Malware Analysis Report

2024-09-22 21:58

Sample ID 240708-zkyhaszgqg
Target 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118
SHA256 7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe
Tags
bitrat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe

Threat Level: Known bad

The file 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-08 20:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 20:47

Reported

2024-07-09 03:42

Platform

win7-20240705-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"

Signatures

BitRAT

trojan bitrat

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrOBwFtgJDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A31.tmp"

C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe

"{path}"

Network

Country Destination Domain Proto
DE 79.134.225.74:1973 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5A31.tmp

MD5 ef8f81cb07e2cda9f1acee97013a5d62
SHA1 cf9da30c81575830d62d491863c3051802e31a0b
SHA256 f46a975fea94ba4760d33936f84ee6679f22c81f4d8ab88274365eff7be8b1f9
SHA512 e421184ae4517b8ddbbe4faeb3f5c504db6e93dd08eb42ab2af5c8bb084c50aa3fcbc6bc2956a1b3468d9266871d163b4e0d4623880483396c168ae19f34b7b6

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-08 20:47

Reported

2024-07-09 03:42

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrOBwFtgJDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF95F.tmp"

C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 79.134.225.74:1973 tcp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF95F.tmp

MD5 65a473699ffab5bc4a300c43249e0527
SHA1 7bbbe5776d680269888c16f79a24de7202ee2d6c
SHA256 e1ee8038d6429da7e9a6866689c994b5be0ad4ece653fb3a04b5e5bd74c4ddd8
SHA512 86a826bfbcacd4c62278c0434457c90018e3b10bcbcdbc55828e832dab8125d11375369701b7642ea1960576c6a17eef828f2415b9a58a9fe2a2705155e20193
