Malware Analysis Report

2025-08-10 21:19

Sample ID 241031-lvn5qawern
Target 82a6b97353276e56c60d82b72e711392_JaffaCakes118
SHA256 153ee55f8c75c191240debb39292916a5a95046db45cea7d73a16c3e4b85c6a7
Tags
discovery evasion persistence trojan upx
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

153ee55f8c75c191240debb39292916a5a95046db45cea7d73a16c3e4b85c6a7

Threat Level: Shows suspicious behavior

The file 82a6b97353276e56c60d82b72e711392_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence trojan upx

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

UPX packed file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 09:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 09:51

Reported

2024-10-31 09:54

Platform

win7-20241010-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\\Program Files (x86)\\lsass\\lsass.exe" C:\Program Files (x86)\lsass\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\lsass\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\lsass\lsass.exe C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\lsass\lsass.exe C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\lsass\lsass.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\lsass\lsass.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Program Files (x86)\lsass\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\lsass\lsass.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe"

C:\Program Files (x86)\lsass\lsass.exe

"C:\Program Files (x86)\lsass\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.abc567.cn udp
US 108.187.255.117:80 www.abc567.cn tcp
US 108.187.255.117:80 www.abc567.cn tcp
US 8.8.8.8:53 www.88rrbb.cc udp
US 107.163.218.159:443 www.88rrbb.cc tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.180.3:80 o.pki.goog tcp
GB 142.250.180.3:80 o.pki.goog tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.18.190.73:80 r10.o.lencr.org tcp
US 107.163.218.159:443 www.88rrbb.cc tcp
US 8.8.8.8:53 www.lingtidiefu.com udp
US 104.21.9.153:443 www.lingtidiefu.com tcp
US 104.21.9.153:443 www.lingtidiefu.com tcp
US 8.8.8.8:53 cateru509.com udp
US 8.8.8.8:53 oobe.6820tp1.com udp
US 8.8.8.8:53 2024.xx3691b.com udp
US 8.8.8.8:53 zz5555bb9999.com udp
US 8.8.8.8:53 34778125-kylydizn.cc udp
US 8.8.8.8:53 img.qxwoiv.com udp
US 8.8.8.8:53 595image.vip udp
US 8.8.8.8:53 vnsimg.hfzkgw.com udp
US 8.8.8.8:53 abc.tp1902abd.com udp
US 8.8.8.8:53 fd1t.ftnsr4.xyz udp
US 8.8.8.8:53 susu350.top udp
US 8.8.8.8:53 mlnl.wbqqo.com udp
US 8.8.8.8:53 abcqq36q.vip udp
US 172.67.186.32:443 2024.xx3691b.com tcp
US 172.67.168.53:443 oobe.6820tp1.com tcp
US 104.21.37.147:80 abc.tp1902abd.com tcp
US 104.21.16.202:443 mlnl.wbqqo.com tcp
US 172.67.195.215:443 abcqq36q.vip tcp
US 104.219.250.34:443 fd1t.ftnsr4.xyz tcp
US 8.8.8.8:53 dedim2977.top udp
US 8.8.8.8:53 imghost001.top udp
US 8.8.8.8:53 tul.xn--qrq298gm4o.com udp
US 104.160.179.234:443 zz5555bb9999.com tcp
US 172.67.222.89:443 tul.xn--qrq298gm4o.com tcp
US 154.91.91.5:443 img.qxwoiv.com tcp
US 8.8.8.8:53 fm.lbpicpic.com udp
US 104.26.1.221:443 fm.lbpicpic.com tcp
US 104.26.1.221:443 fm.lbpicpic.com tcp
JP 154.84.24.211:3188 595image.vip tcp
DE 142.132.201.10:443 dedim2977.top tcp
DE 88.99.67.51:443 imghost001.top tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 154.91.91.20:443 vnsimg.hfzkgw.com tcp
DE 88.99.67.51:443 imghost001.top tcp
GB 2.18.190.73:80 r11.o.lencr.org tcp
GB 2.18.190.73:80 r11.o.lencr.org tcp
HK 23.248.245.197:8678 34778125-kylydizn.cc tcp
DE 88.99.67.51:443 imghost001.top tcp
US 154.91.91.5:443 img.qxwoiv.com tcp
JP 154.84.24.211:3188 595image.vip tcp
US 154.91.91.20:443 vnsimg.hfzkgw.com tcp
US 154.91.91.5:443 img.qxwoiv.com tcp
US 8.8.8.8:53 ylg2.bdxdgs.com udp
GB 79.133.176.192:443 ylg2.bdxdgs.com tcp
JP 154.84.24.211:3188 595image.vip tcp
US 154.91.91.20:443 vnsimg.hfzkgw.com tcp
US 8.8.8.8:53 vns3.ezrent.hk udp
GB 79.133.176.194:443 vns3.ezrent.hk tcp
GB 79.133.176.192:443 ylg2.bdxdgs.com tcp
GB 79.133.176.194:443 vns3.ezrent.hk tcp
GB 79.133.176.192:443 ylg2.bdxdgs.com tcp
GB 79.133.176.194:443 vns3.ezrent.hk tcp

Files

\Program Files (x86)\lsass\lsass.exe

MD5 0c41c7a0ba069b68031273098e18bebe
SHA1 12a6c0c7a762a2fc4834ca7de13781cadba7275c
SHA256 da474f9eef7b56fe824a09d95c19d1f6e254945e0a09ae041099473f1f83bb97
SHA512 9233445e8d7e268738844fd456154529442bd59369b6c89b014595a4eadc4c689e9a43b3f70de019fc498fc0fa4c4421407c68c54d9aa99a19f42aa32c0f96a1

memory/2516-8-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2516-14-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2516-13-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2516-79-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF614.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF6F1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c9010bd0b3b96135523b174f6a2c49b
SHA1 38214bece846cd5350612bdbf242d66bb9799d06
SHA256 8415ecc967e8fad302fdf35a55b75435a09a7c7516948b2a5e7896eff8283394
SHA512 dacd68d806ab466d923b7bf20f9a304d513cc9bbf398e2863f1c2cce2da0abd60cd9766d2b13d249c20e26548cc91de3ae3c1b6e75be23ae31483ac5351994f7

memory/2516-199-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2516-198-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2516-197-0x0000000000020000-0x000000000002B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8b8962c9601e23312fcfb4304752da1
SHA1 fd63a823f28d2bcbe5c7bb25f39bc1933b2dc4c2
SHA256 fe4be131f45ce1f2caebec26ef2b2c89e5372abb4d730c72f6adde12ff24c04c
SHA512 45218d7e2ea9b81ed9ba18835702368088e53f4703e8a106279c1b8139dfe2e614cc012caafe50b321f482fdf549f0f9876dfe8cda51d8b42111a5d9da219b10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99d5dc5228dad0b08ba86b01f6ec87e5
SHA1 78fed8e95784c7346cfbad3b24b808ef886656f8
SHA256 44abbf140f878af5cb4cc582f218b420c3ccc5f609905f7281ff23ca9052faf0
SHA512 4a58ae90d497158c15ce4b768adf27a0b4bb0bc32ae87ccb6ceeb9a205c06eddb9055c4a2a9a921ac36907dcf52bb742f367615a3894d9d2ff5d4e29ea30bb65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b08ed6c0bd139239fac13393e9390f1
SHA1 27a74403d721613eb3075c538bded7f8158b5424
SHA256 1e291faf6b7e3b2c789adb04ed80bf747bda8f1668545301a01279595e247cff
SHA512 75caac254b1228d5827479f994e659226b7d948c2759664519f3dc77ecb855ac637a2e96fed6b1356812bfbf74ca2c55a067d012ba080a8c5937bc46b64bba28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 997c07ad0a21fb326c02143a74029f2b
SHA1 15011644812f7b1aa9015bec5c59bbd09be3033f
SHA256 cf105f4d3d634157abf8e2a5fa70762396e579ffe3b206bd844781492dac16fa
SHA512 63313358d6d25239427f7f14b91750b8f477d5e4613d01d596c067539892240e127f3913bb206ef0168cfdd0de8d7b788d58c93b42c1544c2fb519d60f2b9048

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eecf0a09590c3cda64cfb96a13bc8a59
SHA1 a356185b897173aa090ad1b9ec17b0b403d79835
SHA256 29ed483fb0c84fb18b1216c3218c8cebe318ebb7a71076ce10a3d7c5cb7341ac
SHA512 b9328c608ccd01ca837fc7a86ca0116502f84e021a438b595d604ba8fd22cb65b44f3e72da8c1847cba4034431d4d1c7c942b6f7389d7beb223df927586efac8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8caa9ee1dfda099965c3fb93cedc1b26
SHA1 d872f6c4802549e1b589120d861b7022b784e924
SHA256 87200162920c162ce5b48b3d6882a51bbeb674297e48e770ad6bb1fca909d2c8
SHA512 c849a5e27114aeb7d2d86ed7b9abbddfca1cde2745f4b9650dcfd10db60c5edd111122f3c4642c35e26b3791a0c9cde3b57dc70040abf26fbc06b787f0a25ac8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5422fe3f0ed4baac434fdfc7945c2478
SHA1 aff99361776fd920933939d8c09b8cb5afab975d
SHA256 fea80261425949734acb243f0be4ae3f2b2776a627f002953f5396f56e502d7a
SHA512 8aa26e08fac9837df89bbd9b8da02a6ccf0d405fc02493eb3f7845bfb784c01dc1b151efc06479c13777010563f1b58cc4972b593945193e20b3325e9480c84b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ec72fd8e4c845f40be70e7fcaff1398
SHA1 a88fab7768258031849b8e61607bcf2d3c8e7714
SHA256 123096996c2fcc1cb5042ee3cb50b7187913bbc074b60ef75a2f21fd01b5d2a8
SHA512 801441740602b6901374278c6dd122e8f3415a58620f8c568db3c5c20887c29428c65d83f69b09f0733a6b407c296b8e5fad2b1868d906a31ac1d4a5165762fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00d86df7169a8742074bfa6702ca6064
SHA1 82e7f80a9e59466a61948c7a234e566ddf531b7c
SHA256 7f4a4efb0e1ec50a942985ef8060696859cf3b6061dd2ede70fcaee5934b5f25
SHA512 18d4c2fe3169649ecec3128357bf38eda5951774d45d5c8a435c68d320f26c57fcb40093977adf5d56f7c68e5a210dd09a07cef6cd29bcbbcb7be1de08c6e81a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 595c53efd975181aeb151fbc5167284d
SHA1 652e1922f4c5b2b97759194947d3c002fe337835
SHA256 130bb0c22a8106cd6ba3cfc13c18dc1de06ad81f9d19c01c530f26bd7c7c1240
SHA512 a21e3c8822132bf108c5751f50ceffcb1a38b4cdb9e23a42097703dfc10a9addad6f5643cf3b1355854ecb24fa673346d19dca477269290b92e1ab042b260773

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cee0e7f65bee247dc62b4ba4efcd9346
SHA1 8576eeb9335dbbdc65e7575e66bd7e9ccbc808eb
SHA256 13b8d9ed26b1d0d4bc31b67bc16d4f5a617951f70c6cc555cad90a7c36636566
SHA512 5b374f9bb26c25507a1b80e5d9341536983ced66e51da4ba514eb21e6f992782b548e090cfaf091adfe9794a91ace8ec2fe9d05fde6568d46178bddef7b5e6f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59c9ca82fc6e930e44afe59472491ac5
SHA1 1897893476e4fcfceccfd0b6868d5790ed51889c
SHA256 e4ab99ed3327e8f93e1e18d5eab6cc3e1e5803eba763bd45ac9d368c71c4ad76
SHA512 661cd738919122d2d35771d54b38e36e4ca9c299e7eb78b15a4498459efe0259fe2bc15b771af58c3af8de933e6aeec58cf0ec777e0a77c87d6aa929639b58ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2750c77e4604a20fda4417fddba44cf
SHA1 5dd45f61ae1f143ceebc19d397a92d25689a6884
SHA256 6ddeed226f530a7502b9f61b92c949ad8f0bf15acb62b07a5889b2d5f5ccb799
SHA512 70eb7973aecf3c3341f800adc5337cc2faff9bc8de9dabe139933c3fd9cb1b42de692879f45fa1b28bdbfba048473e549930c78c63c479cd9f782d49013b8993

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 09:51

Reported

2024-10-31 09:54

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\\Program Files (x86)\\lsass\\lsass.exe" C:\Program Files (x86)\lsass\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\lsass\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\lsass\lsass.exe C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\lsass\lsass.exe C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\lsass\lsass.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A
N/A N/A C:\Program Files (x86)\lsass\lsass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\82a6b97353276e56c60d82b72e711392_JaffaCakes118.exe"

C:\Program Files (x86)\lsass\lsass.exe

"C:\Program Files (x86)\lsass\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.abc567.cn udp
US 108.187.255.117:80 www.abc567.cn tcp
US 8.8.8.8:53 117.255.187.108.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 108.187.255.117:80 www.abc567.cn tcp
US 8.8.8.8:53 www.88rrbb.cc udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 107.163.218.93:443 www.88rrbb.cc tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.18.190.73:80 r10.o.lencr.org tcp
US 8.8.8.8:53 125.21.192.23.in-addr.arpa udp
US 8.8.8.8:53 93.218.163.107.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Program Files (x86)\lsass\lsass.exe

MD5 0c41c7a0ba069b68031273098e18bebe
SHA1 12a6c0c7a762a2fc4834ca7de13781cadba7275c
SHA256 da474f9eef7b56fe824a09d95c19d1f6e254945e0a09ae041099473f1f83bb97
SHA512 9233445e8d7e268738844fd456154529442bd59369b6c89b014595a4eadc4c689e9a43b3f70de019fc498fc0fa4c4421407c68c54d9aa99a19f42aa32c0f96a1

memory/4508-3-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4508-17-0x0000000000400000-0x000000000040B000-memory.dmp