Malware Analysis Report

2025-01-22 23:09

Sample ID 241216-exwh9avqer
Target f744f2400e280cbfa73e9d38204228c0_JaffaCakes118
SHA256 8bd7d725ea0970a70e444fc5963b093a0d1e0e5d8aa433f23a1ca1267bdc7efc
Tags
banload discovery downloader dropper evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8bd7d725ea0970a70e444fc5963b093a0d1e0e5d8aa433f23a1ca1267bdc7efc

Threat Level: Known bad

The file f744f2400e280cbfa73e9d38204228c0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops startup file

Checks BIOS information in registry

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

NTFS ADS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 04:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 04:19

Reported

2024-12-16 04:22

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5} C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ = "DAO.Index.36" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ = "%CommonProgramFiles(x86)%\\Microsoft Shared\\DAO\\dao360.dll" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Class = "dao.IndexClass" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID\ = "DAO.Index.36" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\TEMP:B81F2E31 C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\TEMP:B81F2E31 C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 denge.batcave.net udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 udp

Files

memory/2092-8-0x00000000028F0000-0x0000000002AFC000-memory.dmp

memory/2092-7-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-0-0x00000000028F0000-0x0000000002AFC000-memory.dmp

memory/2092-19-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-20-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-23-0x00000000028F0000-0x0000000002AFC000-memory.dmp

memory/2092-27-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2092-21-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-18-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-17-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-15-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-22-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-28-0x00000000028F0000-0x0000000002AFC000-memory.dmp

memory/2092-29-0x00000000028F0000-0x0000000002AFC000-memory.dmp

memory/2092-30-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-32-0x00000000028F0000-0x0000000002AFC000-memory.dmp

memory/2092-35-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/2092-46-0x0000000000400000-0x0000000000A74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 04:19

Reported

2024-12-16 04:22

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5} C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Class = "dao.IndexClass" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID\ = "DAO.Index.36" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ = "DAO.Index.36" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll" C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\TEMP:B81F2E31 C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
File opened for modification C:\ProgramData\TEMP:B81F2E31 C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 denge.batcave.net udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 61.43.176.185.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp
BG 185.176.43.61:80 denge.batcave.net tcp
US 8.8.8.8:53 dayriyzyith.comeze.com udp

Files

memory/3164-0-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-2-0x0000000002C60000-0x0000000002E6C000-memory.dmp

memory/3164-9-0x0000000002C60000-0x0000000002E6C000-memory.dmp

memory/3164-16-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-19-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-17-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-20-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-21-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-22-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-23-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-24-0x0000000002C60000-0x0000000002E6C000-memory.dmp

memory/3164-28-0x0000000002C60000-0x0000000002E6C000-memory.dmp

memory/3164-31-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-32-0x0000000002C60000-0x0000000002E6C000-memory.dmp

memory/3164-35-0x0000000000400000-0x0000000000A74000-memory.dmp

memory/3164-42-0x0000000000400000-0x0000000000A74000-memory.dmp