Malware Analysis Report

2024-11-13 13:35

Sample ID 240613-kqlncs1gqg
Target a4b31430be906470eafa8846db67543d_JaffaCakes118
SHA256 1ba533d70a278927e49d638c2c5249cd7a280e3d730920c23e21a843359840fa
Tags
upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1ba533d70a278927e49d638c2c5249cd7a280e3d730920c23e21a843359840fa

Threat Level: Shows suspicious behavior

The file a4b31430be906470eafa8846db67543d_JaffaCakes118 was found to show suspicious behavior. It is a UPX-packed, unsigned PE that starts a second copy of itself and writes into that child's memory; combined with the SetThreadContext flag, that is the pattern associated with process hollowing. It also enumerates running processes and calls SetWindowsHookEx. Note that SetThreadContext and SetWindowsHookEx appear only in this summary: neither detonation's signature table lists them. Neither detonation mapped to a MITRE ATT&CK technique or recorded a dropped file; the recorded artifacts are memory dumps of the child process and outbound TCP connections to port 80 on hosts in many countries, none preceded by a forward DNS lookup (the only DNS traffic is reverse lookups to 8.8.8.8 in the Windows 10 run). Two hosts, 77.122.94.210 and 77.123.9.65, were contacted in both runs.

Malicious Activity Summary

upx

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
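The two static verdicts above ("UPX packed file" from the tags, "Unsigned PE" here) can be reproduced without a sandbox. The following is an added example written for this page, not code from the sandbox or its vendor: it parses the PE/COFF headers with only the Python standard library and runs against a constructed, minimal PE32 image built in memory, so no sample is needed. The section-name list, the empty-first-section heuristic and the "UPX!" marker search are the editor's choice of what "looks UPX-packed"; a production scanner checks more than this.

```python
"""Static PE triage: the checks behind "UPX packed file" and "Unsigned PE".

Added example, not part of the sandbox report or its tooling. Offsets follow
the PE/COFF specification; the sample image is constructed by build_sample_pe.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)
SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1", ".UPX2"}


def parse_pe(data: bytes) -> dict:
    """Return section headers and the security data directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dd_off = 92, 96       # NumberOfRvaAndSizes, DataDirectory (PE32)
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = 108, 112     # same fields in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_rva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    security = (0, 0)
    if n_rva > SECURITY_DIR_INDEX:
        security = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIR_INDEX)
    sections = []
    base = opt + opt_size
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, base + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_pointer": raw_ptr})
    return {"sections": sections, "security_dir": tuple(security)}


def is_unsigned(pe: dict) -> bool:
    """'Unsigned PE' in the report's sense: no Authenticode certificate table."""
    va, size = pe["security_dir"]
    return va == 0 or size == 0


def upx_indicators(pe: dict, data: bytes) -> list:
    """Hallmarks a scanner uses to call a file UPX-packed (editor's heuristic set)."""
    found = []
    if UPX_SECTION_NAMES.intersection(s["name"] for s in pe["sections"]):
        found.append("upx-section-names")
    # UPX0 is empty on disk and receives the unpacked image at runtime:
    # zero raw size, large virtual size, followed by the section holding the data.
    if len(pe["sections"]) >= 2:
        first, second = pe["sections"][0], pe["sections"][1]
        if first["raw_size"] == 0 and first["virtual_size"] > 0 and second["raw_size"] > 0:
            found.append("empty-first-section")
    if b"UPX!" in data:            # the packer's own header magic
        found.append("upx-marker")
    return found


def build_sample_pe(section_names, signed=False, empty_first=False, trailer=b"") -> bytes:
    """Constructed minimal PE32 (not a real sample): DOS header, COFF header,
    PE32 optional header and one section header per name; no section data.
    empty_first=True gives the first section a zero raw size, as UPX0 has."""
    opt_size = 224                                      # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew at 0x3C -> 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if signed:                                          # fake certificate table location
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x4000, 0x800)
    headers = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if (i == 0 and empty_first) else 0x1000
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                               0x20000, 0x1000 * (i + 1), raw_size, 0x400 * (i + 1),
                               0, 0, 0, 0, 0xE0000040)
    return dos + coff + bytes(opt) + headers + trailer


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"unsigned": is_unsigned(pe), "upx": upx_indicators(pe, data)}


if __name__ == "__main__":
    print(triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"], empty_first=True, trailer=b"UPX!")))
    print(triage(build_sample_pe([".text", ".data", ".rsrc"], signed=True)))
```

A non-empty security directory only means a certificate table is present; whether the signature verifies is a separate check (signtool or osslsigncode), and a file with no table at all, as here, fails both.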

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:48

Reported

2024-06-13 08:51

Platform

win7-20240611-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
(21 matches; no description, indicator, process or target was recorded for any of them, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe
(this row was recorded 9 times: nine separate hits from the parent, PID 2224, into its child, PID 1776, both instances of the same executable)

Processes

C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

Network

Country  Destination          Domain           Proto
PL       83.16.95.2:80                         tcp
RS       95.180.67.140:80                      tcp
US       93.79.248.25:80                       tcp
UA       77.122.94.210:80                      tcp
UA       109.87.233.72:80                      tcp
UA       46.185.71.249:80                      tcp
UA       5.1.29.8:80                           tcp
DE       188.192.192.8:80                      tcp
UA       77.123.9.65:80                        tcp
UA       46.119.253.225:80                     tcp
UA       94.153.12.248:80                      tcp
LV       212.142.115.80:80                     tcp
MD       89.28.88.197:80                       tcp
RU       212.193.48.220:80    212.193.48.220   tcp
RU       79.165.27.197:80                      tcp

Files

memory/2224-0-0x0000000000250000-0x0000000000254000-memory.dmp

memory/1776-1-0x00000000001B0000-0x00000000002AA000-memory.dmp

memory/1776-5-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1776-16-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-12-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-15-0x0000000000406000-0x0000000000408000-memory.dmp

memory/1776-7-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-11-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-4-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-13-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-14-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-17-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1776-18-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-19-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-20-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-22-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-25-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-28-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-29-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-30-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1776-31-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:48

Reported

2024-06-13 08:50

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
(18 matches; no description, indicator, process or target was recorded for any of them, all fields N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe
(this row was recorded 9 times: nine separate hits from the parent, PID 1264, into its child, PID 1896, both instances of the same executable)

Processes

C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3888,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8

Network

Country  Destination          Domain                        Proto
JP       118.9.74.117:80                                    tcp
US       8.8.8.8:53           3.181.190.20.in-addr.arpa     udp
US       8.8.8.8:53           225.107.17.2.in-addr.arpa     udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa    udp
GB       5.105.39.19:80                                     tcp
UA       77.123.9.65:80                                     tcp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa    udp
UA       188.231.243.64:80                                  tcp
US       5.105.69.96:80                                     tcp
JP       122.196.86.35:80                                   tcp
US       8.8.8.8:53           203.107.17.2.in-addr.arpa     udp
UA       77.122.94.210:80                                   tcp
KZ       37.151.90.200:80                                   tcp
UA       89.252.41.203:80                                   tcp
US       66.168.148.194:80                                  tcp
UA       176.8.210.196:80                                   tcp
RO       83.166.221.233:80                                  tcp
UA       176.37.114.174:80                                  tcp
PL       78.88.59.196:80                                    tcp

Files

memory/1264-1-0x0000000002690000-0x0000000002694000-memory.dmp

memory/1896-2-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1896-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-3-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1896-7-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1896-6-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1896-8-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-10-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-11-0x0000000000400000-0x0000000002728000-memory.dmp

memory/1896-13-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-15-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-16-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-17-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-18-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-19-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-20-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-22-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1896-23-0x0000000000400000-0x0000000000409000-memory.dmp
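Both detonations show the same shape: the sample writes into a second instance of its own image (PID 2224 into 1776 on Windows 7, PID 1264 into 1896 on Windows 10), and the child's region at 0x400000 is dumped first as 0x400000-0x2728000 and later as 0x400000-0x409000. The following added example, written for this page and not part of the sandbox or its report format, turns that reading into a check that runs over the report's own lines. REPORT_EXCERPT is a constructed copy of lines from this page (the summary signatures plus a subset of the WriteProcessMemory rows and memory-dump names of both runs); the verdict rule is the editor's heuristic, and the 0x400000 image base is an assumption about the child, not something the report states.

```python
"""Self-injection triage over the sandbox's signature and memory-dump lines.

Added example, not part of the report or the sandbox. A parent that writes
into a freshly spawned copy of its own image while SetThreadContext is also
flagged has the shape of process hollowing; the child's image-base region is
the one to pull for unpacking, and a change in that region's size between
dumps says the original mapping was replaced.
"""
import re
from collections import Counter, defaultdict

IMAGE_BASE = 0x400000          # assumed 32-bit default image base of the child
SIG_PREFIX = "Suspicious use of "
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"

# Constructed excerpt of this report's lines (subset of both detonations).
REPORT_EXCERPT = "\n".join([
    "Suspicious use of SetThreadContext",
    "Suspicious use of WriteProcessMemory",
    f"PID 2224 wrote to memory of 1776 N/A {SAMPLE} {SAMPLE}",
    f"PID 2224 wrote to memory of 1776 N/A {SAMPLE} {SAMPLE}",
    "memory/2224-0-0x0000000000250000-0x0000000000254000-memory.dmp",
    "memory/1776-1-0x00000000001B0000-0x00000000002AA000-memory.dmp",
    "memory/1776-5-0x0000000000400000-0x0000000002728000-memory.dmp",
    "memory/1776-16-0x0000000000400000-0x0000000000409000-memory.dmp",
    f"PID 1264 wrote to memory of 1896 N/A {SAMPLE} {SAMPLE}",
    "memory/1264-1-0x0000000002690000-0x0000000002694000-memory.dmp",
    "memory/1896-2-0x0000000000400000-0x0000000002728000-memory.dmp",
    "memory/1896-4-0x0000000000400000-0x0000000000409000-memory.dmp",
])


def parse_report(text: str):
    """Collect cross-process writes, dumped regions per PID and summary signatures."""
    writes = Counter()           # (src_pid, dst_pid, src_image, dst_image) -> hits
    dumps = defaultdict(list)    # pid -> [(dump_index, start, end)]
    signatures = set()
    for line in text.splitlines():
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            src, dst, _indicator, src_img, dst_img = m.groups()
            writes[(int(src), int(dst), src_img, dst_img)] += 1
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps[int(pid)].append((int(idx), int(start, 16), int(end, 16)))
            continue
        if line.startswith(SIG_PREFIX):
            signatures.add(line[len(SIG_PREFIX):])
    return writes, dumps, signatures


def assess(writes, dumps, signatures):
    """One finding per (writer, target) pair with the heuristic verdict."""
    findings = []
    for (src, dst, src_img, dst_img), hits in sorted(writes.items()):
        same_image = src_img.lower() == dst_img.lower()
        # Sizes of each dumped target region starting at the image base, in dump
        # order; more than one distinct size means the mapping there was replaced.
        base_sizes = [end - start for _, start, end in sorted(dumps.get(dst, []))
                      if start == IMAGE_BASE]
        if same_image and "SetThreadContext" in signatures:
            verdict = "probable process hollowing (self-spawned child)"
        elif same_image:
            verdict = "self-injection into spawned copy"
        else:
            verdict = "cross-process write"
        findings.append({
            "writer": src, "target": dst, "hits": hits, "same_image": same_image,
            "image_base_region_sizes": base_sizes,
            "image_base_remapped": len(set(base_sizes)) > 1,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in assess(*parse_report(REPORT_EXCERPT)):
        sizes = [hex(s) for s in f["image_base_region_sizes"]]
        print(f"{f['writer']} -> {f['target']}: {f['verdict']}, "
              f"{f['hits']} write hit(s), image-base regions {sizes}")
```

Run against the full report the same way (paste the signature rows and the Files lists into REPORT_EXCERPT); the next step for each flagged target is to pull every dump whose region starts at the image base and run a static PE check on each, since the 0x9000-byte mapping and the 0x2328000-byte mapping cannot both be the original image.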