Malware Analysis Report

2025-01-02 05:57

Sample ID 241125-n5h3kasjbp
Target 9b55bffb97ebd2c51834c415982957b4_JaffaCakes118
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
Tags vmprotect ffdroider discovery spyware stealer evasion trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

Threat Level: Known bad

The file 9b55bffb97ebd2c51834c415982957b4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

vmprotect ffdroider discovery spyware stealer evasion trojan

FFDroider

FFDroider payload

Ffdroider family

Reads user/profile data of web browsers

VMProtect packed file

Checks whether UAC is enabled

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Technique named in the signatures: System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language key read recorded in both behavioral runs below.
Analysis: static1

Detonation Overview

Reported

2024-11-25 11:58

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 11:58

Reported

2024-11-25 12:01

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe"

Network

Country Destination Domain Proto
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp

Files

memory/1608-0-0x0000000000400000-0x0000000000759000-memory.dmp

memory/1608-1-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab83E1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1608-20-0x0000000000400000-0x0000000000759000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 11:58

Reported

2024-11-25 12:01

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
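The two registry indicators in the signatures above (the EnableLUA value query and the NLS\Language key open) and the 186.2.171.3 contacts on 80/tcp and 443/tcp are the pieces of this run a detection engineer would turn into rules. The script below is an added example, not part of the sandbox report: it replays those indicators against constructed Sysmon-style events. The event format (key=value fields separated by "|"), the sample events and the process IDs are assumptions made for the example; only the registry paths, the destination IP and the sample's image path are taken from the report. Either registry read on its own is common in legitimate software, so the last rule only fires when one image under a user's Temp directory performs both checks.

```python
"""Detection replay for the indicators in this report.

Added example, not part of the sandbox report. The event format
('k=v|k=v', constructed) and SAMPLE_EVENTS are assumptions made to resemble
Sysmon registry (Event ID 12/13) and network (Event ID 3) records; only the
indicator values and the sample's image path come from the report.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Registry indicators from the "Checks whether UAC is enabled" and
# "System Language Discovery" signatures (sandbox notation, \REGISTRY\MACHINE\...).
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
# Destination contacted on 80/tcp and 443/tcp in both detonations.
KNOWN_C2 = {"186.2.171.3"}
# Staging directory the sample ran from; used only by the correlated rule.
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    detail: str


def parse_event(line):
    """Split a constructed 'k=v|k=v' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def normalize_key(path):
    """Map Sysmon-style HKLM\\... paths onto the kernel \\REGISTRY\\MACHINE\\... form.

    CurrentControlSet is folded to ControlSet001 because that is what the sandbox
    logged; on a real host the link may point at another control set, so a
    production rule should match on the key suffix instead.
    """
    p = path.upper()
    for prefix in ("HKLM\\", "HKEY_LOCAL_MACHINE\\"):
        if p.startswith(prefix):
            p = "\\REGISTRY\\MACHINE\\" + p[len(prefix):]
    return p.replace("\\CURRENTCONTROLSET\\", "\\CONTROLSET001\\")


def detect(lines):
    """Return one Finding per indicator hit, plus one correlated finding per
    Temp-directory process that performed both registry checks."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        pid, image = int(ev.get("pid", 0)), ev.get("image", "")
        if ev.get("type") == "registry":
            key = normalize_key(ev.get("target", ""))
            if key == UAC_KEY.upper():
                findings.append(Finding(pid, image, "uac_check", ev["target"]))
            elif key == LANG_KEY.upper():
                findings.append(Finding(pid, image, "language_discovery", ev["target"]))
        elif ev.get("type") == "network" and ev.get("dst_ip") in KNOWN_C2:
            findings.append(Finding(pid, image, "known_c2_contact",
                                    ev["dst_ip"] + ":" + ev.get("dst_port", "?")))
    # Correlation step: both environment checks from one image under %TEMP%
    # is the combination the report's signatures describe.
    rules_by_proc = {}
    for f in findings:
        rules_by_proc.setdefault((f.pid, f.image), set()).add(f.rule)
    for (pid, image), rules in rules_by_proc.items():
        if TEMP_DIR_RE.search(image) and {"uac_check", "language_discovery"} <= rules:
            findings.append(Finding(pid, image, "temp_binary_env_profiling", ",".join(sorted(rules))))
    return findings


def rule_counts(findings):
    return Counter(f.rule for f in findings)


SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4_JaffaCakes118.exe"
# Constructed events: what the behavioral2 run would produce in Sysmon notation,
# plus one benign NLS\Language lookup by svchost.exe to exercise the correlation.
SAMPLE_EVENTS = [
    "type=registry|pid=1808|image=" + SAMPLE_IMAGE
    + r"|op=QueryValue|target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    "type=registry|pid=1808|image=" + SAMPLE_IMAGE
    + r"|op=OpenKey|target=HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language",
    "type=network|pid=1808|image=" + SAMPLE_IMAGE + "|dst_ip=186.2.171.3|dst_port=80",
    "type=network|pid=1808|image=" + SAMPLE_IMAGE + "|dst_ip=186.2.171.3|dst_port=443",
    r"type=registry|pid=612|image=C:\Windows\System32\svchost.exe|op=OpenKey|target=HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid={f.pid} {f.detail}")
```

Running it lists six findings: the two registry hits and two C2 contacts for PID 1808, the benign language lookup by svchost.exe, and the correlated temp_binary_env_profiling finding, which fires only for PID 1808.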

Files

memory/1808-0-0x0000000000400000-0x0000000000759000-memory.dmp

memory/1808-1-0x0000000000400000-0x0000000000759000-memory.dmp

memory/1808-7-0x0000000003CD0000-0x0000000003CE0000-memory.dmp

memory/1808-13-0x0000000003E30000-0x0000000003E40000-memory.dmp

memory/1808-20-0x00000000048E0000-0x00000000048E8000-memory.dmp

memory/1808-23-0x00000000049C0000-0x00000000049C8000-memory.dmp

memory/1808-27-0x0000000004B00000-0x0000000004B08000-memory.dmp

memory/1808-26-0x0000000004980000-0x0000000004988000-memory.dmp

memory/1808-29-0x0000000004CB0000-0x0000000004CB8000-memory.dmp

memory/1808-28-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 54890b304003af6c00c4b1be0689068d
SHA1 1459e0b746988f1166918e7a283b4477ab009024
SHA256 399539102e89d5eaa8a12a5abea85591787e4ceaffb9c8cd0c65cb9d935d3586
SHA512 91a6c2a7a1e59441830514aebcfbc826b0d76ca5c3b07cc94a38c76c051443dfe765359215d02f5a81c9c4edc567120a6edce5d664c13e2690bfc7a775673121

memory/1808-51-0x0000000004B10000-0x0000000004B18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 a2f394a108f08452ade3bb46d4f4b3ab
SHA1 163cba4b72a06edba974c808f9380a965783c2f3
SHA256 55c31b1cceeaaca7fb04da06aa9ab6cd3a7ad7e3b851a5420347022edd702c19
SHA512 69dc86779cd2057debfc2aef2a7a0149c8de0a1f2521127fef6d42780d27deaa44f9e4d059e8478f186187bd830e363ee52f63ef14ac7d778ca9e07b792ddf70

memory/1808-43-0x0000000004900000-0x0000000004908000-memory.dmp

memory/1808-30-0x0000000004B10000-0x0000000004B18000-memory.dmp

memory/1808-76-0x0000000004B10000-0x0000000004B18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 2a80f52aad5f7cfc9a27a505d83d3a76
SHA1 9a8c05c8f525fe9c54a4dc92b6f7797a2e6f390f
SHA256 f2e3a3fbf44b5a018230736c8e6bf1f8818927de1226136bc436158e274001da
SHA512 1643b7d1a93a8af7d571def42f4a4c884d343f36b22cea5bbdd2edd7afb842204d4c43ad46a0f4547a9235315fed6553f59e5267849fc32436b2b7a33540ee08

memory/1808-74-0x0000000004C40000-0x0000000004C48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 18d0aeb9f2ddf60cd90f689569e032cf
SHA1 87a3ee174aaa715eeef608f82ec06b6fc9f36873
SHA256 274ff773b1142c339f2be94821b06586518e5310b8704ebfce315348a4c0b570
SHA512 50aa428b0868f51f037fe0afe9af0e004398d4e7dc423baeb563cbe56ea09e56b3ae260ccdb5f755a008f847812b6978d6b41f2dfc8d801d26db22cff2a95bbc

memory/1808-115-0x00000000047C0000-0x00000000047C8000-memory.dmp

memory/1808-128-0x0000000005000000-0x0000000005008000-memory.dmp

memory/1808-127-0x0000000004880000-0x0000000004888000-memory.dmp

memory/1808-129-0x00000000052B0000-0x00000000052B8000-memory.dmp

memory/1808-130-0x00000000051B0000-0x00000000051B8000-memory.dmp

memory/1808-124-0x0000000004880000-0x0000000004888000-memory.dmp

memory/1808-144-0x00000000047E0000-0x00000000047E8000-memory.dmp

memory/1808-152-0x0000000005020000-0x0000000005028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 853291c0aa2d00d3b8f5df4ca5acb31b
SHA1 45afd8d24cf572fcdaf9dff4e5b07c1f8b8f7937
SHA256 440a1fc796320dbc7b7e9f28131bda353c1b5f3adfd20a71f462e4afa3537fe7
SHA512 b1fdb186c8ef303da855db80f6eca0a50c7b6d3dfee945c12a800e7484eacc154dc575ae0b7f791ecb7cee27a62b0c603af850f729437c88da696996bf35c1b3

memory/1808-167-0x00000000047E0000-0x00000000047E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 0da345ff548f2138ed5c29994eb220f9
SHA1 4f435bf91d4f747ede722f8df3c8a92ddcde9394
SHA256 a038ca2b6dc625b6a5babbe51d77e4e545b6d2f608a595d71660994082353756
SHA512 3ace22f81c248f9892986e1d36e24e68e853c66af100c9b2d4022f47dc8a980ce0febf1e10dd1e58ab24bf92a18c6b5d6406a1c32962a9c72aae2bccaa63670e

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 cff22a2b9ee1c8892ad443d4daf893f4
SHA1 1139c5f368624c25756307dd319223ea5cf41cb1
SHA256 f09c1c3b95c4be379f0b15d5e6f849b4af14d4a3d23fc5ff8f0e6c5930ad3982
SHA512 b492eae2301e4584871bc5456a4d4e10938c378386f8aa6e1c20a4a4cb97da786358fb3c241bb40cc9328ec90d0b7bb7b823fe454d28a7d953ad0935f3c6e147

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 41fc58c752416baa9c1c0f513965bf81
SHA1 4abff7c644c792fda0e1130b6a8ef76427ba2a60
SHA256 fc0949635f1c67136f6bd3efe9d21e239b19156518197b8a448a098c96d80c58
SHA512 ecad31d4742f8696ce66c76c8ac702ddd7504eea738cf075a076c300fce8fb9b0e6a54842a262591763ee80a6005aa905fde1bed4bec649a0087d6c2b122421f

memory/1808-154-0x0000000005150000-0x0000000005158000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 6ec42423ea570b4010582dc6bf7cf38b
SHA1 d04151197c0fc5959de9230bd58c477108cdaf18
SHA256 f894d3515077013379ce56a0549bfeffe36166c1c36214df69504e0f1b8566f5
SHA512 2cbccd525b24035bf0e2a7efe22b2247385e27fe442c524a466d5bb2e00201a22a2187fe7b717bcddf46d299e388edf59e6f7b16099957450496acd68776fbc2

memory/1808-131-0x0000000005020000-0x0000000005028000-memory.dmp

memory/1808-116-0x00000000047E0000-0x00000000047E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d

MD5 534d10b23759bf033c06290996225779
SHA1 e42d289e99d19887cd7fddfd74a03c28f1b3423c
SHA256 c05818eac34fc04781c2664040d9910562a972d66f8c720f8ec081962b86233c
SHA512 b720ef41da05c4daf5be890226a3c50f3a9ebb68dc40357d03f5d2b277d14cef380366a16c4b772de0b360052165daf2d058cc40bc77c1ad181487b68e9fe0ef

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 e4ab27eb0b1d6204313dd1b4bab773f7
SHA1 361e5fee61ae53803fcb9fedd8c17c9ff3d38110
SHA256 ef9d9dc98a260fa5b888a78dcc478cd2bf6a66518cb15a3909bbe67bfa789c35
SHA512 ffdfe98e147bd5db44584f87e91d2c8c43586b48ebd3fe5fc638316bc02e77ab0d1ec051bec52a4c9bf6487b869129470ff74d1cfb285f59629d4accc4eb6660

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 d1c7e909e692573a58b0e75b07c7c458
SHA1 b09ccb0de520f49eb5d0907a6a103084a8f17067
SHA256 d2f0c9fcefbf01e52be23907b63e8f42df72c5017e684c10e600e043d1d501df
SHA512 25ae4c992a09b540f7b0428778905e81f6a32dbfe571679a8b5b7daeae322b51d7204fc1a795063dda8f2e1a0c9c0a2f779ec20edc32b25326228271b3789fc8

memory/1808-66-0x0000000004900000-0x0000000004908000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 1d06da831b06db0b2107db40fecc170c
SHA1 9e4ec4ea1237fe267f71ef5bf70868bc9e6c70b9
SHA256 67a3bef64f43b0e6d96dcdfb5adc9dc16c58ffd8a528f832506ccc55432f5b77
SHA512 56ef26c0cac18575f1d9e7d5486ed74188bd710c0591aaf42670c90029eb4fba0f5676f60befc5c3310ecd230139ef295c8b5b120cdad2a289efb8a584201f5b

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 5d6734e830279856de605cb89bbc10f5
SHA1 919bcdc4a6de63b0a4400aac02b0d5d052ea1ab8
SHA256 4eefb47f3add20248716515c3495205879eb10a582e181c07d0421181f30efcb
SHA512 b3148739c263de6c7f521beda00da9b86f390a5c2aa7524952c2b7ccfab08f12ee992cdb4f5fa7437c8334c9e92d0877366565fe6f32fb4dfbaa44c4842b2098

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 64027799f6da9b74777b1a6cf47f4d09
SHA1 262683f9c79cdc9a5e3b512257001adbd39e96c4
SHA256 623417564f277b43ff56d6aacd2cdfede43abf8162170fa3026b710bd6247b80
SHA512 bc6ef6d038c93b12e948b46c0c3ad0663930142e9e6b6a4d3d1886781acf5810668bc1145524edaabafe44f7796b9c654ea2532aca5a5270f101180df4c0df0c

memory/1808-53-0x0000000004C40000-0x0000000004C48000-memory.dmp

memory/1808-21-0x0000000004900000-0x0000000004908000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 86adb51f81a1e3360e93755ff5796bd0
SHA1 94a1aef2cfd664018741303323293832b6b994c4
SHA256 ab931d6dabcaa4236b3e4935c047e7071c0368d5be688df5fb1eb5c0cb882c1d
SHA512 6afbedf506f2f24e12ba68662e4369385b1e29f8a82e201464f0de72fdb036ab10055cb056dc2b95882cce11ca290ab034dc46831e151a3b53a5dc58d4f7481f

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 ea8091a1de4fb209d485b5daa43ba415
SHA1 9568215162971b84e1904de1e30f5421d6bba694
SHA256 3febb90f4295d548dd66457b39035d489ae0ae5782cdcf13f4e7f7b7409fdacc
SHA512 c4c39ee2d671f4bf30d47daf4fb9cffa4f912f73ebbd63ac392f2c40a2c7f4fd15756e537a0ac76e221fcc59e42b8e986587594c2bf80b47aea2a292a3c5f762

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 1e3504e3f4627b6ba8d9a71c887f85cf
SHA1 17896b3ba1fce3675d16278abee91bda5cfc4f90
SHA256 748c52034534e30655ff29e22fa05fb24ba8589e028d40afecf2a17c8ef214db
SHA512 df504fe4ed4909f661e90485499d61a535e7e82ee4733a201d94e7fdfbd8e259f607b876666b73b795c66f6a9dbefcb20441fcb512f253c0cf7fddc9ebff5b0c

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 199439bd7a897c425c9186ed27653810
SHA1 05120bde847e2febda0d56b67aca9033c7ba93aa
SHA256 df58c9cdc981f7680c210a6b7c592beb8c2f2a5ee0066e3d17dfa2284f3d2fbe
SHA512 800ad3805bc1b6dc3e7b3f0a7595a4a6bb5ee8de807bc273d8a94eb89a3e6934ee71e62c975732fed1790db0de897e9d06e2254c6c877bd2800a8425ee05e508

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 2c9bbdf80306f46b3ad824d643cf0ccc
SHA1 574b56ee00472ef19b53d212b23d70c9ffd01786
SHA256 1ed5aae93f796ccae1f1160142fbaea0b4356474e2fe4e5c6ed08d7f51a695fb
SHA512 f37c1d2f7746715bb7bf41a10c3c1ba81f619d86d01b159426e65fd2ea0b3c06a471156a695986bbc82f484b20f2812d2f3d6a41d4016ced6b69f521677a922c

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 0cc5201e15c594cdda2d76b8133acc78
SHA1 ca7e254ecdb50802b7b95a6406542fc50e90e1a6
SHA256 288b4625a23424060fde4662e769bb5f61475cca2e26e3e9e40408023d3b383a
SHA512 dd9837fd0d6d2f3715e91033a103c3b37d663d25e8ac7d88a31f9bd9ce7c6389805850b386dda50d246c63b3cd11ee34f4733c4d3c9d5c12350f953494596271

C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

MD5 e7f6610e84289a048bf523f1493ebe4d
SHA1 30ecd3c3fa788069b2b1de9e3a4a5eab988ef56d
SHA256 04dc0791cad8670485e560be6a9c8e03198ebd26cc33901815e6e0295b79ba83
SHA512 87f8a9fe3288e17d01cad54c19baff94de0b47186437a2957351525d6cf198b2070b1b6aba891455260233249bbc23ea9c40223e98f67490f57b33b30ff4af3a

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 1324ae2dc5e25fe2c9ad09aaa4556445
SHA1 b3a4ce159c0fb15969e58bf4553aaae1b14f2c3d
SHA256 7c314fd9b99b9eb50e04df651d57a6f3e273e2a5f963956927d1087983187d95
SHA512 8b4ee0d3d1f8f002f553302e288d35ea4d9eb5c5cb10235e3ed415b59ef1b88b600d9a719e59ff0f7008659eadd2e44362c32f55c8353df77c3d4dac7de75083

memory/1808-505-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d.jfm

MD5 b8d32f99a4f53e7e70a43fb54dd13a13
SHA1 310842abbc4c7613c8f8a8a1b46a9011ed1efb60
SHA256 687c272cf043f432fddf7270cb037bce4e8c58109a93cbdd580a8584786221a1
SHA512 cd689c805d47587b3c0325dead19bb946d4637860dc1f87894757c9a4359ee77e3e6c1896abac4bd91857a8c827c63f1337e82c560935263ab2db3a3b5e659eb
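The Files sections above interleave memory dumps (named by PID, capture sequence number and address range) with dropped-file paths and their digests, and the same region or path recurs many times: 0x400000-0x759000 is dumped at sequence 0, 1 and 505, and d.jfm is listed with a different SHA256 almost every time. The parser below is an added example, not part of the report, that turns that listing into region statistics and per-path digest sets and checks that every digest has the length its algorithm requires before it is pasted into a blocklist. SAMPLE_LISTING is a subset of the behavioral2 Files section copied from this report; the function names are the example's own. The d / d.jfm / d.INTEG.RAW trio follows the naming ESE (JET Blue) uses for a database, its flush-map file and an integrity-check dump; that is my reading of the names, not something the report states.

```python
"""Parser for the Files listing format used in this report.

Added example, not part of the sandbox report. SAMPLE_LISTING is a subset of
the behavioral2 Files section copied from the report; the helper names are the
example's own.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (dumps, files): dumps is a list of region dicts; files maps a
    dropped-file path to one digest dict per time the path was listed."""
    dumps, files, current = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Files":
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][-1][h.group(1)] = h.group(2)
            continue
        current = line          # a dropped-file path starts a new digest record
        files[current].append({})
    return dumps, dict(files)


def region_summary(dumps):
    """Group dumps by (pid, start, end) with the sequence numbers at which
    each region was captured, so repeatedly dumped regions stand out."""
    regions = defaultdict(list)
    for d in dumps:
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: {"size": k[2] - k[1], "seqs": sorted(v)} for k, v in regions.items()}


def rewritten_paths(files):
    """Paths listed with more than one distinct SHA256, i.e. rewritten during the run."""
    out = {}
    for path, recs in files.items():
        shas = {r["SHA256"] for r in recs if "SHA256" in r}
        if len(shas) > 1:
            out[path] = len(shas)
    return out


def validate_digests(files):
    """Flag digests of the wrong length or records missing an algorithm; a
    truncated hash in a blocklist silently matches nothing."""
    problems = []
    for path, recs in files.items():
        for i, rec in enumerate(recs):
            for algo, digest in rec.items():
                if len(digest) != DIGEST_LEN[algo]:
                    problems.append((path, i, algo, len(digest)))
            for algo in DIGEST_LEN:
                if algo not in rec:
                    problems.append((path, i, algo, "missing"))
    return problems


# Subset of the behavioral2 Files section, copied from the report.
SAMPLE_LISTING = r"""
memory/1808-0-0x0000000000400000-0x0000000000759000-memory.dmp
memory/1808-1-0x0000000000400000-0x0000000000759000-memory.dmp
memory/1808-7-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
MD5 54890b304003af6c00c4b1be0689068d
SHA1 1459e0b746988f1166918e7a283b4477ab009024
SHA256 399539102e89d5eaa8a12a5abea85591787e4ceaffb9c8cd0c65cb9d935d3586
SHA512 91a6c2a7a1e59441830514aebcfbc826b0d76ca5c3b07cc94a38c76c051443dfe765359215d02f5a81c9c4edc567120a6edce5d664c13e2690bfc7a775673121
memory/1808-30-0x0000000004B10000-0x0000000004B18000-memory.dmp
memory/1808-51-0x0000000004B10000-0x0000000004B18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
MD5 a2f394a108f08452ade3bb46d4f4b3ab
SHA1 163cba4b72a06edba974c808f9380a965783c2f3
SHA256 55c31b1cceeaaca7fb04da06aa9ab6cd3a7ad7e3b851a5420347022edd702c19
SHA512 69dc86779cd2057debfc2aef2a7a0149c8de0a1f2521127fef6d42780d27deaa44f9e4d059e8478f186187bd830e363ee52f63ef14ac7d778ca9e07b792ddf70
memory/1808-76-0x0000000004B10000-0x0000000004B18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d
MD5 534d10b23759bf033c06290996225779
SHA1 e42d289e99d19887cd7fddfd74a03c28f1b3423c
SHA256 c05818eac34fc04781c2664040d9910562a972d66f8c720f8ec081962b86233c
SHA512 b720ef41da05c4daf5be890226a3c50f3a9ebb68dc40357d03f5d2b277d14cef380366a16c4b772de0b360052165daf2d058cc40bc77c1ad181487b68e9fe0ef
memory/1808-505-0x0000000000400000-0x0000000000759000-memory.dmp
"""

if __name__ == "__main__":
    dumps, files = parse_files_section(SAMPLE_LISTING)
    for (pid, start, end), info in sorted(region_summary(dumps).items()):
        print(f"pid {pid} {start:#x}-{end:#x} size={info['size']:#x} dumped at {info['seqs']}")
    print("rewritten:", rewritten_paths(files))
    print("digest problems:", validate_digests(files))
```

On the subset, the 0x400000-0x759000 region (0x359000 bytes, the main image mapping) is reported at sequences 0, 1 and 505, the 0x4B10000-0x4B18000 region (0x8000 bytes) at 30, 51 and 76, and d.jfm is the only path with more than one distinct SHA256. Feeding the full Files section in gives the same view for every region and path in the run.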