Malware Analysis Report

2025-01-18 02:04

Sample ID 240613-jdehvazamc
Target a4711b4cb8086b31413fa065c79a424d_JaffaCakes118
SHA256 8f75100bdd9049c1438239b5c4157db194a5757dce49f0a3395414fcf991d5ca
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8f75100bdd9049c1438239b5c4157db194a5757dce49f0a3395414fcf991d5ca

Threat Level: Shows suspicious behavior

The file a4711b4cb8086b31413fa065c79a424d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Loads dropped DLL

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 3660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4476 wrote to memory of 3660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4476 wrote to memory of 3660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 612

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 236

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 1120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1376 wrote to memory of 1120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1376 wrote to memory of 1120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1120 -ip 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 664

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.139:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 139.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.trackpixl.com udp

Files

\Users\Admin\AppData\Local\Temp\nsoDE8.tmp\nsWeb.dll

MD5 84bcf3c71e70d5a6e9dc07d70466bdc3
SHA1 31603a1afc2d767a3392d363ff61533beaa25359
SHA256 7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf
SHA512 61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.trackpixl.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsg88BA.tmp\nsWeb.dll

MD5 84bcf3c71e70d5a6e9dc07d70466bdc3
SHA1 31603a1afc2d767a3392d363ff61533beaa25359
SHA256 7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf
SHA512 61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e