Malware Analysis Report

2025-06-16 00:31

Sample ID 240920-ac794aydnn
Target ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118
SHA256 d0b02f2bc5e46880f67b31b7a7ab3fc8670ee3c6a0a362a52c2f10fbae8d1913
Tags simda discovery persistence stealer trojan
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 d0b02f2bc5e46880f67b31b7a7ab3fc8670ee3c6a0a362a52c2f10fbae8d1913

Threat Level: Known bad

The file ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Checks BIOS information in registry

Modifies WinLogon

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-20 00:05

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-20 00:05

Reported

2024-09-20 00:07

Platform

win7-20240903-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"

Signatures

simda

stealer trojan simda

Checks BIOS information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fda74849 = "àOh{X\u008f¾«‰´ª…—àüÛ\u009d]‚\u008dÿ7ô\x10¹uÌ9òrK7àò`qšzgI\u00ad[ÑãîàçMp\x18¥*\"³g\x11Ÿ¢;Ü!ô»eZ»Ü™Ì£#\x05\x10ÄvÃMEêd¼þnp\x05\x03B#f\x1cÚ"
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"

Network

N/A

Files

memory/2460-0-0x00000000002F0000-0x0000000000342000-memory.dmp

memory/2460-1-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2460-2-0x00000000004F0000-0x000000000059A000-memory.dmp

memory/2460-4-0x00000000004F0000-0x000000000059A000-memory.dmp

memory/2460-6-0x00000000004F0000-0x000000000059A000-memory.dmp

memory/2460-12-0x00000000004F0000-0x000000000059A000-memory.dmp

memory/2460-13-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/2460-10-0x00000000004F0000-0x000000000059A000-memory.dmp

memory/2460-8-0x00000000004F0000-0x000000000059A000-memory.dmp

memory/2460-14-0x0000000002630000-0x00000000026E9000-memory.dmp

memory/2460-16-0x0000000002630000-0x00000000026E9000-memory.dmp

memory/2460-45-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/2460-44-0x0000000001E60000-0x0000000001E61000-memory.dmp

memory/2460-59-0x0000000002630000-0x00000000026E9000-memory.dmp

memory/2460-58-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

memory/2460-56-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

memory/2460-55-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

memory/2460-52-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

memory/2460-51-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/2460-49-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/2460-48-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/2460-42-0x0000000001E40000-0x0000000001E41000-memory.dmp

memory/2460-41-0x0000000001E50000-0x0000000001E51000-memory.dmp

memory/2460-37-0x0000000001E30000-0x0000000001E31000-memory.dmp

memory/2460-35-0x0000000000870000-0x0000000000871000-memory.dmp

memory/2460-34-0x0000000000880000-0x0000000000881000-memory.dmp

memory/2460-31-0x0000000000870000-0x0000000000871000-memory.dmp

memory/2460-30-0x0000000000860000-0x0000000000861000-memory.dmp

memory/2460-28-0x0000000000840000-0x0000000000841000-memory.dmp

memory/2460-27-0x0000000000850000-0x0000000000851000-memory.dmp

memory/2460-24-0x0000000000840000-0x0000000000841000-memory.dmp

memory/2460-23-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2460-21-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2460-20-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2460-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2460-17-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2460-61-0x00000000002F0000-0x0000000000342000-memory.dmp

memory/2460-62-0x0000000000400000-0x000000000045F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-20 00:05

Reported

2024-09-20 00:07

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"

Signatures

simda

stealer trojan simda

Checks BIOS information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\12411206 = "D™±s*\x12?šy$Þ°t3n(…÷\x15n\aÚ\r&|1\x18OƒÕ¨Œ\x05YfÙ\u0081a«ÊX»^\x02w|é¯@F<ï,f€´ÄCepÉ'\x01\x1bç\\\x1d¤ {mwµt\\w\x12‹÷ªE´ê¬\x0fõéîu6;ïWéá~F’‘!³»\t\u0081\u0081½ƒ“\x05yyVÕ{_åÛ•A‰ïS\x016?\nÉÖ…AÂÂmŠaK#‰1©f¶!\x01\x06‰ÅáÊÞ‹R{\t_âáA\x1eFš-ª%ÎÉåF\x01\u009dé\x12³Õ‘W.¿æ›º–\x1f\vµñÝf'\tã·\x11áKa–¦ã;Òò\x02\x16iB–f†\x1e\x7f3¾EÎ\x16µQ\"f†k)/¡¹\u0081=\x03ó×\"E¾Ÿ6[¦‰Ê¥¶…¥ï\x15æï·ÆÚ1.]C\x1e’.aù"
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3268-0-0x0000000002230000-0x0000000002282000-memory.dmp

memory/3268-1-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3268-2-0x0000000002330000-0x00000000023DA000-memory.dmp

memory/3268-3-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/3268-4-0x0000000002840000-0x00000000028F9000-memory.dmp

memory/3268-48-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/3268-46-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/3268-45-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/3268-42-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/3268-41-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/3268-39-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/3268-38-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/3268-17-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/3268-11-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/3268-10-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/3268-9-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/3268-7-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/3268-49-0x0000000002840000-0x00000000028F9000-memory.dmp

memory/3268-35-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/3268-34-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/3268-32-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

memory/3268-31-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/3268-27-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/3268-25-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/3268-24-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/3268-22-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/3268-20-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/3268-18-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/3268-14-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/3268-13-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/3268-6-0x0000000002840000-0x00000000028F9000-memory.dmp

memory/3268-51-0x0000000002230000-0x0000000002282000-memory.dmp

memory/3268-52-0x0000000000400000-0x000000000045F000-memory.dmp