Malware Analysis Report

2025-01-02 15:33

Sample ID 241129-r3m6aavqdm
Target b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118
SHA256 2b011ffe49624f0ea4c5640fb0c0c1173d03c10254df6d84191541182998dc75
Tags
pandastealer discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b011ffe49624f0ea4c5640fb0c0c1173d03c10254df6d84191541182998dc75

Threat Level: Known bad

The file b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pandastealer discovery stealer

Panda Stealer payload

Pandastealer family

PandaStealer

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 14:43

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Pandastealer family

pandastealer

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 14:43

Reported

2024-11-29 14:45

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Pandastealer family

pandastealer

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe"

Network

N/A

Files

memory/2032-0-0x0000000036EF0000-0x0000000036F00000-memory.dmp

memory/2032-4-0x00000000003A0000-0x0000000000B0A000-memory.dmp

\Users\Admin\AppData\Local\Temp\Office2007.cjstyles

MD5 6c81f596bfda0b754e3514a46ee48119
SHA1 bc7f447ca8b41beabf26f9556c58292cf8774d7d
SHA256 fc91fbb7d3e77ebc949873d514679be783c100b352d6737c25d1ef47550145bb
SHA512 b8c9789cb3062a5d670b199e586f6bb126c14da450e2bf874d0f1f36b043db61db77542aca411d5bea4a593564405d81520160043e7fbbea3d0d5b63f991dd15

memory/2032-5-0x0000000076010000-0x00000000760AD000-memory.dmp

memory/2032-6-0x0000000076DF0000-0x0000000076E90000-memory.dmp

memory/2032-7-0x0000000076E90000-0x0000000076EE7000-memory.dmp

memory/2032-8-0x00000000760E0000-0x00000000762F5000-memory.dmp

memory/2032-10-0x0000000076F01000-0x0000000076F02000-memory.dmp

memory/2032-13-0x0000000076EF0000-0x0000000077000000-memory.dmp

memory/2032-12-0x0000000076EF0000-0x0000000077000000-memory.dmp

memory/2032-11-0x0000000076EF0000-0x0000000077000000-memory.dmp

memory/2032-9-0x0000000075370000-0x0000000075FBA000-memory.dmp

memory/2032-21-0x00000000003A0000-0x0000000000B0A000-memory.dmp

memory/2032-20-0x0000000076EF0000-0x0000000077000000-memory.dmp

memory/2032-19-0x0000000074D00000-0x0000000074D76000-memory.dmp

memory/2032-18-0x0000000074DD0000-0x0000000074E02000-memory.dmp

memory/2032-17-0x0000000077360000-0x000000007738A000-memory.dmp

memory/2032-16-0x0000000074E10000-0x0000000074E61000-memory.dmp

memory/2032-15-0x00000000764F0000-0x000000007657F000-memory.dmp

memory/2032-14-0x0000000075210000-0x000000007536C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 14:43

Reported

2024-11-29 14:45

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Pandastealer family

pandastealer

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4056-0-0x00000000003A0000-0x0000000000B0A000-memory.dmp

memory/4056-1-0x0000000036570000-0x0000000036580000-memory.dmp

memory/4056-2-0x0000000076580000-0x0000000076581000-memory.dmp

memory/4056-3-0x0000000076560000-0x0000000076650000-memory.dmp

memory/4056-4-0x0000000076560000-0x0000000076650000-memory.dmp

memory/4056-9-0x0000000076280000-0x00000000762FA000-memory.dmp

memory/4056-11-0x0000000076280000-0x00000000762FA000-memory.dmp

memory/4056-23-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-27-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-28-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-35-0x0000000077380000-0x000000007745C000-memory.dmp

memory/4056-66-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-71-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-70-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-69-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-65-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-64-0x0000000077240000-0x0000000077323000-memory.dmp

memory/4056-63-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-62-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-61-0x0000000076300000-0x00000000763AF000-memory.dmp

memory/4056-60-0x0000000075350000-0x00000000753C4000-memory.dmp

memory/4056-56-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-52-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-55-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-54-0x0000000076300000-0x00000000763AF000-memory.dmp

memory/4056-53-0x0000000075350000-0x00000000753C4000-memory.dmp

memory/4056-47-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-50-0x0000000076300000-0x00000000763AF000-memory.dmp

memory/4056-49-0x0000000075350000-0x00000000753C4000-memory.dmp

memory/4056-48-0x0000000077660000-0x0000000077685000-memory.dmp

memory/4056-43-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-44-0x0000000075350000-0x00000000753C4000-memory.dmp

memory/4056-42-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-41-0x0000000077240000-0x0000000077323000-memory.dmp

memory/4056-40-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-34-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-33-0x0000000077240000-0x0000000077323000-memory.dmp

memory/4056-32-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-31-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-30-0x0000000076300000-0x00000000763AF000-memory.dmp

memory/4056-29-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-68-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-67-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-59-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-58-0x0000000077380000-0x000000007745C000-memory.dmp

memory/4056-57-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-51-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-46-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-45-0x0000000076300000-0x00000000763AF000-memory.dmp

memory/4056-39-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-38-0x0000000076300000-0x00000000763AF000-memory.dmp

memory/4056-37-0x0000000075350000-0x00000000753C4000-memory.dmp

memory/4056-36-0x00000000758C0000-0x0000000075E73000-memory.dmp

memory/4056-26-0x0000000077660000-0x0000000077685000-memory.dmp

memory/4056-25-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-24-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-22-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-21-0x0000000077660000-0x0000000077685000-memory.dmp

memory/4056-20-0x0000000076280000-0x00000000762FA000-memory.dmp

memory/4056-19-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-17-0x0000000077660000-0x0000000077685000-memory.dmp

memory/4056-16-0x0000000076280000-0x00000000762FA000-memory.dmp

memory/4056-14-0x00000000741F0000-0x000000007426A000-memory.dmp

memory/4056-13-0x0000000074D10000-0x0000000074D3C000-memory.dmp

memory/4056-12-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-18-0x0000000074DC0000-0x0000000074E4D000-memory.dmp

memory/4056-15-0x0000000076280000-0x00000000762FA000-memory.dmp

memory/4056-10-0x00000000741F0000-0x000000007426A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Office2007.cjstyles

MD5 6c81f596bfda0b754e3514a46ee48119
SHA1 bc7f447ca8b41beabf26f9556c58292cf8774d7d
SHA256 fc91fbb7d3e77ebc949873d514679be783c100b352d6737c25d1ef47550145bb
SHA512 b8c9789cb3062a5d670b199e586f6bb126c14da450e2bf874d0f1f36b043db61db77542aca411d5bea4a593564405d81520160043e7fbbea3d0d5b63f991dd15

memory/4056-101-0x00000000003A0000-0x0000000000B0A000-memory.dmp

memory/4056-102-0x0000000076560000-0x0000000076650000-memory.dmp

memory/4056-103-0x0000000076560000-0x0000000076650000-memory.dmp