Malware Analysis Report

2024-10-18 23:16

Sample ID 240708-ga4mfsvdlj
Target 2b29c3bcd8e2f2d794b67606ec61bd0b_JaffaCakes118
SHA256 823ed2671b5d5919c61f153c87642257b44b7fe2ec5c362e1605be901ed90bad
Tags
snakekeylogger collection keylogger stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2b29c3bcd8e2f2d794b67606ec61bd0b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection keylogger stealer

Snake Keylogger

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-08 05:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 05:36

Reported

2024-07-08 11:21

Platform

win7-20240705-en

Max time kernel

118s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target | Count
N/A | checkip.dyndns.org | N/A | N/A | 1
N/A | freegeoip.app | N/A | N/A | 2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2684 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2684 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2684 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | 9
PID 2824 wrote to memory of 1768 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\WerFault.exe | 4

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe

"C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkoaYBUIwbGl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCD9.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1072

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 172.67.160.84:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 172.67.209.71:443 | ipbase.com | tcp

Files

memory/2684-0-0x000000007436E000-0x000000007436F000-memory.dmp
memory/2684-1-0x0000000000D30000-0x0000000000DEA000-memory.dmp
memory/2684-2-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2684-3-0x0000000000590000-0x000000000059A000-memory.dmp
memory/2684-4-0x000000007436E000-0x000000007436F000-memory.dmp
memory/2684-5-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2684-6-0x0000000005AD0000-0x0000000005B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBCD9.tmp

MD5 33605ed9ad6d0d96c5a3e912ecd546cf
SHA1 81ea71c347055090aadc5585d5a50cf34638c1a9
SHA256 4897a53242ed9fd1d52a51555d1661fe873e418b13cfb9ee8ee7c7fe7085a726
SHA512 3082cd6a4f62df16d4a3f60570c727584c20ac45c40e5dbae4d18106c3b8a4a10acf1020ebe526738af14f4b62780fd9d72e117d451b46eb68007f9585bf6063

memory/2824-24-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-22-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-20-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2824-17-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-14-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-12-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-15-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2824-25-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2684-26-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2824-27-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2824-28-0x0000000074360000-0x0000000074A4E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-08 05:36

Reported

2024-07-08 11:20

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target | Count
N/A | checkip.dyndns.org | N/A | N/A | 1
N/A | freegeoip.app | N/A | N/A | 2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3980 set thread context of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3980 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3980 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | 8

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe

"C:\Users\Admin\AppData\Local\Temp\Shipping Documents Original BL, Invoice & Packing List.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkoaYBUIwbGl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE162.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1760

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.170.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 158.101.44.242:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 104.21.73.97:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp
US | 8.8.8.8:53 | ipbase.com | udp
US | 172.67.209.71:443 | ipbase.com | tcp
US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp

Files

memory/3980-0-0x0000000074FDE000-0x0000000074FDF000-memory.dmp
memory/3980-1-0x0000000000BD0000-0x0000000000C8A000-memory.dmp
memory/3980-2-0x0000000005680000-0x000000000571C000-memory.dmp
memory/3980-3-0x0000000005CD0000-0x0000000006274000-memory.dmp
memory/3980-4-0x00000000057C0000-0x0000000005852000-memory.dmp
memory/3980-5-0x0000000005720000-0x000000000572A000-memory.dmp
memory/3980-6-0x0000000005950000-0x00000000059A6000-memory.dmp
memory/3980-7-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3980-8-0x0000000006280000-0x00000000065D4000-memory.dmp
memory/3980-9-0x0000000005B60000-0x0000000005B6A000-memory.dmp
memory/3980-10-0x0000000074FDE000-0x0000000074FDF000-memory.dmp
memory/3980-11-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3980-12-0x0000000006860000-0x0000000006902000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE162.tmp

MD5 496f48d814178c84024be8077979ce91
SHA1 d4ec44035655c1900347da5059588fae007687ae
SHA256 7a691d36f8f1f6018749720a2d27e13fed4a3f130c4ab21db930f47981b176cf
SHA512 a4dd9d146063d3400d3766948a7beef3277faebb38ec528977d55c914c46887bd3a1ebdd79dd749c63b90ac2812dec3254bacc773cd76f99aec07c29c8c89821

memory/3116-18-0x0000000000400000-0x000000000046A000-memory.dmp
memory/3980-21-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3116-20-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3116-22-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3116-23-0x0000000006730000-0x00000000068F2000-memory.dmp
memory/3116-24-0x0000000074FD0000-0x0000000075780000-memory.dmp