Malware Analysis Report

2025-01-18 02:07

Sample ID 240613-jgxhtstdlr
Target a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118
SHA256 953f88c966faf3a247eb0ca79aecc69575783e06588cd65e7b3ca4efa95d3029
Tags
score
7/10


Analysis Overview

score
7/10

SHA256

953f88c966faf3a247eb0ca79aecc69575783e06588cd65e7b3ca4efa95d3029

Threat Level: Shows suspicious behavior

The file a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:38

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:38

Reported

2024-06-13 07:41

Platform

win7-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main
Process: C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dtrack.secdls.com udp
US 8.8.8.8:53 dtrack.secdls.com udp
US 8.8.8.8:53 api.v2.secdls.com udp
US 8.8.8.8:53 staticrr.paleokits.net udp
US 8.8.8.8:53 staticrr.sslsecure1.com udp
US 8.8.8.8:53 staticrr.sslsecure2.com udp
US 8.8.8.8:53 staticrr.sslsecure3.com udp
US 8.8.8.8:53 staticrr.sslsecure4.com udp
US 8.8.8.8:53 staticrr.sslsecure5.com udp
US 8.8.8.8:53 staticrr.sslsecure6.com udp
US 8.8.8.8:53 staticrr.sslsecure7.com udp
US 8.8.8.8:53 staticrr.sslsecure8.com udp
US 8.8.8.8:53 staticrr.sslsecure9.com udp

Files

memory/1280-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

\Users\Admin\AppData\Local\Temp\bhs24DF.tmp

MD5 650be658621de5c2f84523f695b7605d
SHA1 3f26830b119f0c9448513741fd13e0ea130b5ee2
SHA256 8194a031bd3d0b409e91d572ee1de54e6cd02b10598f5d47aa2287245c232936
SHA512 9e7af3d5a428b776f4c76b6178f1ee69f9641caf36fc44a2898c325e53ddbf4f1dfcc8d64b7825d022fbc52e727d2465166f3365909d87af2ddfea1b649ea463

memory/1280-3-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1280-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-5-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-6-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-8-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-7-0x00000000748AE000-0x00000000748AF000-memory.dmp

memory/1280-10-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-11-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-12-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1280-14-0x000000000AD20000-0x000000000B4C6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:38

Reported

2024-06-13 07:41

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4769d62ca0a6e20f786648d7fbac60a_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dtrack.secdls.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 api.v2.secdls.com udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4700-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bhs3856.tmp

MD5 650be658621de5c2f84523f695b7605d
SHA1 3f26830b119f0c9448513741fd13e0ea130b5ee2
SHA256 8194a031bd3d0b409e91d572ee1de54e6cd02b10598f5d47aa2287245c232936
SHA512 9e7af3d5a428b776f4c76b6178f1ee69f9641caf36fc44a2898c325e53ddbf4f1dfcc8d64b7825d022fbc52e727d2465166f3365909d87af2ddfea1b649ea463

memory/4700-3-0x00000000052A0000-0x00000000052E2000-memory.dmp

memory/4700-4-0x0000000005BD0000-0x0000000006174000-memory.dmp

memory/4700-5-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4700-6-0x0000000005570000-0x0000000005602000-memory.dmp

memory/4700-7-0x0000000005550000-0x000000000555A000-memory.dmp

memory/4700-8-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4700-9-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4700-10-0x0000000008D40000-0x0000000008DA6000-memory.dmp

memory/4700-11-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4700-20-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

memory/4700-21-0x0000000074EA0000-0x0000000075650000-memory.dmp