Malware Analysis Report

2024-11-13 13:26

Sample ID: 240614-b3mlrazglb
Target: a793bbb66911494e6eaca057feb8be56_JaffaCakes118
SHA256: 5c83829038032dfc81ba8c22bf705a28cd71f547f81a5f206a0d5d39aedad069
Tags: discovery
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 5c83829038032dfc81ba8c22bf705a28cd71f547f81a5f206a0d5d39aedad069

Threat Level: Shows suspicious behavior

The file a793bbb66911494e6eaca057feb8be56_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Checks installed software on the system

Maps connected drives based on registry

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-14 01:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 01:40
Reported: 2024-06-14 01:42
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe"

Signatures

Checks installed software on the system

discovery

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | r1.getapplicationmy.info | udp
US | 8.8.8.8:53 | c1.downlloaddatamy.info | udp
US | 8.8.8.8:53 | c2.downlloaddatamy.info | udp
GB | 94.229.72.121:80 | r1.getapplicationmy.info | tcp
US | 8.8.8.8:53 | survey-smiles.com | udp
US | 199.59.243.226:80 | survey-smiles.com | tcp

Files

\Users\Admin\AppData\Local\Temp\Tsu2052AE82.dll

MD5 af7ce801c8471c5cd19b366333c153c4
SHA1 4267749d020a362edbd25434ad65f98b073581f1
SHA256 cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA512 88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

\Users\Admin\AppData\Local\Temp\{25653D3E-F459-4C49-AEA2-BC7BFE861FC8}\_Setup.dll

MD5 b040c43d630d3740abefba186f46883b
SHA1 c3c498b0cc6d34423780e8285cb3dc998ce1c4a3
SHA256 dd6dd4df86f215bea1c5b68cb7677dee75cda6cbbbf39ac040d67c992f6146df
SHA512 a3e3305ce4925aee378b1a3ed3e58daa743990fe809ac1b3c90640a2fa53736133a8f16c6e8314b5f243ed1109d24e683142d45f1d502cf3714edd748b3c9f5c

\Users\Admin\AppData\Local\Temp\{25653D3E-F459-4C49-AEA2-BC7BFE861FC8}\Custom.dll

MD5 52ffb9f31fcf351bed204ed2fa781954
SHA1 7acb17bc45cf6edc71726e59fb8a1d37eca51a55
SHA256 eb99eb74c3736102b174d6d7ff9afaa43bab8ad4bccfac53bb4dbb80392aa1d4
SHA512 841c2683068522077d6f347c17d59815bf5f94015d6b539f6a3248c00bfb8a56360c2c7b3c8960dbda497e76fb88f8859bb5c1a7f80b24fe03dbf00db187f4b9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 01:40
Reported: 2024-06-14 01:42
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe"

Signatures

Checks installed software on the system

discovery

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a793bbb66911494e6eaca057feb8be56_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | r1.getapplicationmy.info | udp
US | 8.8.8.8:53 | c1.downlloaddatamy.info | udp
US | 8.8.8.8:53 | c2.downlloaddatamy.info | udp
US | 8.8.8.8:53 | r2.getapplicationmy.info | udp
US | 8.8.8.8:53 | c1.downlloaddatamy.info | udp

Files

C:\Users\Admin\AppData\Local\Temp\Tsu3F3B2914.dll

MD5 af7ce801c8471c5cd19b366333c153c4
SHA1 4267749d020a362edbd25434ad65f98b073581f1
SHA256 cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA512 88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

C:\Users\Admin\AppData\Local\Temp\{D13836BE-922D-439F-A174-DA0F0ADB1448}\_Setup.dll

MD5 b040c43d630d3740abefba186f46883b
SHA1 c3c498b0cc6d34423780e8285cb3dc998ce1c4a3
SHA256 dd6dd4df86f215bea1c5b68cb7677dee75cda6cbbbf39ac040d67c992f6146df
SHA512 a3e3305ce4925aee378b1a3ed3e58daa743990fe809ac1b3c90640a2fa53736133a8f16c6e8314b5f243ed1109d24e683142d45f1d502cf3714edd748b3c9f5c

C:\Users\Admin\AppData\Local\Temp\{D13836BE-922D-439F-A174-DA0F0ADB1448}\Custom.dll

MD5 52ffb9f31fcf351bed204ed2fa781954
SHA1 7acb17bc45cf6edc71726e59fb8a1d37eca51a55
SHA256 eb99eb74c3736102b174d6d7ff9afaa43bab8ad4bccfac53bb4dbb80392aa1d4
SHA512 841c2683068522077d6f347c17d59815bf5f94015d6b539f6a3248c00bfb8a56360c2c7b3c8960dbda497e76fb88f8859bb5c1a7f80b24fe03dbf00db187f4b9