Malware Analysis Report

2024-11-13 13:25

Sample ID 240613-gcfcmszdnr
Target a40718049568062a27a4b65fafc47f56_JaffaCakes118
SHA256 358acee4a278999b4e567c8af901b26c72103e3c52ccf3f768f08a9131125dc8
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

358acee4a278999b4e567c8af901b26c72103e3c52ccf3f768f08a9131125dc8

Threat level: shows suspicious behavior

The file a40718049568062a27a4b65fafc47f56_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

discovery

Executes dropped EXE

Checks installed software on the system

Maps connected drives based on registry

Drops file in Windows directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:39

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:39

Reported

2024-06-13 05:41

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\WorkThatBody.job | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | allmodel-pro.com | udp
US | 8.8.8.8:53 | fullset.link | udp
US | 8.8.8.8:53 | parentmodel.biz | udp
US | 8.8.8.8:53 | groupmodel.biz | udp

Files

memory/1044-2-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/1044-1-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/1044-0-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/1044-3-0x0000000001940000-0x0000000001969000-memory.dmp

memory/1044-4-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/1044-9-0x0000000001940000-0x0000000001969000-memory.dmp

memory/1044-5-0x0000000004590000-0x00000000045BF000-memory.dmp

memory/1044-18-0x0000000001940000-0x0000000001969000-memory.dmp

memory/1044-14-0x0000000004D30000-0x0000000004D57000-memory.dmp

memory/1044-22-0x0000000001940000-0x0000000001969000-memory.dmp

memory/1044-25-0x0000000001940000-0x0000000001969000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:39

Reported

2024-06-13 05:41

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe | N/A

Checks installed software on the system (tag: discovery)

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\WorkThatBody.job | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe

"C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fullset.link | udp
US | 8.8.8.8:53 | allmodel-pro.com | udp
US | 204.11.56.48:80 | allmodel-pro.com | tcp
US | 8.8.8.8:53 | parentmodel.biz | udp
US | 8.8.8.8:53 | groupmodel.biz | udp

Files

memory/3044-1-0x0000000000030000-0x0000000000031000-memory.dmp

memory/3044-0-0x0000000000020000-0x0000000000021000-memory.dmp

memory/3044-2-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3044-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/3044-4-0x00000000001F0000-0x0000000000219000-memory.dmp

memory/3044-5-0x0000000000220000-0x000000000024F000-memory.dmp

memory/3044-9-0x00000000001F0000-0x0000000000219000-memory.dmp

memory/3044-16-0x00000000001F0000-0x0000000000219000-memory.dmp

memory/3044-12-0x0000000000650000-0x0000000000677000-memory.dmp

C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe

MD5 988c01d600dc52a6cce0bcc83a0d65da
SHA1 dde9bd780f93c69b8127227358b5ccb512b7f302
SHA256 04bf95d11f5af19c67eb15a46e16a2fb46c418e9d2da670a9854dac5e212ad10
SHA512 1a2acb5542d9ceb6eef30b43912aa219da8fd06e654c43a1dd9e5bf898abcc2c27ce3d59681b47ad5f683f21c4cf096b3794e8b6575dbb78a49aaf05eb9e11c1

memory/3044-25-0x00000000001F0000-0x0000000000219000-memory.dmp
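The signatures, network rows and dropped-file hash above are exactly what a detection engineer would lift out of a sandbox report. The block below is an added example, not part of the sandbox output: it turns those indicators into rules (the job file written to C:\Windows\Tasks, an EXE launched from AppData\Roaming, the services\disk\Enum read, the queried domains and the one TCP peer) and runs them over a constructed event stream modelled on the behavioral1 run. The event schema, the PID 3100 assigned to the dropped EXE, and the sample events themselves are all constructed for illustration; the path, hash, domain and IP values are copied from the report.

```python
"""Detection rules derived from this report's signature, network and file
sections, run over constructed telemetry (not real sandbox output)."""
import re
from typing import Iterable

# Concrete indicators copied from the report.
DROPPED_EXE_PATH = r"C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe"
DROPPED_EXE_SHA256 = "04bf95d11f5af19c67eb15a46e16a2fb46c418e9d2da670a9854dac5e212ad10"
JOB_FILE = r"C:\Windows\Tasks\WorkThatBody.job"
QUERIED_DOMAINS = {"allmodel-pro.com", "fullset.link", "parentmodel.biz", "groupmodel.biz"}
CONTACTED_IP = "204.11.56.48"

# Behavioural patterns that generalise beyond this sample's file and task names,
# so the rules keep firing when a rebuilt sample renames its artefacts.
JOB_FILE_RE = re.compile(r"^[a-z]:\\windows\\tasks\\[^\\]+\.job$", re.I)
ROAMING_EXE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\.*\.exe$", re.I)
DISK_ENUM_RE = re.compile(
    r"\\system\\(currentcontrolset|controlset\d{3})\\services\\disk\\enum$", re.I)


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule a single telemetry event trips."""
    hits: list[str] = []
    kind = ev["type"]
    if kind == "file_create" and JOB_FILE_RE.match(ev["path"]):
        hits.append("job file written to C:\\Windows\\Tasks (scheduled task persistence)")
    if kind == "process_create":
        if ROAMING_EXE_RE.match(ev["image"]):
            hits.append("EXE executed from AppData\\Roaming")
        if ev.get("sha256", "").lower() == DROPPED_EXE_SHA256:
            hits.append("SHA256 matches the dropped Believing Bevy.exe")
    if kind == "registry_read" and DISK_ENUM_RE.search(ev["key"]):
        hits.append("enumerated services\\disk\\Enum (drive discovery)")
    if kind == "dns_query" and ev["query"].lower().rstrip(".") in QUERIED_DOMAINS:
        hits.append("DNS query for a domain seen in this report")
    if kind == "net_connect" and ev["dst_ip"] == CONTACTED_IP:
        hits.append("TCP connection to an IP seen in this report")
    return hits


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Group rule hits by PID so a process that trips several rules stands out."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            findings.setdefault(ev["pid"], []).append(hit)
    return findings


# Constructed events modelled on the behavioral1 run. PID 3044 is the sample's
# PID from the memory-dump names above; PID 3100 for the dropped EXE is invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3044,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"},
    {"type": "registry_read", "pid": 3044,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum"},
    {"type": "file_create", "pid": 3044, "path": JOB_FILE},
    {"type": "process_create", "pid": 3100,
     "image": DROPPED_EXE_PATH, "sha256": DROPPED_EXE_SHA256},
    {"type": "dns_query", "pid": 3100, "query": "allmodel-pro.com"},
    {"type": "net_connect", "pid": 3100, "dst_ip": "204.11.56.48", "dst_port": 80},
    # Reverse lookup of the resolver itself, as in behavioral2: benign, no hit.
    {"type": "dns_query", "pid": 3100, "query": "8.8.8.8.in-addr.arpa"},
    # Background browser process from the sandbox image: no hit.
    {"type": "process_create", "pid": 4000,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

The hash and domain rules are brittle by design (they match this sample only); the path and registry rules are the ones worth keeping in a ruleset, since a .job file appearing in C:\Windows\Tasks and an EXE launched out of AppData\Roaming are rare for legitimate software on a workstation.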