Malware Analysis Report

2024-11-16 13:13

Sample ID 240625-yb2b6a1drr
Target 0f467a194027b62be21952621e35b7d8_JaffaCakes118
SHA256 41b96c69aeebe529a6bf45acdc4dee61a42c35d831ce1812486bb27d668adfd5
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41b96c69aeebe529a6bf45acdc4dee61a42c35d831ce1812486bb27d668adfd5

Threat Level: Known bad

The file 0f467a194027b62be21952621e35b7d8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Sality

UPX packed file

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Program crash

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 19:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 19:37

Reported

2024-06-25 19:40

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 64

Network

N/A

Files

memory/2932-0-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 19:37

Reported

2024-06-25 19:40

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe"

Signatures

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0f467a194027b62be21952621e35b7d8_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4216-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/4216-1-0x0000000000AC0000-0x0000000001AF0000-memory.dmp

memory/4216-12-0x0000000000AC0000-0x0000000001AF0000-memory.dmp

memory/4216-11-0x0000000000400000-0x0000000000419000-memory.dmp