Malware Analysis Report

2024-09-09 16:48

Sample ID 240614-qd545awaqk
Target a9d76eb92c737a63d473704fe27a4722_JaffaCakes118
SHA256 7f83366ac93aaabbd7d9c541c378f2fa9a89a04e9dfbcc4f5526cb0570aaa8c4
Tags
ramnit banker evasion persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f83366ac93aaabbd7d9c541c378f2fa9a89a04e9dfbcc4f5526cb0570aaa8c4

Threat Level: Known bad

The file a9d76eb92c737a63d473704fe27a4722_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker evasion persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Modifies firewall policy service

Ramnit

Modifies security service

Windows security bypass

UAC bypass

Drops startup file

Windows security modification

UPX packed file

Checks whether UAC is enabled

Adds Run key to start application

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 13:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 13:09

Reported

2024-06-14 13:09

Platform

win7-20240611-en

Max time kernel

3s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\dylnfuss\\lfdapxcj.exe" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\dylnfuss\\lfdapxcj.exe" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfdapxcj.exe C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfdapxcj.exe C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\LfdApxcj = "C:\\Users\\Admin\\AppData\\Local\\dylnfuss\\lfdapxcj.exe" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe"

Network

N/A

Files

memory/1676-4-0x0000000000450000-0x0000000000550000-memory.dmp

memory/1676-5-0x0000000015190000-0x00000000151CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 13:09

Reported

2024-06-14 13:12

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\qfxkrfbn\\ylpwcike.exe" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ylpwcike.exe C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ylpwcike.exe C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YlpWcike = "C:\\Users\\Admin\\AppData\\Local\\qfxkrfbn\\ylpwcike.exe" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a9d76eb92c737a63d473704fe27a4722_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 608

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

memory/3016-2-0x0000000015190000-0x00000000151CD000-memory.dmp

memory/3016-1-0x0000000000480000-0x0000000000580000-memory.dmp

memory/3016-6-0x0000000015190000-0x00000000151D3000-memory.dmp

memory/3016-7-0x0000000015190000-0x00000000151CD000-memory.dmp