Malware Analysis Report

2025-01-02 15:33

Sample ID 241203-ks623stmdn
Target bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118
SHA256 f53aceec2dd2323f9ef02ba077f140f2c968762bde3e6c19be892ad09697f3cc
Tags
pandastealer discovery stealer
score
10/10


Analysis Overview

score
10/10

SHA256

f53aceec2dd2323f9ef02ba077f140f2c968762bde3e6c19be892ad09697f3cc

Threat Level: Known bad

The file bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pandastealer discovery stealer

Panda Stealer payload

PandaStealer

Pandastealer family

Loads dropped DLL

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 08:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 08:52

Reported

2024-12-03 08:55

Platform

win7-20241023-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
(9 entries recorded, every field N/A: no description, indicator, process or target was captured for this signature)

PandaStealer

stealer pandastealer

Pandastealer family

pandastealer

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe"

Network

N/A

Files

memory/2504-0-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-1-0x0000000000400000-0x0000000002CE0000-memory.dmp

\Users\Admin\AppData\Local\Temp\CDIResData\CDIRes.dll

MD5 2adaa6733c5cf480d52824b977772dbe
SHA1 88b4dd86e812c0327e9cc8ea6344af0b91cf6a74
SHA256 498aef2e80850094b09578cc54ce0a4a79d8881229c28ba5ab4c888eacb71c71
SHA512 0e27bf90bb9f467e94dd8eb76131ae29049de9df8f3070446053d2164d1d7f2b9b41474b27349489e126365e9c34850d9a42c4fad0f63b23ad46f075a8d6d579

C:\Users\Admin\AppData\Local\Temp\Script.ini

MD5 00ce10a19fdfa5b5cfba4f5d8e371683
SHA1 f23998163617df6f42a0c3ea730cbbb869cfc410
SHA256 046b66aed0f0673433cf4ac68003488245eac2748b402f1f4b062fabc2d34af5
SHA512 cfb914f7dc56ba4d8eab964b975211bf8eb7d6a640d28885e7f90438a5cd70a3dc6a2616187c0bdea59a580ff5680dec36239e620a1f0acc4d3ba296267deae1

memory/2504-286-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-289-0x0000000075C50000-0x0000000075CA7000-memory.dmp

memory/2504-288-0x0000000076DF0000-0x0000000076E90000-memory.dmp

memory/2504-287-0x0000000077500000-0x000000007759D000-memory.dmp

memory/2504-291-0x0000000075210000-0x0000000075261000-memory.dmp

memory/2504-290-0x0000000075CF0000-0x000000007693A000-memory.dmp

memory/2504-293-0x0000000076AD0000-0x0000000076B5F000-memory.dmp

memory/2504-294-0x00000000771D0000-0x00000000771FA000-memory.dmp

memory/2504-295-0x0000000075150000-0x0000000075182000-memory.dmp

memory/2504-292-0x00000000776C0000-0x000000007781C000-memory.dmp

memory/2504-296-0x00000000750D0000-0x0000000075146000-memory.dmp

memory/2504-297-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/2504-301-0x0000000076DF0000-0x0000000076E90000-memory.dmp

memory/2504-300-0x0000000075510000-0x0000000075519000-memory.dmp

memory/2504-298-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-303-0x0000000075C50000-0x0000000075CA7000-memory.dmp

memory/2504-302-0x0000000076B60000-0x0000000076BDB000-memory.dmp

memory/2504-306-0x0000000075210000-0x0000000075261000-memory.dmp

memory/2504-311-0x0000000075150000-0x0000000075182000-memory.dmp

memory/2504-309-0x0000000076AD0000-0x0000000076B5F000-memory.dmp

memory/2504-308-0x00000000776C0000-0x000000007781C000-memory.dmp

memory/2504-307-0x00000000754D0000-0x00000000754EC000-memory.dmp

memory/2504-305-0x0000000075CF0000-0x000000007693A000-memory.dmp

memory/2504-304-0x0000000075270000-0x000000007540E000-memory.dmp

memory/2504-299-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-315-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/2504-314-0x00000000750D0000-0x0000000075146000-memory.dmp

memory/2504-313-0x00000000770A0000-0x000000007716C000-memory.dmp

memory/2504-327-0x00000000770A0000-0x000000007716C000-memory.dmp

memory/2504-326-0x0000000075150000-0x0000000075182000-memory.dmp

memory/2504-324-0x0000000076AD0000-0x0000000076B5F000-memory.dmp

memory/2504-323-0x0000000075210000-0x0000000075261000-memory.dmp

memory/2504-322-0x0000000075270000-0x000000007540E000-memory.dmp

memory/2504-321-0x0000000075C50000-0x0000000075CA7000-memory.dmp

memory/2504-320-0x0000000076B60000-0x0000000076BDB000-memory.dmp

memory/2504-319-0x0000000076DF0000-0x0000000076E90000-memory.dmp

memory/2504-318-0x0000000077500000-0x000000007759D000-memory.dmp

memory/2504-317-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-330-0x0000000075510000-0x0000000075519000-memory.dmp

memory/2504-331-0x0000000076DF0000-0x0000000076E90000-memory.dmp

memory/2504-332-0x0000000075C50000-0x0000000075CA7000-memory.dmp

memory/2504-337-0x00000000770A0000-0x000000007716C000-memory.dmp

memory/2504-336-0x0000000075150000-0x0000000075182000-memory.dmp

memory/2504-334-0x0000000075210000-0x0000000075261000-memory.dmp

memory/2504-333-0x0000000075270000-0x000000007540E000-memory.dmp

memory/2504-339-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-340-0x0000000075510000-0x0000000075519000-memory.dmp

memory/2504-354-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/2504-353-0x00000000750D0000-0x0000000075146000-memory.dmp

memory/2504-352-0x00000000770A0000-0x000000007716C000-memory.dmp

memory/2504-350-0x0000000075150000-0x0000000075182000-memory.dmp

memory/2504-348-0x0000000076AD0000-0x0000000076B5F000-memory.dmp

memory/2504-347-0x00000000754D0000-0x00000000754EC000-memory.dmp

memory/2504-346-0x0000000075210000-0x0000000075261000-memory.dmp

memory/2504-345-0x0000000075270000-0x000000007540E000-memory.dmp

memory/2504-344-0x0000000075C50000-0x0000000075CA7000-memory.dmp

memory/2504-343-0x0000000076B60000-0x0000000076BDB000-memory.dmp

memory/2504-342-0x0000000076DF0000-0x0000000076E90000-memory.dmp

memory/2504-341-0x0000000077500000-0x000000007759D000-memory.dmp

memory/2504-359-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/2504-358-0x00000000750D0000-0x0000000075146000-memory.dmp

memory/2504-357-0x0000000075C50000-0x0000000075CA7000-memory.dmp

memory/2504-328-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-316-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-539-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/2504-782-0x0000000000400000-0x0000000002CE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 08:52

Reported

2024-12-03 08:55

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
(21 entries recorded, every field N/A: no description, indicator, process or target was captured for this signature)

PandaStealer

stealer pandastealer

Pandastealer family

pandastealer

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bca11b7e7f05b428e5d096fced90b03b_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 33.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/1940-1-0x0000000002E80000-0x0000000002E82000-memory.dmp

memory/1940-0-0x0000000000400000-0x0000000002CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDIResData\CDIRes.dll

MD5 2adaa6733c5cf480d52824b977772dbe
SHA1 88b4dd86e812c0327e9cc8ea6344af0b91cf6a74
SHA256 498aef2e80850094b09578cc54ce0a4a79d8881229c28ba5ab4c888eacb71c71
SHA512 0e27bf90bb9f467e94dd8eb76131ae29049de9df8f3070446053d2164d1d7f2b9b41474b27349489e126365e9c34850d9a42c4fad0f63b23ad46f075a8d6d579

C:\Users\Admin\AppData\Local\Temp\Script.ini

MD5 00ce10a19fdfa5b5cfba4f5d8e371683
SHA1 f23998163617df6f42a0c3ea730cbbb869cfc410
SHA256 046b66aed0f0673433cf4ac68003488245eac2748b402f1f4b062fabc2d34af5
SHA512 cfb914f7dc56ba4d8eab964b975211bf8eb7d6a640d28885e7f90438a5cd70a3dc6a2616187c0bdea59a580ff5680dec36239e620a1f0acc4d3ba296267deae1

memory/1940-289-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-288-0x0000000076670000-0x00000000766EA000-memory.dmp

memory/1940-290-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-296-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-287-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-295-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-299-0x0000000076670000-0x00000000766EA000-memory.dmp

memory/1940-292-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-291-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-294-0x0000000075780000-0x00000000757AC000-memory.dmp

memory/1940-293-0x0000000076670000-0x00000000766EA000-memory.dmp

memory/1940-302-0x0000000076670000-0x00000000766EA000-memory.dmp

memory/1940-303-0x0000000075780000-0x00000000757AC000-memory.dmp

memory/1940-304-0x0000000076EF0000-0x0000000076F15000-memory.dmp

memory/1940-300-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-298-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-297-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-309-0x0000000076EF0000-0x0000000076F15000-memory.dmp

memory/1940-308-0x0000000075780000-0x00000000757AC000-memory.dmp

memory/1940-307-0x0000000076670000-0x00000000766EA000-memory.dmp

memory/1940-301-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-305-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-306-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-311-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-310-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-315-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-312-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-314-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-313-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-316-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-318-0x0000000076EF0000-0x0000000076F15000-memory.dmp

memory/1940-319-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-321-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-317-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-320-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-324-0x00000000762A0000-0x000000007634F000-memory.dmp

memory/1940-322-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-323-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-325-0x0000000077190000-0x0000000077743000-memory.dmp

memory/1940-330-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-329-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-328-0x0000000075780000-0x00000000757AC000-memory.dmp

memory/1940-327-0x0000000076020000-0x0000000076103000-memory.dmp

memory/1940-334-0x00000000762A0000-0x000000007634F000-memory.dmp

memory/1940-326-0x0000000075830000-0x0000000075A40000-memory.dmp

memory/1940-335-0x0000000077190000-0x0000000077743000-memory.dmp

memory/1940-331-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-341-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-344-0x00000000762A0000-0x000000007634F000-memory.dmp

memory/1940-348-0x0000000010000000-0x00000000101C0000-memory.dmp

memory/1940-342-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-347-0x0000000075700000-0x0000000075774000-memory.dmp

memory/1940-351-0x00000000762A0000-0x000000007634F000-memory.dmp

memory/1940-354-0x0000000075700000-0x0000000075774000-memory.dmp

memory/1940-353-0x0000000075830000-0x0000000075A40000-memory.dmp

memory/1940-346-0x0000000075830000-0x0000000075A40000-memory.dmp

memory/1940-345-0x0000000077190000-0x0000000077743000-memory.dmp

memory/1940-332-0x0000000000400000-0x0000000002CE0000-memory.dmp

memory/1940-340-0x0000000075640000-0x00000000756BA000-memory.dmp

memory/1940-339-0x0000000075700000-0x0000000075774000-memory.dmp

memory/1940-338-0x0000000075780000-0x00000000757AC000-memory.dmp

memory/1940-337-0x0000000076020000-0x0000000076103000-memory.dmp

memory/1940-336-0x0000000075830000-0x0000000075A40000-memory.dmp

memory/1940-333-0x0000000075B90000-0x0000000075C6C000-memory.dmp

memory/1940-457-0x0000000002E80000-0x0000000002E82000-memory.dmp

memory/1940-617-0x0000000000400000-0x0000000002CE0000-memory.dmp