf69257091d3509f93184fe4b75eac338ab6b5d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 04:30
Reported: 2024-06-13 04:32
Platform: win10v2004-20240611-en
Max time kernel: 92s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 760 -ip 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 760 -ip 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 440

Network

Country Destination Domain Proto

Files

N/A