Malware Analysis Report

2025-06-16 06:35

Sample ID 240825-k8my5sybkn
Target c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118
SHA256 e438315a0e2488312c7645573149ebad37686eecdfc3f678dc6291415b0792a9
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e438315a0e2488312c7645573149ebad37686eecdfc3f678dc6291415b0792a9

Threat Level: Shows suspicious behavior

Verdict: c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118 shows suspicious behavior (score 7/10). The behaviour behind the score comes from the Windows 7 run (behavioral1), where the sample copies itself to C:\ProgramData, registers the copy under the user's RunOnce key and removes the original; in the Windows 10 run (behavioral2) the sample crashed before any of this happened.

Malicious Activity Summary

Signatures aggregated across the static analysis and both behavioral runs. Several entries (Loads dropped DLL, Program crash, Suspicious use of FindShellTrayWindow, Suspicious use of SendNotifyMessage, Suspicious use of WriteProcessMemory) have no detail table in the per-run sections below, so they are listed here without supporting indicators.

discovery persistence

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 09:16

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 09:16

Reported

2024-08-25 09:18

Platform

win7-20240705-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe
Target: N/A

The deleting process is the dropped copy, which receives the original's path on its command line (see Processes below); this is consistent with the copy removing the original sample from %TEMP% rather than a process unlinking its own image.

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6A5B00014973000BF73CB4EB2331 = "C:\\ProgramData\\043A6A5B00014973000BF73CB4EB2331\\livesp.exe"
Process: C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe
Target: N/A

The value sits in the user hive (HKCU), so no elevation is needed to write it, and it is RunOnce rather than Run: Windows deletes the value after executing it at that user's next logon. The report shows a single write, so whether the copy re-registers itself on each start is not visible here. The value name is the same 32-hex-character token used for the directory under C:\ProgramData.
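A detection over registry "set value" events, added here as an example and not part of the sandbox report or its tooling: it takes the RunOnce write above (as the report prints it, with escaped backslashes and a quoted path) together with constructed benign rows, and scores each Run/RunOnce value on the traits this indicator combines: a 32-hex-character value name, a target in a user-writable directory, the same token reused as the target's directory name, and the writer being the executable it registers. The event shape, the benign rows and the two-signal threshold are assumptions; the sandbox's output format is only mirrored, not parsed from a real export.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Run/RunOnce value paths as the sandbox prints them, e.g.
# \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\RunOnce\<name>
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
# Directories a non-admin user can write to; a Run target here is weaker than one in Program Files.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


class RegSetEvent(NamedTuple):
    key: str      # full value path
    data: str     # string data written
    process: str  # image path of the process that wrote it


class Finding(NamedTuple):
    subkey: str
    name: str
    target: str
    reasons: Tuple[str, ...]


def target_path(data: str) -> str:
    # The report escapes backslashes and quotes the path: collapse the escaping,
    # then take the quoted token (or the first whitespace-free token if unquoted).
    d = data.replace("\\\\", "\\").strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split()[0] if d else ""


def assess(ev: RegSetEvent) -> Optional[Finding]:
    m = RUN_VALUE.search(ev.key)
    if not m:
        return None  # not a Run/RunOnce value; out of scope for this check
    subkey, name = m.group(1), m.group(2)
    target = target_path(ev.data)
    t = target.lower()
    reasons = []
    if HEX32.match(name):
        reasons.append("value name is a 32-hex-character token")
    if any(seg in t for seg in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if HEX32.match(name) and name.lower() in t:
        reasons.append("value name reused as the target's directory name")
    if t and t == ev.process.replace("\\\\", "\\").lower():
        reasons.append("written by the very executable it launches")
    # One weak signal (e.g. any AppData target) is normal; two or more is worth a look (assumed threshold).
    if len(reasons) >= 2:
        return Finding(subkey, name, target, tuple(reasons))
    return None


def scan(events: List[RegSetEvent]) -> List[Finding]:
    return [f for f in map(assess, events) if f is not None]


SID = r"\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000"
HEX = "043A6A5B00014973000BF73CB4EB2331"
COPY = r"C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe"

# Constructed sample: row 0 is the indicator from this report; rows 1-3 are made-up
# benign events (OneDrive, Security Health) and a non-Run key, for contrast.
SAMPLE_EVENTS = [
    RegSetEvent(SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce" + "\\" + HEX,
                r'"C:\\ProgramData\\043A6A5B00014973000BF73CB4EB2331\\livesp.exe"',
                COPY),
    RegSetEvent(SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
                r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"),
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                r"C:\\Windows\\system32\\SecurityHealthSystray.exe",
                r"C:\Windows\System32\SecurityHealthService.exe"),
    RegSetEvent(r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "", COPY),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.subkey}\\{f.name} -> {f.target}")
        for r in f.reasons:
            print("  -", r)
```

The OneDrive row scores one signal (an AppData target) and is not reported, which is the point of requiring two: autostart entries in user-writable paths are common, while a hex-named value that points into a directory of the same name and was written by that very executable is not. RunOnceEx and the Explorer\Run location are not covered by the pattern.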

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe
Target: N/A

Opening the NLS\Language key is low-signal on its own, since many legitimate programs read the system locale; it is recorded here for both the original and the copy, and it is the only signature that also fires in the Windows 10 run.

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeShutdownPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe
Target: N/A

Description: Token: SeShutdownPrivilege
Indicator: N/A
Process: C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe"

C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe

"C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe" "C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe"

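The process tree above shows the dropped copy being launched with the original's path as its only argument. The following is an added example, not part of the report or the sandbox's tooling, that turns this into a check over process-creation and dropped-file records: a dropped file whose SHA-256 equals the sample's is a self-copy, and a child started with its parent's image path as an argument is the handoff that lets the copy delete the original. Images, command lines and hashes are the report's; PIDs 2508 and 2772 are taken from the memory-dump names in the Files section, while the parent PID of the first process and the record shapes are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


class Dropped(NamedTuple):
    path: str
    sha256: str


SAMPLE_SHA256 = "e438315a0e2488312c7645573149ebad37686eecdfc3f678dc6291415b0792a9"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe"
COPY_IMAGE = r"C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe"
COMPANION = r"C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\043A6A5B00014973000BF73CB4EB2331"

# Constructed process tree for behavioral1. Images and command lines are the report's;
# PIDs 2508/2772 come from the memory-dump names, the parent PID 1000 is assumed.
PROCS = [
    Proc(2508, 1000, SAMPLE_IMAGE, '"' + SAMPLE_IMAGE + '"'),
    Proc(2772, 2508, COPY_IMAGE, '"' + COPY_IMAGE + '" "' + SAMPLE_IMAGE + '"'),
]
# Dropped-file hashes from the report's Files section.
DROPPED = [
    Dropped(COPY_IMAGE, SAMPLE_SHA256),
    Dropped(COMPANION, "5616ed7fff1b99c602876d60c37d7d00ceacdc051cdd5f62428ec306a2ad47ca"),
]


def split_cmdline(cmd: str) -> List[str]:
    # Minimal Windows-style tokenizer: a double-quoted run or a whitespace-free run.
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def self_copies(dropped: List[Dropped], sample_sha256: str) -> List[str]:
    # A dropped file carrying the sample's own hash is a byte-for-byte copy of the sample.
    return [d.path for d in dropped if d.sha256.lower() == sample_sha256.lower()]


def handoffs(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    # A child started with its parent's image path as an argument: the
    # "run the copy, tell it where the original is" pattern behind self-deletion.
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        args = split_cmdline(p.cmdline)[1:]
        if any(a.lower() == parent.image.lower() for a in args):
            hits.append((parent.pid, p.pid, p.image))
    return hits


def triage(procs: List[Proc], dropped: List[Dropped], sample_sha256: str):
    # Only flag a handoff whose child is a verified self-copy of the sample;
    # a legitimate updater passing a path to a helper does not satisfy both.
    copies = {c.lower() for c in self_copies(dropped, sample_sha256)}
    return [h for h in handoffs(procs) if h[2].lower() in copies]


if __name__ == "__main__":
    for parent_pid, child_pid, image in triage(PROCS, DROPPED, SAMPLE_SHA256):
        print(f"PID {parent_pid} launched self-copy {image} as PID {child_pid} with its own path as argument")
```

The hash check is what makes the process check meaningful: on its own, "child receives parent's path" also matches installers and updaters, but a child that is the sample's own bytes under a different name, launched with the original's location, is the setup for the "Deletes itself" signature attributed to livesp.exe.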
Network

N/A

Files

Entries of the form memory/<pid>-<n>-<start>-<end>-memory.dmp are memory-region dumps. Only two processes ran in this analysis: by order of appearance, PID 2508 is the original sample and PID 2772 is the dropped copy livesp.exe.

memory/2508-0-0x0000000000370000-0x00000000003D0000-memory.dmp

memory/2508-1-0x0000000000880000-0x00000000008D3000-memory.dmp

memory/2508-2-0x0000000000AB0000-0x0000000000B57000-memory.dmp

\ProgramData\043A6A5B00014973000BF73CB4EB2331\livesp.exe

MD5 c06b4cdca72a0bb743074472e0d3d8f6
SHA1 7fd282fabb759124936395106876408746fea468
SHA256 e438315a0e2488312c7645573149ebad37686eecdfc3f678dc6291415b0792a9
SHA512 981725bf60b25cbe52c7979eb87f2d9e560976629f30880a01f04e2e71a19c6f0c1885d09694a7bf5b17e452fef52384922da36b6597c61b3ba525539cbe4d7a

All four hashes are identical to the submitted sample: livesp.exe is a byte-for-byte copy of the original rather than a second-stage payload, so a single hash indicator covers both files on disk.

memory/2508-9-0x0000000000AB0000-0x0000000000B57000-memory.dmp

memory/2508-8-0x0000000000AB0000-0x0000000000B6B000-memory.dmp

memory/2772-10-0x0000000000380000-0x0000000000427000-memory.dmp

C:\ProgramData\043A6A5B00014973000BF73CB4EB2331\043A6A5B00014973000BF73CB4EB2331

MD5 8329964126be89cfc21dcad6d305e539
SHA1 72516e7ecb057218235ec0cf2eab287abe2ae2ea
SHA256 5616ed7fff1b99c602876d60c37d7d00ceacdc051cdd5f62428ec306a2ad47ca
SHA512 dd737307623e31cc63d025ef3a7c79ad462f3212d24ffa646897d30818217e65ca5b020e706e6aadca2514bc7d57821e1e0d3366cff29edcb08302f28cdcd9cf

Extensionless companion file named after its directory, with hashes different from the sample's; the report does not show its contents.

memory/2772-58-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-59-0x0000000000380000-0x0000000000427000-memory.dmp

memory/2772-60-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-61-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-62-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-63-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-65-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-66-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-67-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-68-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-69-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-70-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-71-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-72-0x0000000000380000-0x000000000043B000-memory.dmp

memory/2772-73-0x0000000000380000-0x000000000043B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 09:16

Reported

2024-08-25 09:18

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c06b4cdca72a0bb743074472e0d3d8f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 456

WerFault.exe was started for PID 3328 (the -p argument), i.e. the sample crashed on Windows 10. No file was dropped and no autostart value was written in this run, so the persistence and self-copy behaviour is only observed on the Windows 7 platform; a detonation on one OS version alone would have missed it.

Network

None of the traffic below is attributable to the sample: the rows are reverse-DNS (in-addr.arpa) lookups and Bing connections typical of Windows 10 background activity, captured while the sample crashed. The Windows 7 run, in which the sample executed fully, recorded no network activity at all.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A