Malware Analysis Report

2025-01-18 00:54

Sample ID: 240613-lrasxstcjg
Target: a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118
SHA256: 0f7b91904b6905c785451b5f41a8a2fa276451ac98a70ec44e2ded6a6c423d55
Tags: (none)
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 0f7b91904b6905c785451b5f41a8a2fa276451ac98a70ec44e2ded6a6c423d55

Threat Level: Shows suspicious behavior

The file a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 09:45

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
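The two static1 signatures above are cheap to reproduce outside the sandbox: "AutoIT Executable" is a byte-pattern match for the compiled AutoIt v3 script marker, and "Unsigned PE" is the absence of an Authenticode certificate table (data directory entry 4) in the PE header. The following is an added example, not the sandbox's own signature logic; the marker strings it searches for and the minimal PE32 image it constructs for testing are this example's assumptions, and the sample itself is not included.

```python
"""Static triage reproducing the "AutoIT Executable" and "Unsigned PE"
signatures with a hand-rolled PE header parser (added example, not the
sandbox's code). build_minimal_pe() constructs a test image so the checks
run without the real sample."""
from __future__ import annotations
import struct

# Byte strings found in compiled AutoIt v3 binaries: the script-resource
# signature and the stub's legacy banner. Marker choice is an assumption.
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 blob


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the certificate table, or (0, 0)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96                    # directories start after the 96-byte PE32 fixed part
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                   # 112 bytes for PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes precedes the table
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def has_authenticode_table(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is attached.
    Presence only: validating the chain and file hash needs a real verifier."""
    off, size = security_directory(data)
    if off == 0 or size < 8 or off + 8 > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size


def autoit_markers(data: bytes) -> list[str]:
    """Which AutoIt markers occur anywhere in the file image."""
    return [m.decode() for m in AUTOIT_MARKERS if m in data]


def static_signatures(data: bytes) -> list[str]:
    """Signature names in the order the report lists them."""
    hits = []
    if autoit_markers(data):
        hits.append("AutoIT Executable")
    if not has_authenticode_table(data):
        hits.append("Unsigned PE")
    return hits


def build_minimal_pe(payload: bytes, signed: bool) -> bytes:
    """Constructed PE32 image: valid headers, zero sections, payload appended.
    With signed=True a placeholder WIN_CERTIFICATE is appended and referenced
    from directory entry 4 (structure only, not a real signature)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    header_len = len(dos) + 4 + len(coff) + 224                      # 312 bytes
    cert_off = header_len + len(payload)
    cert = b""
    if signed:
        body = b"\x30\x00" * 8                                        # placeholder DER bytes
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(cert))
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)  # NumberOfRvaAndSizes = 16
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    assert len(opt) == 224
    return dos + b"PE\0\0" + coff + opt + payload + cert


if __name__ == "__main__":
    sample = build_minimal_pe(b"stub..." + AUTOIT_MARKERS[0] + b"...", signed=False)
    print(static_signatures(sample))      # ['AutoIT Executable', 'Unsigned PE']
```

To run it against a real file, pass `open(path, "rb").read()` to `static_signatures()`. Note that a non-empty certificate table only means a signature is attached; whether it verifies (intact hash, trusted chain, not revoked) is a separate check, for example `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`.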

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 09:45

Reported: 2024-06-13 09:48

Platform: win7-20240611-en

Max time kernel: 120s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\s.cmd

Network

N/A

Files

memory/2068-0-0x0000000000400000-0x00000000004B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s.cmd

MD5 8d76026c923c121fafb0b0cf7a893af5
SHA1 ec71c4ff1ffbdbb69ac766ae41b837f9bb3ba5a2
SHA256 14157111110afbfb93a20a87e89601ad8d999baed31a1c798fa4f3b7021314a8
SHA512 03e8114d7df1a874fe949d5cda806273b981fc273c84d595d38559c6c9b530d125f0dfb676973e7d00f69095ade71524a143b06ba8d002290835cbab662285a6

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 09:45

Reported: 2024-06-13 09:48

Platform: win10v2004-20240508-en

Max time kernel: 51s

Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\s.cmd

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/620-0-0x0000000000400000-0x00000000004B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s.cmd

MD5 8d76026c923c121fafb0b0cf7a893af5
SHA1 ec71c4ff1ffbdbb69ac766ae41b837f9bb3ba5a2
SHA256 14157111110afbfb93a20a87e89601ad8d999baed31a1c798fa4f3b7021314a8
SHA512 03e8114d7df1a874fe949d5cda806273b981fc273c84d595d38559c6c9b530d125f0dfb676973e7d00f69095ade71524a143b06ba8d002290835cbab662285a6
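The "Deletes itself" signature in behavioral1, and the identical process chain in behavioral2, come down to one observable pattern: an executable running from the user's Temp directory launches cmd.exe /c on a batch script (s.cmd) dropped into the same directory, and the batch file runs after the parent has exited. The report does not include the content of s.cmd, so a hunt has to key on the launch pattern and on the dropped file's hashes rather than on script text. The following detection is an added example, not part of the sandbox report; the event records are constructed from the command lines listed on this page using Sysmon Event ID 1 field names, and the PIDs, the explorer.exe parent of the sample and the benign noise record are assumptions.

```python
"""Hunt for the %TEMP%-exe -> cmd.exe /c %TEMP%\\script.cmd pattern behind the
"Deletes itself" signature (added example, not the sandbox's rule). Events are
constructed from the report's process list; PIDs and parents are assumed."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    pid: int
    image: str
    command_line: str
    parent_image: str


TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "/c" followed by a .cmd/.bat path, either quoted (may contain spaces) or bare
BATCH_ARG = re.compile(r'/c\s+(?:"([^"]+\.(?:cmd|bat))"|(\S+\.(?:cmd|bat)))', re.I)


def in_user_temp(path: str) -> bool:
    return TEMP_DIR.match(path) is not None


def batch_self_delete_candidates(events: list[ProcEvent]) -> list[dict]:
    """One hit per cmd.exe launch whose script and parent image both live in %TEMP%."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = BATCH_ARG.search(ev.command_line)
        if m is None:
            continue
        script = m.group(1) or m.group(2)
        if in_user_temp(script) and in_user_temp(ev.parent_image):
            hits.append({"pid": ev.pid, "parent": ev.parent_image, "script": script})
    return hits


# Hashes of the dropped s.cmd, copied from the report's Files section
S_CMD_HASHES = {
    "md5": "8d76026c923c121fafb0b0cf7a893af5",
    "sha1": "ec71c4ff1ffbdbb69ac766ae41b837f9bb3ba5a2",
    "sha256": "14157111110afbfb93a20a87e89601ad8d999baed31a1c798fa4f3b7021314a8",
}


def matches_dropped_script(data: bytes) -> bool:
    """Compare a recovered script body (e.g. from a forensic image) with the report's s.cmd."""
    return any(hashlib.new(alg, data).hexdigest() == h for alg, h in S_CMD_HASHES.items())


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS = [
    # behavioral1 (win7): bare "cmd" resolved via PATH; parent explorer.exe is assumed
    ProcEvent(2068, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2100, CMD, r"cmd /c C:\Users\Admin\AppData\Local\Temp\s.cmd", SAMPLE),
    # behavioral2 (win10): the 32-bit parent asked for system32\cmd.exe; WoW64 redirected it to SysWOW64
    ProcEvent(620, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(700, CMD, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\s.cmd", SAMPLE),
    # constructed benign noise: a service running a vendor script outside %TEMP%
    ProcEvent(900, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Program Files\Vendor\update.cmd"', r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for hit in batch_self_delete_candidates(SAMPLE_EVENTS):
        print(hit)
```

The same three conditions (Image is cmd.exe, CommandLine carries "/c" and a .cmd/.bat path under the user's Temp directory, ParentImage is under that directory) translate directly into a Sysmon or EDR query. The SysWOW64 image path against a system32 command line in behavioral2 is expected for a 32-bit parent: WoW64 file system redirection maps system32 to SysWOW64 for 32-bit processes, so rules should match on the logged Image field, not on the path typed in the command line. If the script file is recovered from disk or a memory image before it is deleted, `matches_dropped_script()` ties it back to the s.cmd hashes recorded in both behavioral runs.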