Malware Analysis Report

2024-10-16 03:31

Sample ID 240921-gkjp2axgmr
Target ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118
SHA256 e8b8f7711195d3ff912967c82ee2a12ba710ac9e717e8ee65f268bec0734ba54
Tags
banload discovery downloader dropper evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8b8f7711195d3ff912967c82ee2a12ba710ac9e717e8ee65f268bec0734ba54

Threat Level: Known bad

The file ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 05:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 05:51

Reported

2024-09-21 05:54

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcServer32\ = "%SystemRoot%\\SysWow64\\provsvc.dll" C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E} C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\ = "Publication Services Change Data" C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage.googleapis.com udp
GB 142.250.180.27:443 storage.googleapis.com tcp

Files

memory/2248-0-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-1-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-3-0x0000000000AC5000-0x0000000000AC6000-memory.dmp

memory/2248-2-0x0000000002AE0000-0x0000000003516000-memory.dmp

memory/2644-10-0x0000000003810000-0x0000000003A1C000-memory.dmp

memory/2644-4-0x0000000003810000-0x0000000003A1C000-memory.dmp

memory/2644-11-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-14-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-15-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-16-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-18-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-20-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-19-0x0000000003810000-0x0000000003A1C000-memory.dmp

memory/2644-17-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-21-0x0000000003810000-0x0000000003A1C000-memory.dmp

memory/2248-22-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/2644-24-0x0000000000400000-0x0000000000E36000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-21 05:51

Reported

2024-09-21 05:54

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E} C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\ = "PrintTaskConfigurationProxyServer" C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcHandler32 C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcHandler32\ = "C:\\Windows\\SysWOW64\\Windows.Devices.Printers.Extensions.dll" C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 storage.googleapis.com udp
GB 216.58.204.91:443 storage.googleapis.com tcp
US 8.8.8.8:53 91.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/1832-1-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-3-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-4-0x0000000005100000-0x000000000530C000-memory.dmp

memory/4136-10-0x0000000005100000-0x000000000530C000-memory.dmp

memory/4136-15-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-14-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-17-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-16-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-13-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-18-0x0000000005100000-0x000000000530C000-memory.dmp

memory/4136-19-0x0000000005100000-0x000000000530C000-memory.dmp

memory/1832-20-0x0000000000400000-0x0000000000E36000-memory.dmp

memory/4136-22-0x0000000000400000-0x0000000000E36000-memory.dmp