Malware Analysis Report

2024-10-10 12:13

Sample ID: 240613-t9h61s1bjj
Target: a69120fea6bc38fb77f4427a6260e970_JaffaCakes118
SHA256: bec1b9f3fe45c9be0a1c9b68cad434fc18f99d267bece9afd1f4a5a9c7c6458d
Tags: upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: bec1b9f3fe45c9be0a1c9b68cad434fc18f99d267bece9afd1f4a5a9c7c6458d

Threat Level: Shows suspicious behavior

The file a69120fea6bc38fb77f4427a6260e970_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx

UPX packed file

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-13 16:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 16:45
Reported: 2024-06-13 16:47
Platform: win7-20231129-en
Max time kernel: 120s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe"

Signatures

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description: PID 1244 set thread context of 2512
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe
Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe"

Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe"

Network

N/A

Files

memory/2512-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2512-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-2-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-16-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 16:45
Reported: 2024-06-13 16:47
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe"

Signatures

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description: PID 1672 set thread context of 1336
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe
Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe"

Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a69120fea6bc38fb77f4427a6260e970_JaffaCakes118.exe"

Network

Files

memory/1336-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1336-2-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1336-3-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1336-7-0x0000000000400000-0x0000000000412000-memory.dmp