Malware Analysis Report

2025-01-18 18:18

Sample ID 241215-znl9faykhk
Target f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118
SHA256 646a0765bd939d1bee2df956a6c8fea9db95dff1290ef334b7b58f72b6905199
Tags
locky discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

646a0765bd939d1bee2df956a6c8fea9db95dff1290ef334b7b58f72b6905199

Threat Level: Known bad

The file f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

locky discovery ransomware

Locky family

Locky

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 20:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 20:51

Reported

2024-12-15 20:54

Platform

win7-20240903-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe"

Network

Country Destination Domain Proto
KZ 78.40.108.39:80 tcp
RU 188.127.231.116:80 188.127.231.116 tcp
FR 51.255.107.8:80 tcp
FR 51.254.181.122:80 tcp
FR 51.255.107.10:80 tcp
US 8.8.8.8:53 orvfytfvqdghqo.us udp
US 8.8.8.8:53 jbauswiobun.nl udp
US 8.8.8.8:53 lcisjvfmg.be udp
US 8.8.8.8:53 uaderxq.in udp
US 8.8.8.8:53 iftygcogvpeiehw.ru udp
US 8.8.8.8:53 rdhpgvoljpcds.de udp
US 8.8.8.8:53 tepqrloarom.be udp
US 8.8.8.8:53 onxinicb.nl udp
KZ 78.40.108.39:80 tcp

Files

memory/2324-0-0x00000000000E7000-0x00000000000E8000-memory.dmp

memory/2324-1-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-2-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-4-0x00000000000E7000-0x00000000000E8000-memory.dmp

memory/2324-5-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-8-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-11-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-14-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-16-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-18-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-19-0x00000000000D0000-0x0000000000107000-memory.dmp

memory/2324-20-0x00000000000D0000-0x0000000000107000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 20:51

Reported

2024-12-15 20:54

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f5b32a0bc9876801691eaa8785f4e893_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FR 51.255.107.8:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KZ 78.40.108.39:80 tcp
RU 188.127.231.116:80 188.127.231.116 tcp
FR 51.255.107.10:80 tcp
US 8.8.8.8:53 116.231.127.188.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FR 51.254.181.122:80 tcp
US 8.8.8.8:53 orvfytfvqdghqo.us udp
US 8.8.8.8:53 jbauswiobun.nl udp
US 8.8.8.8:53 lcisjvfmg.be udp
US 8.8.8.8:53 uaderxq.in udp
US 8.8.8.8:53 iftygcogvpeiehw.ru udp
US 8.8.8.8:53 rdhpgvoljpcds.de udp
US 8.8.8.8:53 tepqrloarom.be udp
US 8.8.8.8:53 onxinicb.nl udp
FR 51.255.107.8:80 tcp

Files

memory/4680-1-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-0-0x0000000000327000-0x0000000000328000-memory.dmp

memory/4680-3-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-4-0x0000000000327000-0x0000000000328000-memory.dmp

memory/4680-5-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-8-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-10-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-13-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-15-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-17-0x0000000000310000-0x0000000000347000-memory.dmp

memory/4680-19-0x0000000000310000-0x0000000000347000-memory.dmp