Malware Analysis Report

2025-01-18 01:09

Sample ID 240613-g89lcs1gll
Target a434b7b44fb85747906dace0bd727cb2_JaffaCakes118
SHA256 36f0269e398ecd7bddbb888c02a52931956db56900e7a4eac4fe28fc73922de2
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

36f0269e398ecd7bddbb888c02a52931956db56900e7a4eac4fe28fc73922de2

Threat Level: Shows suspicious behavior

The file a434b7b44fb85747906dace0bd727cb2_JaffaCakes118 was classified as: Shows suspicious behavior.

In both detonations the sample creates a GUID-named directory under %TEMP%, runs the dropped 9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe from that directory with the switches -y -pB39AC11C-D47C-4D56-9930-8C4F4F603C86, and launches mshta.exe on the dropped start.hta. Each run also queries DNS for service.srvmd7.com repeatedly, and neither run records a TCP connection to that host.

Malicious Activity Summary


Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 06:32

Platform

win7-20240508-en

Max time kernel

144s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 2216 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe
PID 2480 wrote to memory of 2932 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe | C:\Windows\SysWOW64\mshta.exe

Both targets are processes the sample itself spawned (see Processes below), so these writes are consistent with ordinary process creation by the parent; a write into a process the sample did not spawn would be the stronger injection signal.

Processes

C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe

"C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe" -y -pB39AC11C-D47C-4D56-9930-8C4F4F603C86

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\start.hta

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | service.srvmd7.com | udp (11 identical queries)

Files

\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe

MD5 3749b22795cd43612be594d718c10802
SHA1 8e3aca013f9e3ea42f22c63a80c6f4273939dda0
SHA256 aa6321c54d6912d33bc43c5f7f01fa86e20547fe9e5075f223e2002b2676a6ec
SHA512 1e45c68b172cbd8ad890b4b232b74b0db2363e0eef12f440b0e369d760885ca0392d6de4ab7f7db211e1840f776a12a6cd2b0f66d97718525348ea28500edad9

C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\lib92437.dll

MD5 2dbd78a63dfb379b5afd044e66b5594d
SHA1 4c0595fa79093c3783ac2dd001c81ce3eacbba7e
SHA256 97ccdb25d92977f52096b5d8b52d4f799d72bd81d471390907e0571631490e4c
SHA512 1c8da2a4fc25fd2e7f1360d02fc5a138aaf8ce1ea5804ce683cafdae88897f1035b472ae35843338556909c4704da9a5ab5ed2749a87fbda9381f6f1cf3e0c00

C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\start.hta

MD5 9bbdda852677117290a7a3f130638079
SHA1 48390e93abf77599ae64023160cb8ae143189777
SHA256 6e8fcc04c8bf6e07448f7bd47cb304f374873045355b66e160db965ca9685f34
SHA512 1d94b9074ac16cc84b76209a258313282437019838c6b759f8e1c9a665ea104b1e5d197c42b5896b4d89fe7087501017d13a5912272084592c5a218dc635aaa9

C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5\loader.gif

MD5 e88ebd85dd56110ac6ea93fe0922988e
SHA1 684a31d864d33ff736234c41ac4e8d2c7f90d5ae
SHA256 379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb
SHA512 211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 06:32

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe

"C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe" -y -pB39AC11C-D47C-4D56-9930-8C4F4F603C86

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\start.hta

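The same three-process chain appears in both detonations, and the behavioral1 "Suspicious use of WriteProcessMemory" signature lists only the sample's two children as targets. The Python below is an added example, not part of this report and not any sandbox's own code: it builds a process tree from records constructed out of the PIDs and command lines shown on this page (behavioral2 gives no PIDs, so behavioral1's are reused; the sample's parent PID 1000 is an assumption), flags the mshta-on-.hta-from-%TEMP% and GUID-directory-executable-with-password-switch patterns, and separates memory writes into a spawned child from writes into any other process. Reading -y -p<value> as a password-protected self-extracting archive is an assumption; the page does not identify the packer.

```python
"""Added example (not part of the sandbox report): triage the process chain
and the WriteProcessMemory events of this report.

Records are constructed from values on the page: PIDs 2480, 2216, 2932 and
the three command lines from behavioral1. PPID 1000 for the sample is an
assumption (the page gives no parent for it)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\a434b7b44fb85747906dace0bd727cb2_JaffaCakes118.exe"
DROP_DIR = TEMP + r"\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5"
STAGE2 = DROP_DIR + r"\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe"

PROCS = [
    Proc(2480, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(2216, 2480, STAGE2,
         f'"{STAGE2}" -y -pB39AC11C-D47C-4D56-9930-8C4F4F603C86'),
    Proc(2932, 2480, r"C:\Windows\SysWOW64\mshta.exe",
         f'"C:\\Windows\\System32\\mshta.exe" {DROP_DIR}\\start.hta'),
]

# (source pid, target pid) as listed under "Suspicious use of WriteProcessMemory".
WRITES = [(2480, 2216)] * 4 + [(2480, 2932)] * 4

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
HTA_FROM_TEMP = re.compile(r"\\AppData\\Local\\Temp\\.*\.hta\b", re.I)
GUID_DIR_EXE = re.compile(r"\\AppData\\Local\\Temp\\" + GUID + r"\\[^\\\s\"]+\.exe", re.I)
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S+", re.I)   # -p<value>, assumed SFX-style switch


def flag_process(p: Proc) -> list:
    """Names of the hunting rules that match one process record."""
    hits = []
    if p.image.lower().endswith("\\mshta.exe") and HTA_FROM_TEMP.search(p.cmdline):
        hits.append("mshta_hta_from_temp")
    if GUID_DIR_EXE.search(p.cmdline) and PASSWORD_SWITCH.search(p.cmdline):
        hits.append("temp_guid_exe_with_password_switch")
    return hits


def classify_writes(procs, writes):
    """Split WriteProcessMemory events into writes into the writer's own
    child (seen during ordinary process creation) and writes into any
    other process (the stronger injection signal). Unknown target PIDs are
    counted as foreign so they are not silently dropped."""
    parent_of = {p.pid: p.ppid for p in procs}
    own_child, foreign = {}, {}
    for src, dst in writes:
        bucket = own_child if parent_of.get(dst) == src else foreign
        bucket[(src, dst)] = bucket.get((src, dst), 0) + 1
    return own_child, foreign


def triage(procs=PROCS, writes=WRITES):
    """Run both checks over a process list and its memory-write events."""
    flags = {}
    for p in procs:
        hits = flag_process(p)
        if hits:
            flags[p.pid] = hits
    own_child, foreign = classify_writes(procs, writes)
    return {"flags": flags, "own_child_writes": own_child, "foreign_writes": foreign}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On the page's data every write lands in own_child_writes and foreign_writes stays empty, which is why the WriteProcessMemory signature on its own does not raise the verdict; the two command-line rules are what single this chain out.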
Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | service.srvmd7.com | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.57:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | service.srvmd7.com | udp
US | 8.8.8.8:53 | service.srvmd7.com | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
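In both runs service.srvmd7.com is queried repeatedly and never followed by a connection, while the bing.com lookups in behavioral2 are followed by TCP sessions. The Python below is an added example, not part of this report: it parses the two Network tables as copied from the page (including the behavioral2 row that has no domain) and reports domains that were looked up but never connected to. Treating udp/53 rows as DNS queries and every other row as a connection is its assumption; whether the bing.com traffic belongs to the platform or to the sample is not determined by the page.

```python
"""Added example, not part of the sandbox report: summarise the Network
tables of behavioral1 and behavioral2 to separate domains the sample only
looked up from domains something actually connected to.

Rows are copied from the page. The last behavioral2 row has no domain on
the page and is kept that way to exercise the short-row handling."""
import re
from collections import defaultdict

BEHAVIORAL1 = ["US 8.8.8.8:53 service.srvmd7.com udp"] * 11

BEHAVIORAL2 = [
    "US 8.8.8.8:53 service.srvmd7.com udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "NL 23.62.61.57:443 www.bing.com tcp",
    "US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp",
    "US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp",
    "US 8.8.8.8:53 service.srvmd7.com udp",
    "US 8.8.8.8:53 service.srvmd7.com udp",
    "US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp",
    "US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp",
    "US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 udp",
]

# country, ip:port, optional domain, protocol (the domain column may be empty)
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$"
)


def parse_row(line):
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["domain"] = d["domain"] or "<missing>"   # row with no domain on the page
    return d


def summarise(rows):
    """Per domain: number of DNS queries (udp/53, an assumption about the
    sandbox resolver) and the set of (ip, port, proto) endpoints connected to."""
    dns = defaultdict(int)
    conns = defaultdict(set)
    for r in map(parse_row, rows):
        if r["proto"] == "udp" and r["port"] == 53:
            dns[r["domain"]] += 1
        else:
            conns[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    return dict(dns), {k: sorted(v) for k, v in conns.items()}


def queried_but_never_connected(rows):
    """Domains looked up at least once with no follow-up connection, skipping
    reverse lookups (in-addr.arpa) and the row without a domain."""
    dns, conns = summarise(rows)
    return sorted(
        d for d in dns
        if d not in conns and not d.endswith(".in-addr.arpa") and d != "<missing>"
    )


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        dns, conns = summarise(rows)
        print(name, "dns:", dns)
        print(name, "connections:", conns)
        print(name, "queried but never connected:", queried_but_never_connected(rows))
```

A domain that is queried on every run but never connected to usually means the name did not resolve in the sandbox or the sample never got as far as using it; the page does not show the DNS answers, so neither can be confirmed from it.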

Files

C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe

MD5 3749b22795cd43612be594d718c10802
SHA1 8e3aca013f9e3ea42f22c63a80c6f4273939dda0
SHA256 aa6321c54d6912d33bc43c5f7f01fa86e20547fe9e5075f223e2002b2676a6ec
SHA512 1e45c68b172cbd8ad890b4b232b74b0db2363e0eef12f440b0e369d760885ca0392d6de4ab7f7db211e1840f776a12a6cd2b0f66d97718525348ea28500edad9

C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\lib92437.dll

MD5 2dbd78a63dfb379b5afd044e66b5594d
SHA1 4c0595fa79093c3783ac2dd001c81ce3eacbba7e
SHA256 97ccdb25d92977f52096b5d8b52d4f799d72bd81d471390907e0571631490e4c
SHA512 1c8da2a4fc25fd2e7f1360d02fc5a138aaf8ce1ea5804ce683cafdae88897f1035b472ae35843338556909c4704da9a5ab5ed2749a87fbda9381f6f1cf3e0c00

C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\start.hta

MD5 9bbdda852677117290a7a3f130638079
SHA1 48390e93abf77599ae64023160cb8ae143189777
SHA256 6e8fcc04c8bf6e07448f7bd47cb304f374873045355b66e160db965ca9685f34
SHA512 1d94b9074ac16cc84b76209a258313282437019838c6b759f8e1c9a665ea104b1e5d197c42b5896b4d89fe7087501017d13a5912272084592c5a218dc635aaa9

C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349\loader.gif

MD5 e88ebd85dd56110ac6ea93fe0922988e
SHA1 684a31d864d33ff736234c41ac4e8d2c7f90d5ae
SHA256 379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb
SHA512 211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7
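The four dropped files have identical hashes in both detonations; only the GUID-named directory under %TEMP% differs between runs. The Python below is an added example, not part of this report: it takes the eight path/SHA256 pairs from the two Files sections, replaces the per-run directory and the sandbox user name with placeholders, and keeps a hash as a stable indicator only when the same template path produced the same hash in more than one run. The placeholder names and the rule that any GUID-shaped directory component is per-run are assumptions.

```python
"""Added example, not part of the sandbox report: consolidate the Files
sections of behavioral1 and behavioral2 into indicators that survive
re-execution. Paths and SHA256 values are copied from the page."""
import re
from collections import defaultdict

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

RUN1 = r"C:\Users\Admin\AppData\Local\Temp\c0ef9d79-1d3d-4d46-8c99-ebb0a49cd7a5"
RUN2 = r"C:\Users\Admin\AppData\Local\Temp\6a63c64a-abc2-4063-998c-ccad320c6349"

# (path, sha256) as listed under Files for behavioral1 and behavioral2.
FILES = [
    (RUN1 + r"\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe",
     "aa6321c54d6912d33bc43c5f7f01fa86e20547fe9e5075f223e2002b2676a6ec"),
    (RUN1 + r"\lib92437.dll",
     "97ccdb25d92977f52096b5d8b52d4f799d72bd81d471390907e0571631490e4c"),
    (RUN1 + r"\start.hta",
     "6e8fcc04c8bf6e07448f7bd47cb304f374873045355b66e160db965ca9685f34"),
    (RUN1 + r"\loader.gif",
     "379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb"),
    (RUN2 + r"\9CD484C3-24C4-437D-81F9-E0CC0D0DA816.exe",
     "aa6321c54d6912d33bc43c5f7f01fa86e20547fe9e5075f223e2002b2676a6ec"),
    (RUN2 + r"\lib92437.dll",
     "97ccdb25d92977f52096b5d8b52d4f799d72bd81d471390907e0571631490e4c"),
    (RUN2 + r"\start.hta",
     "6e8fcc04c8bf6e07448f7bd47cb304f374873045355b66e160db965ca9685f34"),
    (RUN2 + r"\loader.gif",
     "379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb"),
]


def normalize(path):
    """Template a Windows path: the profile name under \\Users becomes <user>
    and any directory component shaped like a GUID becomes <guid>. The file
    name is kept even when it is GUID-shaped, because it has an extension."""
    parts = path.split("\\")
    out = []
    for i, part in enumerate(parts):
        if i >= 2 and parts[i - 1].lower() == "users" and parts[i - 2].lower().endswith(":"):
            out.append("<user>")
        elif GUID.match(part):
            out.append("<guid>")
        else:
            out.append(part)
    return "\\".join(out)


def consolidate(files):
    """Group observations by template path, collecting every hash seen."""
    by_template = defaultdict(lambda: {"sha256": set(), "observations": 0})
    for path, sha256 in files:
        entry = by_template[normalize(path)]
        entry["sha256"].add(sha256.lower())
        entry["observations"] += 1
    return dict(by_template)


def stable_hashes(files):
    """Return (stable, variable): stable maps a template seen more than once
    with exactly one hash to that hash; variable maps templates that produced
    several hashes (per-run artefacts) to the sorted list of hashes, where
    only the template path is usable as an indicator."""
    stable, variable = {}, {}
    for tpl, e in consolidate(files).items():
        if len(e["sha256"]) == 1 and e["observations"] > 1:
            stable[tpl] = next(iter(e["sha256"]))
        elif len(e["sha256"]) > 1:
            variable[tpl] = sorted(e["sha256"])
    return stable, variable


if __name__ == "__main__":
    stable, variable = stable_hashes(FILES)
    for tpl, h in stable.items():
        print(h, tpl)
    print("variable:", variable)
```

The inner executable name and the -p value in the command lines are also identical across runs, so they belong on the same stable list; only the GUID directory (and, outside a sandbox, the user name) should be wildcarded in any rule built from these paths.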