Malware Analysis Report

2025-01-18 00:13

Sample ID: 240613-qwkwxavfmp
Target: a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118
SHA256: a192c0ae6557b92a413f8457980c1d6f931182481c01bbac4d4eef4178c80e32
Score: 7/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 13:36

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 13:36
Reported: 2024-06-13 13:39
Platform: win7-20240508-en
Max time kernel: 144s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main
Process: C:\Windows\SysWOW64\mshta.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2068 wrote to memory of 1284 (4 identical events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe
Target: C:\Users\Admin\AppData\Local\Temp\21b8a52a-6873-4b40-8b87-f28538348dd9\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe

Description: PID 2068 wrote to memory of 2612 (4 identical events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe
Target: C:\Windows\SysWOW64\mshta.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\21b8a52a-6873-4b40-8b87-f28538348dd9\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe

"C:\Users\Admin\AppData\Local\Temp\21b8a52a-6873-4b40-8b87-f28538348dd9\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe" -y -p24209C29-927D-4216-9B7E-2304351D788C

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\\21b8a52a-6873-4b40-8b87-f28538348dd9\\start.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 service.srvmd7.com udp (11 identical DNS queries)

Files

\Users\Admin\AppData\Local\Temp\21b8a52a-6873-4b40-8b87-f28538348dd9\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe

MD5 069687d64f5ea09d060799c132243f15
SHA1 13b9041fd970aea78c2eac9e664e0e18b7956548
SHA256 90252a4cc1ceb2c78b65bb4833b83a5ee81600a27ea337f908d16bbcb7018c16
SHA512 7ed2b27e808c46723f56a064bea544bb45476304900dd9dbc5ccb4891dc3e288117eb2cb218fb9b6351296e1a5dcc5a7029ceb47f9bbac0e69376064fd831906

C:\Users\Admin\AppData\Local\Temp\21b8a52a-6873-4b40-8b87-f28538348dd9\start.hta

MD5 580c0c72b17ffcb9a626356f7393d89c
SHA1 7a5e408abd57f8e2cc6f4fdd7f116fac04eb8a83
SHA256 879b0caf66aca0fc0f9558a09d86480a64bf34cacd5094a572d779a6d65bf00b
SHA512 9fc56f0916b75e03bca8654a2243fc0063a5baece46f648d67cb6f1876aa6aedebc55c1f1458baf2b2883ab1ec91973b6099918aae3269b91b76e627d6b19dac

C:\Users\Admin\AppData\Local\Temp\21b8a52a-6873-4b40-8b87-f28538348dd9\loader.gif

MD5 e88ebd85dd56110ac6ea93fe0922988e
SHA1 684a31d864d33ff736234c41ac4e8d2c7f90d5ae
SHA256 379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb
SHA512 211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 13:36
Reported: 2024-06-13 13:39
Platform: win10v2004-20240611-en
Max time kernel: 124s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5d20f66e09e66adb20ddfdc003dc87e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\94b68ad7-b2a6-4d89-b6e6-81eae362ee55\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe

"C:\Users\Admin\AppData\Local\Temp\94b68ad7-b2a6-4d89-b6e6-81eae362ee55\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe" -y -p24209C29-927D-4216-9B7E-2304351D788C

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\\94b68ad7-b2a6-4d89-b6e6-81eae362ee55\\start.hta

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 service.srvmd7.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 service.srvmd7.com udp
US 8.8.8.8:53 service.srvmd7.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\94b68ad7-b2a6-4d89-b6e6-81eae362ee55\22960FD3-14E8-4DA4-B78A-B582DCDD0797.exe

MD5 069687d64f5ea09d060799c132243f15
SHA1 13b9041fd970aea78c2eac9e664e0e18b7956548
SHA256 90252a4cc1ceb2c78b65bb4833b83a5ee81600a27ea337f908d16bbcb7018c16
SHA512 7ed2b27e808c46723f56a064bea544bb45476304900dd9dbc5ccb4891dc3e288117eb2cb218fb9b6351296e1a5dcc5a7029ceb47f9bbac0e69376064fd831906

C:\Users\Admin\AppData\Local\Temp\94b68ad7-b2a6-4d89-b6e6-81eae362ee55\start.hta

MD5 580c0c72b17ffcb9a626356f7393d89c
SHA1 7a5e408abd57f8e2cc6f4fdd7f116fac04eb8a83
SHA256 879b0caf66aca0fc0f9558a09d86480a64bf34cacd5094a572d779a6d65bf00b
SHA512 9fc56f0916b75e03bca8654a2243fc0063a5baece46f648d67cb6f1876aa6aedebc55c1f1458baf2b2883ab1ec91973b6099918aae3269b91b76e627d6b19dac

C:\Users\Admin\AppData\Local\Temp\94b68ad7-b2a6-4d89-b6e6-81eae362ee55\loader.gif

MD5 e88ebd85dd56110ac6ea93fe0922988e
SHA1 684a31d864d33ff736234c41ac4e8d2c7f90d5ae
SHA256 379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb
SHA512 211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7