Malware Analysis Report

2025-03-15 04:00

Sample ID 240824-nmangazbmq
Target be7f584a3eca37e5216601d5f22cb427_JaffaCakes118
SHA256 78daa4154c6bb91605329f571b16f535fbf79a96a7da2e7b865674e7502a8b7e
Tags
discovery motw phishing
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

78daa4154c6bb91605329f571b16f535fbf79a96a7da2e7b865674e7502a8b7e

Threat Level: Shows suspicious behavior

The file be7f584a3eca37e5216601d5f22cb427_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery motw phishing

Mark of the Web detected: This indicates that the page was originally saved or cloned.

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 11:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 11:30

Reported

2024-08-24 11:32

Platform

win7-20240708-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe"

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned.

phishing motw
Description Indicator Process Target
N/A https://r01.ru/ N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\win32dlll.exe C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 fotinhacpp.pop3.ru udp
RU 31.177.80.144:80 fotinhacpp.pop3.ru tcp

Files

C:\Windows\SysWOW64\win32dlll.exe

MD5 7ef64b3be61dc28efc5fa9c8f01fc7e7
SHA1 bbbbcbb68de787ddfe8441ac3af8977f85a9cbb9
SHA256 c224fa97bbe7a8d420763b9abb51147f3d15758de62ba46bd4554afeb00fc42b
SHA512 32413693c385ca1fde133fc995001c990107acf4a1ec438c3a3e9d19f1d392cb8c936d94093045b05e98020341d411b1b4834c07cc25ee35541022803eae0ef1

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 11:30

Reported

2024-08-24 11:32

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe"

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned.

phishing motw
Description Indicator Process Target
N/A https://r01.ru/ N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\win32dlll.exe C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 fotinhacpp.pop3.ru udp
RU 31.177.76.144:80 fotinhacpp.pop3.ru tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.76.177.31.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\win32dlll.exe

MD5 7ef64b3be61dc28efc5fa9c8f01fc7e7
SHA1 bbbbcbb68de787ddfe8441ac3af8977f85a9cbb9
SHA256 c224fa97bbe7a8d420763b9abb51147f3d15758de62ba46bd4554afeb00fc42b
SHA512 32413693c385ca1fde133fc995001c990107acf4a1ec438c3a3e9d19f1d392cb8c936d94093045b05e98020341d411b1b4834c07cc25ee35541022803eae0ef1