Malware Analysis Report

2025-01-18 00:17

Sample ID: 240613-l93awsyckj
Target: a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118
SHA256: 34b6799f07c656918d96639d13b299b26ee7b592629d217438eff8b4b277d1fb
Tags: (none)
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 34b6799f07c656918d96639d13b299b26ee7b592629d217438eff8b4b277d1fb

Threat Level: Likely malicious

The file a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary


Blocklisted process makes network request

Unexpected DNS network traffic destination

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 10:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 10:14

Reported

2024-06-13 10:17

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
(the same row is recorded 6 times: six separate network requests from this process)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 109.69.8.34 N/A N/A
Destination IP 5.135.183.146 N/A N/A
Destination IP 151.80.147.153 N/A N/A
Destination IP 212.73.150.183 N/A N/A
Destination IP 185.190.82.182 N/A N/A
Destination IP 188.165.200.156 N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FB3610A5-217B-46D0-BEEE-057FF1FC40AD} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host

Network

Country  Destination          Domain                Proto
US       8.8.8.8:53           namecha.in            udp
BG       212.73.150.183:53    -                     tcp
ES       109.69.8.34:53       -                     tcp
FR       5.135.183.146:53     -                     tcp
US       185.190.82.182:53    -                     tcp
FR       151.80.147.153:53    -                     tcp
FR       188.165.200.156:53   -                     tcp
US       8.8.8.8:53           stat-counter-3-1.bit  udp
(- = no query name recorded for that session)

Files

memory/376-0-0x0000000000400000-0x0000000000458000-memory.dmp

memory/376-1-0x0000000000400000-0x0000000000458000-memory.dmp

\Users\Admin\AppData\Local\Temp\27DB.tmp

MD5 0f09bcd355ac453606e8a2e953cd7c1e
SHA1 942cf739cca27ed8fd28d4b2c153033ffaa48e77
SHA256 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0
SHA512 e187f068f8beb7b2d1a53222a290a02033a0806ae48479f8fc666e7578c6fd3e7e61cd3fb1748c61c42a2750e964731c4dc84e679da599122c63e8c7e9c550fc

memory/376-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/376-5-0x0000000002160000-0x0000000002161000-memory.dmp

memory/376-7-0x0000000000560000-0x00000000005C9000-memory.dmp

memory/376-8-0x0000000000560000-0x00000000005C9000-memory.dmp

memory/376-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/376-9-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/376-16-0x0000000000560000-0x00000000005C9000-memory.dmp

memory/376-17-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2768-20-0x0000000000740000-0x00000000007A9000-memory.dmp

memory/2768-21-0x0000000000740000-0x00000000007A9000-memory.dmp

memory/2768-22-0x00000000026A0000-0x00000000026A1000-memory.dmp

C:\ProgramData\ghbamjdm\0d0240c254ca

MD5 5b76b3f86d0e1f3f397c9f5cf4e2ae3c
SHA1 8acac8e96af0c85efa46a117efa028002dc53403
SHA256 84af7190bb4943e9acf8cc7acd64c54091c13195de7995f3ca1445054d4dbdec
SHA512 344e4a8da4e222cb78e1d3dd67835c3d5473a2d93b3cfec32ee1304ffa47ba17eeb5939bc8fe36e9da9d5034daa8d7a167442759340c0a61bc9e5978533d9900

C:\Users\Admin\AppData\Local\Temp\27DB.tmp

MD5 9a359c7a57a9af742c9e0aa59c047cfb
SHA1 017d90de87eab0b0c5b73e6eacbb5b637440d7f1
SHA256 309a1ec1fa3fbd4ecdfb2301df0991e43137f4bb8a57fd4831ac343d7f780bd5
SHA512 79b589508baa24b0078ef9ada55c887b97d02430d4c14533193150ba5e1335527c3b898063848d65c6038cb63e87ee2bd7d9678d75a35a5b3e79af78a7429acb

memory/2768-34-0x0000000000740000-0x00000000007A9000-memory.dmp

memory/2768-35-0x0000000000740000-0x00000000007A9000-memory.dmp

memory/2768-37-0x0000000000740000-0x00000000007A9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 10:14

Reported

2024-06-13 10:17

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
(the same row is recorded 6 times: six separate network requests from this process)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 188.165.200.156 N/A N/A
Destination IP 109.69.8.34 N/A N/A
Destination IP 151.80.147.153 N/A N/A
Destination IP 5.135.183.146 N/A N/A
Destination IP 185.190.82.182 N/A N/A
Destination IP 212.73.150.183 N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
(the same row is recorded 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host
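Both detonations end in the same process chain: the dropper writes a module with a non-DLL extension into a machine-generated C:\ProgramData\<name>\ directory, C:\Windows\system32\rundll32.exe loads it through the COM export DllGetClassObject with an extra argument `host`, and then re-launches the SysWOW64 copy of rundll32 with the identical command line, which is consistent with a 32-bit module that the 64-bit rundll32 cannot host. On Windows 7 (behavioral1) the chain runs under taskeng.exe, the Task Scheduler engine, so the rundll32 launch there comes from a scheduled task. The scorer below is an added example, not part of the sandbox report: it parses rundll32 command lines and counts the traits seen here. The two sample command lines are copied from the process tables above; the benign line, the alert threshold of 3 and the consonant-ratio test for generated names are assumptions, and the name test is a deliberately weak heuristic that only contributes one point.

```python
import re
from pathlib import PureWindowsPath

# Extensions a module loaded by rundll32 normally carries; anything else
# (here .dhf and .kfj) is a PE hidden behind an unrelated extension.
MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv", ".acm"}

# rundll32 command line: [path\]rundll32[.exe] "module",Export [args]
RUNDLL32_RE = re.compile(
    r'^"?[^"]*?rundll32(?:\.exe)?"?\s+'       # image, optionally quoted or pathed
    r'"?(?P<module>[^",]+)"?'                 # module path, optionally quoted
    r'\s*,\s*(?P<export>[\w#]+)'              # entry point (name or #ordinal)
    r'(?:\s+(?P<args>.*))?$',                 # optional trailing arguments
    re.IGNORECASE,
)

# Command lines copied from the process tables of this report, plus one
# constructed benign line so the scorer has a negative case.
SAMPLE_CMDLINES = {
    "behavioral1": r'rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host',
    "behavioral2": r'rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host',
    "benign": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
}

ALERT_THRESHOLD = 3   # assumption: three or more traits is worth a detection


def consonant_ratio(name: str) -> float:
    """Share of non-vowel letters; around 0.6 for English words, higher for random strings."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c not in "aeiouy" for c in letters) / len(letters) if letters else 0.0


def looks_generated(segment: str) -> bool:
    """Weak heuristic (assumption): 6-12 lowercase letters with few vowels."""
    return bool(re.fullmatch(r"[a-z]{6,12}", segment)) and consonant_ratio(segment) >= 0.7


def score_rundll32(cmdline: str) -> dict:
    """Parse one rundll32 command line and count the loader traits seen in this report."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return {"matched": False, "score": 0, "reasons": []}
    module = PureWindowsPath(m["module"])
    export = m["export"]
    args = (m["args"] or "").strip()
    reasons = []
    parts = [p.lower() for p in module.parts]          # parts[0] is the drive, e.g. 'C:\\'
    if len(parts) > 1 and parts[1] == "programdata":
        reasons.append("module lives under C:\\ProgramData")
    if module.suffix.lower() not in MODULE_EXTENSIONS:
        reasons.append(f"module extension {module.suffix!r} is not a conventional DLL extension")
    if export.lower() == "dllgetclassobject":
        reasons.append("entry point is the COM export DllGetClassObject, not a rundll32-style export")
    if args:
        reasons.append(f"extra argument {args!r} handed to the export")
    if looks_generated(module.parent.name) and looks_generated(module.stem):
        reasons.append("directory and file names look machine-generated")
    return {"matched": True, "module": str(module), "export": export, "args": args,
            "score": len(reasons), "reasons": reasons}


def is_wow64_handoff(parent_image: str, child_image: str, parent_cmd: str, child_cmd: str) -> bool:
    """True when a 64-bit rundll32 re-launches the SysWOW64 copy with the same module,
    export and arguments: rundll32's own bitness hop for a 32-bit module, not an injection
    by the dropper."""
    p, c = parent_image.lower(), child_image.lower()
    if not (p.endswith(r"\system32\rundll32.exe") and c.endswith(r"\syswow64\rundll32.exe")):
        return False
    pm, cm = RUNDLL32_RE.match(parent_cmd.strip()), RUNDLL32_RE.match(child_cmd.strip())
    return bool(pm and cm and pm.group("module", "export", "args") == cm.group("module", "export", "args"))


if __name__ == "__main__":
    for label, cmd in SAMPLE_CMDLINES.items():
        result = score_rundll32(cmd)
        flag = "ALERT" if result["score"] >= ALERT_THRESHOLD else "ok"
        print(f"{label:12} {flag:5} score={result['score']}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
    print("wow64 hand-off:", is_wow64_handoff(
        r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
        SAMPLE_CMDLINES["behavioral1"], SAMPLE_CMDLINES["behavioral1"]))
```

The hand-off check matters for triage of the WriteProcessMemory rows in behavioral2: both the writing and the written process are rundll32 instances (system32 into SysWOW64) with the same command line, so those rows belong to the bitness hop, and the write worth hunting for would be one from the dropper itself.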

Network

Country  Destination          Domain                Proto
US       8.8.8.8:53           namecha.in            udp
BG       212.73.150.183:53    -                     tcp
FR       5.135.183.146:53     -                     tcp
US       185.190.82.182:53    -                     tcp
FR       188.165.200.156:53   -                     tcp
ES       109.69.8.34:53       -                     tcp
FR       151.80.147.153:53    -                     tcp
US       8.8.8.8:53           stat-counter-3-1.bit  udp
(- = no query name recorded for that session)
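The network table is the same in both runs: two UDP lookups through the sandbox resolver 8.8.8.8, one for namecha.in (a Namecoin block explorer) and one for stat-counter-3-1.bit (a name under Namecoin's .bit TLD, which is not delegated in the ICANN root and so cannot be answered by a normal resolver), followed by TCP/53 sessions to six hard-coded servers in four countries for which the report records no query name. That is consistent with the C2 hostname being resolved through the Namecoin blockchain, so blocking the one .bit name is not enough: the resolver IPs and the TCP/53 egress itself are the durable indicators. The checker below is an added example, not part of the sandbox report; it runs over the rows above, copied into a list, and assumes that 8.8.8.8 is the only legitimate resolver in the environment and that the port is part of the destination string.

```python
# Resolver the sandbox gives the guest; any other host on port 53 was chosen by the sample.
EXPECTED_RESOLVERS = {"8.8.8.8"}            # assumption for this environment
# TLDs that are not delegated in the ICANN root; .bit is Namecoin's.
ALT_ROOT_TLDS = {"bit"}
# Namecoin block-explorer hosts; a lookup here next to a .bit query is a strong pairing.
NAMECOIN_EXPLORERS = {"namecha.in"}

# Rows copied from the Network table of this report: (country, destination, domain, proto).
FLOWS = [
    ("US", "8.8.8.8:53", "namecha.in", "udp"),
    ("BG", "212.73.150.183:53", "", "tcp"),
    ("ES", "109.69.8.34:53", "", "tcp"),
    ("FR", "5.135.183.146:53", "", "tcp"),
    ("US", "185.190.82.182:53", "", "tcp"),
    ("FR", "151.80.147.153:53", "", "tcp"),
    ("FR", "188.165.200.156:53", "", "tcp"),
    ("US", "8.8.8.8:53", "stat-counter-3-1.bit", "udp"),
]


def split_dest(dest: str):
    """'ip:port' -> (ip, port); IPv6 literals would need brackets, none appear here."""
    ip, _, port = dest.rpartition(":")
    return ip, port


def analyze(flows, expected_resolvers=EXPECTED_RESOLVERS) -> dict:
    """Correlate alt-root lookups with DNS traffic to resolvers the host was not given."""
    unexpected = {}      # resolver ip -> set of transports seen
    alt_root, explorers = [], []
    for _country, dest, domain, proto in flows:
        ip, port = split_dest(dest)
        if port == "53" and ip not in expected_resolvers:
            unexpected.setdefault(ip, set()).add(proto)
        name = domain.lower().rstrip(".")
        if name:
            if name.rsplit(".", 1)[-1] in ALT_ROOT_TLDS and name not in alt_root:
                alt_root.append(name)
            if name in NAMECOIN_EXPLORERS and name not in explorers:
                explorers.append(name)
    if alt_root and (unexpected or explorers):
        verdict = "namecoin-resolved C2"
    elif alt_root or unexpected:
        verdict = "suspicious DNS"
    else:
        verdict = "clean"
    return {
        "unexpected_resolvers": {ip: sorted(t) for ip, t in sorted(unexpected.items())},
        "alt_root_domains": alt_root,
        "explorer_lookups": explorers,
        "verdict": verdict,
    }


def egress_rules(result: dict) -> list:
    """Firewall-style lines for the durable indicators: the resolver IPs, not the .bit name."""
    return [f"deny {proto}/53 to {ip}"
            for ip, transports in result["unexpected_resolvers"].items()
            for proto in transports]


if __name__ == "__main__":
    result = analyze(FLOWS)
    print("verdict:", result["verdict"])
    print("alt-root names:", result["alt_root_domains"], "explorer lookups:", result["explorer_lookups"])
    for rule in egress_rules(result):
        print(rule)
```

The verdict only reaches "namecoin-resolved C2" when a .bit query co-occurs with either an unexpected resolver or an explorer lookup; a single stray .bit query from a browser, or a laptop pointed at a corporate resolver the list does not know about, degrades to "suspicious DNS" rather than a hard call.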

Files

memory/868-0-0x0000000000400000-0x0000000000458000-memory.dmp

memory/868-1-0x0000000002230000-0x0000000002231000-memory.dmp

memory/868-2-0x0000000000400000-0x0000000000458000-memory.dmp

memory/868-4-0x0000000002060000-0x0000000002061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50FE.tmp

MD5 0f09bcd355ac453606e8a2e953cd7c1e
SHA1 942cf739cca27ed8fd28d4b2c153033ffaa48e77
SHA256 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0
SHA512 e187f068f8beb7b2d1a53222a290a02033a0806ae48479f8fc666e7578c6fd3e7e61cd3fb1748c61c42a2750e964731c4dc84e679da599122c63e8c7e9c550fc

memory/868-10-0x00000000020B0000-0x0000000002119000-memory.dmp

memory/868-11-0x00000000020B0000-0x0000000002119000-memory.dmp

memory/868-13-0x0000000002120000-0x0000000002121000-memory.dmp

memory/868-12-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/868-19-0x0000000000400000-0x0000000000458000-memory.dmp

memory/868-20-0x00000000020B0000-0x0000000002119000-memory.dmp

memory/456-23-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/456-25-0x0000000000AE0000-0x0000000000B49000-memory.dmp

memory/456-24-0x0000000000AE0000-0x0000000000B49000-memory.dmp

C:\ProgramData\bnbcifpe\f96874fcb6f5

MD5 b53babc887877ce234cbe7f47ac11ebf
SHA1 287ebfbc09d4e7b0d26c7b0d463ff3d3385279e5
SHA256 c43f8c0a671c3d87d81cbba8edc57fa728bfd68897739de491d2fedacc202f9e
SHA512 eb845fc70900050d6182a7b295a2022b89d07819bc797c97ebdfc4dfb52dd9e2dedd6b84be9b7e475a3e1254f29c99cac46ae1dad7833bd3d2c4fb4ac5f87103

C:\Users\Admin\AppData\Local\Temp\50FE.tmp

MD5 df832baef4c9a62a43fa19bac03ea73f
SHA1 1585e964afcc4ce759339c6f9cc6f5e3908f3bdc
SHA256 e011cf5a1c3fa9ce3f192ef87247a14465b419f02cbebf342af661de66a6a33e
SHA512 74c593819860f1ab87a85a9a8b9efc6045179760ef781790583383413004ca069d8f6aa185275c0e4618dc44a24b1ab45624b5c3b601e233999bf8ea1e14e839

memory/456-37-0x0000000000AE0000-0x0000000000B49000-memory.dmp

memory/456-39-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/456-38-0x0000000000AE0000-0x0000000000B49000-memory.dmp

memory/456-40-0x0000000000AE0000-0x0000000000B49000-memory.dmp

memory/456-46-0x0000000000AE0000-0x0000000000B49000-memory.dmp
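The file listings carry a detail worth checking before the hashes go into a blocklist: in both runs the same %TEMP% path is listed twice with different content (27DB.tmp with SHA256 8843a2a66395... and then 309a1ec1fa3f...; 50FE.tmp with 8843a2a66395... and then e011cf5a1c3f...), so the file was written, then overwritten, and the sandbox captured both versions. The first version is byte-identical across the Windows 7 and Windows 10 runs, while the second version and the C:\ProgramData payload differ per run. Note also that neither run lists the module rundll32 actually loads (bfjnednc.dhf, gjglalel.kfj); only a differently named file in the same directory (0d0240c254ca, f96874fcb6f5) is captured, which fits the RenamesItself signature and means this page gives no hash for the module under the name it was loaded with. The script below is an added example, not part of the report: it parses the two listings (copied from the report, memory dumps and SHA1/SHA512 omitted) and reports rewritten paths, hashes shared across runs and hashes unique to one run. The drive-letter normalization is needed because the report writes the same path once with and once without C:.

```python
import re
from collections import defaultdict

# Dropped-file entries copied from the two Files sections of this report
# (memory dump lines omitted; SHA1/SHA512 omitted for brevity).
RUN_LISTINGS = {
    "behavioral1 (win7)": r"""
\Users\Admin\AppData\Local\Temp\27DB.tmp
MD5 0f09bcd355ac453606e8a2e953cd7c1e
SHA256 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0
C:\ProgramData\ghbamjdm\0d0240c254ca
MD5 5b76b3f86d0e1f3f397c9f5cf4e2ae3c
SHA256 84af7190bb4943e9acf8cc7acd64c54091c13195de7995f3ca1445054d4dbdec
C:\Users\Admin\AppData\Local\Temp\27DB.tmp
MD5 9a359c7a57a9af742c9e0aa59c047cfb
SHA256 309a1ec1fa3fbd4ecdfb2301df0991e43137f4bb8a57fd4831ac343d7f780bd5
""",
    "behavioral2 (win10)": r"""
C:\Users\Admin\AppData\Local\Temp\50FE.tmp
MD5 0f09bcd355ac453606e8a2e953cd7c1e
SHA256 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0
C:\ProgramData\bnbcifpe\f96874fcb6f5
MD5 b53babc887877ce234cbe7f47ac11ebf
SHA256 c43f8c0a671c3d87d81cbba8edc57fa728bfd68897739de491d2fedacc202f9e
C:\Users\Admin\AppData\Local\Temp\50FE.tmp
MD5 df832baef4c9a62a43fa19bac03ea73f
SHA256 e011cf5a1c3fa9ce3f192ef87247a14465b419f02cbebf342af661de66a6a33e
""",
}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def normalize_path(path: str) -> str:
    """Lower-case and drop the drive letter: the report lists the same file once as
    '\\Users\\...' and once as 'C:\\Users\\...'."""
    return re.sub(r"^[a-z]:", "", path.strip().lower())


def parse_listing(text: str) -> list:
    """Turn a Files listing into entries in observation order: {'path', 'key', 'md5', 'sha256'}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif "\\" in line and not line.startswith("memory/"):
            current = {"path": line, "key": normalize_path(line)}
            entries.append(current)
    return entries


def cross_run_report(listings: dict) -> dict:
    """Rewritten paths per run, hashes seen in more than one run, hashes seen in only one."""
    by_path = defaultdict(list)   # (run, normalized path) -> [sha256, ...] in write order
    by_hash = defaultdict(set)    # sha256 -> runs it appeared in
    for run, text in listings.items():
        for entry in parse_listing(text):
            digest = entry.get("sha256")
            if digest is None:
                continue
            by_path[(run, entry["key"])].append(digest)
            by_hash[digest].add(run)
    rewritten = {key: digests for key, digests in by_path.items() if len(set(digests)) > 1}
    shared = {h: sorted(runs) for h, runs in by_hash.items() if len(runs) > 1}
    unique = {h: next(iter(runs)) for h, runs in by_hash.items() if len(runs) == 1}
    return {"rewritten": rewritten, "shared_across_runs": shared, "unique_to_run": unique}


if __name__ == "__main__":
    rep = cross_run_report(RUN_LISTINGS)
    for (run, key), digests in rep["rewritten"].items():
        print(f"{run}: {key} rewritten: {' -> '.join(d[:12] for d in digests)}")
    for digest, runs in rep["shared_across_runs"].items():
        print(f"shared across {runs}: {digest}")
    for digest, run in rep["unique_to_run"].items():
        print(f"only in {run}: {digest}")
```

The practical reading: the shared first-stage hash is a stable indicator of this dropper, whereas the per-run second versions and the C:\ProgramData payloads are generated at run time and will not match on another infected host, so they belong in a report but not in a static blocklist.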