Malware Analysis Report

2024-12-07 15:01

Sample ID 241030-va698sxgqr
Target 7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118
SHA256 da47a40cb542b7425ac552d041a7d0edf5c5f28d9787e1c486bfdfb249d1879c
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

da47a40cb542b7425ac552d041a7d0edf5c5f28d9787e1c486bfdfb249d1879c

Threat Level: Known bad

The file 7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Simda family

simda

Checks BIOS information in registry

Modifies WinLogon

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 16:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 16:48

Reported

2024-10-30 16:50

Platform

win7-20240903-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe"

Signatures

Simda family

simda

simda

stealer trojan simda

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c8a89871 = "\x18QE^âX[Âõ€•\x1e’¿MœÆ±·j?DÂÁZhGQw\x11›&¡õÔ{ÃíÐù]ð6M£ª£¤\x15kÕ ‘b\x18}±™ÐÙ3Ú\x7f±CDüs\x1a…o|î\b`®°j¸.ÝÔëØËÝ#IÑ99ÑÞ¥þ\x19auceã\u00ad^‹\u0081í\x15\x03ã+U\u0081Ùá\x03sóÓ©e™y•±q\r\u0081\x11\x1d\x1e¾ù}%^Cqùk£•\u009d\u0081ëQCIËÓiöÎ\x1díÑý³‘¡ÝóQÝ«E³9cA³ƒQS-93sQÁë)¹ñí\x15á5é^…ÛÁ.«E\x01™u\x05Ù££-6½1óUk5•“Q½\v\t¾[\u00adSV“Uƒ£‹})QûÕžkÁáé\x16á;›ÁËCÃm{ù3QV\x16ñCûU£\v“Ξ" C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 16:48

Reported

2024-10-30 16:50

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7fffcd31ef0c8a820ab3af00ab2ad2fe_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4796-0-0x0000000000400000-0x0000000000591000-memory.dmp