Malware Analysis Report

2024-10-18 22:30

Sample ID 240927-kvz2jsvbjj
Target fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118
SHA256 97139bbaf34d92df333d9f791d12b11a8a273151edcaecb9ab7ec75bb034552f
Tags
zloader vlenie2020 obnova20 botnet discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97139bbaf34d92df333d9f791d12b11a8a273151edcaecb9ab7ec75bb034552f

Threat Level: Known bad

The file fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

zloader vlenie2020 obnova20 botnet discovery persistence trojan

Zloader, Terdot, DELoader, ZeusSphinx

Adds Run key to start application

Blocklisted process makes network request

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-27 08:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 08:56

Reported

2024-09-27 08:58

Platform

win7-20240903-en

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Huihifda = "C:\\Users\\Admin\\AppData\\Roaming\\Dadie\\obyc.exe" C:\Windows\SysWOW64\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2792 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dasifosafjasfhasf.com udp
US 8.8.8.8:53 kasfajfsafhasfhaf.com udp
US 8.8.8.8:53 fdsjfjdsfjdsjfdjsfh.com udp
US 8.8.8.8:53 fdsjfjdsfjdsdsjajjs.com udp
US 8.8.8.8:53 fdsjfjdsfjdsdsjajjs.com udp
US 3.94.10.34:443 fdsjfjdsfjdsdsjajjs.com tcp
US 8.8.8.8:53 idisaudhasdhasdj.com udp
US 34.211.97.45:443 idisaudhasdhasdj.com tcp
US 8.8.8.8:53 dsjdjsjdsadhasdas.com udp
US 35.164.78.200:443 dsjdjsjdsadhasdas.com tcp
US 8.8.8.8:53 dsdjfhdsufudhjas.com udp
US 8.8.8.8:53 dsdjfhdsufudhjas.com udp
US 54.244.188.177:443 dsdjfhdsufudhjas.com tcp

Files

memory/2792-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-3-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2792-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2792-1-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2604-6-0x0000000000090000-0x00000000000B8000-memory.dmp

memory/2604-7-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2604-8-0x0000000000090000-0x00000000000B8000-memory.dmp

memory/2792-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2604-12-0x0000000000090000-0x00000000000B8000-memory.dmp

memory/2604-13-0x0000000000090000-0x00000000000B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9530.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 08:56

Reported

2024-09-27 08:58

Platform

win10v2004-20240802-en

Max time kernel

99s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ofceyh = "C:\\Users\\Admin\\AppData\\Roaming\\Ibuch\\caugdeah.exe" C:\Windows\SysWOW64\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1852 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 dasifosafjasfhasf.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 dasifosafjasfhasf.com udp
US 8.8.8.8:53 dasifosafjasfhasf.com udp
US 8.8.8.8:53 kasfajfsafhasfhaf.com udp
US 8.8.8.8:53 kasfajfsafhasfhaf.com udp
US 8.8.8.8:53 kasfajfsafhasfhaf.com udp
US 8.8.8.8:53 fdsjfjdsfjdsjfdjsfh.com udp
US 8.8.8.8:53 fdsjfjdsfjdsjfdjsfh.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 fdsjfjdsfjdsjfdjsfh.com udp
US 8.8.8.8:53 fdsjfjdsfjdsdsjajjs.com udp
US 8.8.8.8:53 fdsjfjdsfjdsdsjajjs.com udp
US 3.94.10.34:443 fdsjfjdsfjdsdsjajjs.com tcp
US 8.8.8.8:53 idisaudhasdhasdj.com udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 34.211.97.45:443 idisaudhasdhasdj.com tcp
US 8.8.8.8:53 dsjdjsjdsadhasdas.com udp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 dsjdjsjdsadhasdas.com udp
US 35.164.78.200:443 dsjdjsjdsadhasdas.com tcp
US 8.8.8.8:53 dsdjfhdsufudhjas.com udp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 dsdjfhdsufudhjas.com udp
US 54.244.188.177:443 dsdjfhdsufudhjas.com tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp

Files

memory/1852-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1852-2-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/1852-3-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1852-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1852-5-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/1852-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1852-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2400-7-0x0000000000310000-0x0000000000338000-memory.dmp

memory/1852-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2400-11-0x0000000000310000-0x0000000000338000-memory.dmp

memory/2400-12-0x0000000000310000-0x0000000000338000-memory.dmp