Malware Analysis Report

2025-01-18 21:58

Sample ID 240622-qh9m4stdnl
Target 0252fca26eb68158d368567026880343_JaffaCakes118
SHA256 4b9c61fa848816cfbce8f37df123cef7d797f90a9611fb3a973f389a6c46964e
Tags
upx adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4b9c61fa848816cfbce8f37df123cef7d797f90a9611fb3a973f389a6c46964e

Threat Level: Shows suspicious behavior

The file 0252fca26eb68158d368567026880343_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx adware stealer

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Deletes itself

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 13:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 13:16

Reported

2024-06-22 13:19

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FG2Catch1.dll C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\ = "FCatchurl" C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ = "C:\\Windows\\SysWow64\\FG2Catch1.dll" C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\_delme.bat

Network

N/A

Files

memory/2244-0-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2244-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\FG2Catch1.dll

MD5 a27846392dc10a7c5c5cde6406236bfe
SHA1 759f5fcb7ec5c617969f55c6a68e8efb506eabd8
SHA256 11add83d3b4a164ad5e51c26902d0a0e015f0f65b4f4f93988939632f706ad8d
SHA512 edaf420a4cd6804d3f424a282bd00df40ef4d15d34700bf0221b94f7e4c6193944295163365cec2e2114009a4f6044fa0962d3b25ee8fc8949a268c4d5ea8f5c

memory/2244-17-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2244-14-0x0000000001FA0000-0x0000000002027000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_delme.bat

MD5 5b33305666b90e4b9a8b7b834797e8f2
SHA1 79aa6d723af547a2514dcd7d2136ad84ed787c7c
SHA256 e3a4dec6eba3f105f5099151d453851c24cc6e8975e2125d5400ac414fc0ab58
SHA512 f6446d893bc7d63b318782c5b54902bdbde8881ccf5fab800aab60f276c829260e80181dedac8a51c6873350fa022d9286624b39672190755720e6761847c043

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 13:16

Reported

2024-06-22 13:19

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FG2Catch1.dll C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ = "C:\\Windows\\SysWow64\\FG2Catch1.dll" C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\ = "FCatchurl" C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_delme.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

memory/348-0-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/348-1-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Windows\SysWOW64\FG2Catch1.dll

MD5 a27846392dc10a7c5c5cde6406236bfe
SHA1 759f5fcb7ec5c617969f55c6a68e8efb506eabd8
SHA256 11add83d3b4a164ad5e51c26902d0a0e015f0f65b4f4f93988939632f706ad8d
SHA512 edaf420a4cd6804d3f424a282bd00df40ef4d15d34700bf0221b94f7e4c6193944295163365cec2e2114009a4f6044fa0962d3b25ee8fc8949a268c4d5ea8f5c

memory/348-13-0x0000000002430000-0x00000000024B7000-memory.dmp

memory/348-15-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/348-14-0x0000000002430000-0x00000000024B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_delme.bat

MD5 5b33305666b90e4b9a8b7b834797e8f2
SHA1 79aa6d723af547a2514dcd7d2136ad84ed787c7c
SHA256 e3a4dec6eba3f105f5099151d453851c24cc6e8975e2125d5400ac414fc0ab58
SHA512 f6446d893bc7d63b318782c5b54902bdbde8881ccf5fab800aab60f276c829260e80181dedac8a51c6873350fa022d9286624b39672190755720e6761847c043