Malware Analysis Report

2024-11-15 05:24

Sample ID 240613-fw4znsvgqa
Target a3f02b28e723d18556396300ec0db7d3_JaffaCakes118
SHA256 449e8c0dbb25b3b4c393f4e3f761ba0c9b05e63f00e27fc65b406703bd1c4346
Tags: discovery
Score: 7/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 7/10

SHA256: 449e8c0dbb25b3b4c393f4e3f761ba0c9b05e63f00e27fc65b406703bd1c4346

Threat Level: Shows suspicious behavior

The file a3f02b28e723d18556396300ec0db7d3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Checks installed software on the system

Maps connected drives based on registry

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 05:14

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 05:14

Reported: 2024-06-13 05:16

Platform: win7-20240611-en

Max time kernel: 122s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe"

Signatures

Checks installed software on the system

discovery

Maps connected drives based on registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | c1.getapplicationmy.info | udp |
| US | 8.8.8.8:53 | r1.getapplicationmy.info | udp |
| GB | 94.229.72.123:80 | c1.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | r1.getapplicationmy.info | tcp |
| US | 8.8.8.8:53 | c2.getapplicationmy.info | udp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| US | 8.8.8.8:53 | r2.getapplicationmy.info | udp |
| GB | 94.229.72.123:80 | r2.getapplicationmy.info | tcp |
| GB | 94.229.72.123:80 | r2.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| GB | 94.229.72.123:80 | r2.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |

Files

\Users\Admin\AppData\Local\Temp\Tsu7F198CCA.dll

MD5 af7ce801c8471c5cd19b366333c153c4
SHA1 4267749d020a362edbd25434ad65f98b073581f1
SHA256 cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA512 88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

\Users\Admin\AppData\Local\Temp\{C2D2F786-50CD-4F6C-AD87-18EF1931D570}\_Setup.dll

MD5 a475792794328d8a503568cbe38e8531
SHA1 47e5c4857f272898ed515e939f92cb9243b2ce2e
SHA256 2cd6c67a711059c2245615d80ee0e7d44a003b66d5577513b1dfb1bd7f1e7312
SHA512 3ea14ace569233dd69e730b4dfae4f1292d2e950aa26aceeae78715d0831ff6919d1bbf7c70ec256dd8a5db7f2d09ea4f29a564c125b54fdf8c7de2c78631184

\Users\Admin\AppData\Local\Temp\{C2D2F786-50CD-4F6C-AD87-18EF1931D570}\Custom.dll

MD5 736682c6d96bb1edc84e77041faae33d
SHA1 f8f6e20cd2aa23010b85ea289c3bc3cbdbc9ae26
SHA256 54346f2e36bdb512ef4f7d702f18e59a746f0b936786bc76a30e87de0a061f17
SHA512 fe24353f0f4acafbde7d8cec7a5078668f5e6cd0b06c3e0c96cb3fed0beb3c8af2becb1d97fcbb369ac38193827c8d8a440694c79b5da3180224377e38f53777

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 05:14

Reported: 2024-06-13 05:16

Platform: win10v2004-20240611-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe"

Signatures

Checks installed software on the system

discovery

Maps connected drives based on registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f02b28e723d18556396300ec0db7d3_JaffaCakes118.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | r1.getapplicationmy.info | udp |
| US | 8.8.8.8:53 | c1.getapplicationmy.info | udp |
| GB | 94.229.72.123:80 | r1.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | c1.getapplicationmy.info | tcp |
| US | 8.8.8.8:53 | r2.getapplicationmy.info | udp |
| GB | 94.229.72.123:80 | r2.getapplicationmy.info | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 123.72.229.94.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | c2.getapplicationmy.info | udp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.76.244.207.in-addr.arpa | udp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| US | 207.244.76.131:80 | c2.getapplicationmy.info | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |

Files

C:\Users\Admin\AppData\Local\Temp\Tsu7B97F25D.dll

MD5 af7ce801c8471c5cd19b366333c153c4
SHA1 4267749d020a362edbd25434ad65f98b073581f1
SHA256 cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA512 88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

C:\Users\Admin\AppData\Local\Temp\{2C34E789-9D33-48D0-AA3B-D511F7D7C57F}\_Setup.dll

MD5 a475792794328d8a503568cbe38e8531
SHA1 47e5c4857f272898ed515e939f92cb9243b2ce2e
SHA256 2cd6c67a711059c2245615d80ee0e7d44a003b66d5577513b1dfb1bd7f1e7312
SHA512 3ea14ace569233dd69e730b4dfae4f1292d2e950aa26aceeae78715d0831ff6919d1bbf7c70ec256dd8a5db7f2d09ea4f29a564c125b54fdf8c7de2c78631184

C:\Users\Admin\AppData\Local\Temp\{2C34E789-9D33-48D0-AA3B-D511F7D7C57F}\Custom.dll

MD5 736682c6d96bb1edc84e77041faae33d
SHA1 f8f6e20cd2aa23010b85ea289c3bc3cbdbc9ae26
SHA256 54346f2e36bdb512ef4f7d702f18e59a746f0b936786bc76a30e87de0a061f17
SHA512 fe24353f0f4acafbde7d8cec7a5078668f5e6cd0b06c3e0c96cb3fed0beb3c8af2becb1d97fcbb369ac38193827c8d8a440694c79b5da3180224377e38f53777