Malware Analysis Report

2025-08-05 09:59

Sample ID 240403-x825aaah43
Target a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118
SHA256 e0653dc038521d02b48f6e69f3b62836d87eb4b4305e6a5f4540ad72b7cb5103
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e0653dc038521d02b48f6e69f3b62836d87eb4b4305e6a5f4540ad72b7cb5103

Threat Level: Shows suspicious behavior

The file a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:32

Reported

2024-04-03 19:34

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"

C:\Windows\outlook.exe

C:\Windows\outlook.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:1434 tcp
N/A 127.0.0.1:1433 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 thawte-com.mail.protection.outlook.com udp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 thawte-com.mail.protection.outlook.com udp
US 52.101.42.14:25 thawte-com.mail.protection.outlook.com tcp
US 52.101.42.14:25 thawte-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 52.101.194.4:25 thawte-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 natalya.videolan.org udp
FR 213.36.253.119:25 natalya.videolan.org tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
US 104.47.53.36:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 adobe.mail.protection.outlook.com udp
US 8.8.8.8:53 adobe.mail.protection.outlook.com udp
US 52.101.10.12:25 adobe.mail.protection.outlook.com tcp
US 52.101.8.46:25 adobe.mail.protection.outlook.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 domain-com.mail.protection.outlook.com udp
US 52.101.11.2:25 domain-com.mail.protection.outlook.com tcp

Files

memory/2032-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/2032-13-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.cfg

MD5 26afbe0465cd2bd92812d6d0e7e54412
SHA1 8de1830535c8ccc7748268587f5de15e52c38b94
SHA256 301fb91df2be29d5e77d085c6a016b83b735a06a019d4229474328b7461a8e0c
SHA512 703bcd559d1f02d6c3fb696111811baff843d2809e56ff481d19405f9fb71fc3a42a597717921a9c177dd0899b15f51296d029e75fa3001b3ce307f17509d761

C:\Windows\outlook.cfg

MD5 b191c4fdf8d4fe2d5878a30754abcb5d
SHA1 0e25396f2f77453d8380ea2f11c01a7d77c45915
SHA256 2191d0304ea522767d36df2ec3d6cb3ed1ebf78b2ead2e5d963179ff995105a0
SHA512 85f1335284257318336de11e7590af2d05f596bbe67ebbcad907d556259dee0a5ebf5b86a98d299f0678b3bf087f672ad9bce986786a3eeeec829bc5ce2a7146

memory/2084-38-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2084-52-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2084-64-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2084-67-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2084-69-0x0000000000400000-0x000000000047E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:32

Reported

2024-04-03 19:34

Platform

win10v2004-20240226-en

Max time kernel

99s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\crc32.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\outlook.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"

C:\Windows\outlook.exe

C:\Windows\outlook.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 29868

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:1434 tcp
N/A 127.0.0.1:1433 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 smtp.google.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 inbound-reply.s7.exacttarget.com udp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 nokia-com.mail.protection.outlook.com udp
US 8.8.8.8:53 tcp
BE 74.125.206.27:25 smtp.google.com tcp
US 104.47.53.36:25 microsoft-com.mail.protection.outlook.com tcp
NL 52.101.73.16:25 nokia-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 incoming-relays.illinois.edu udp
US 148.163.135.28:25 incoming-relays.illinois.edu tcp
US 136.147.189.244:25 inbound-reply.s7.exacttarget.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 letterbox.kde.org udp
GB 46.43.1.242:25 letterbox.kde.org tcp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp

Files

memory/3440-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/3440-18-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.cfg

MD5 12237054cc8238d84b88008e1c1006e2
SHA1 65d7b196d91bae9ce7ab22e1dbacbd5c1b1948a3
SHA256 96acb3266157d6bb005803dc626c192ab8248db4d8d233de8b716d21bc552ab7
SHA512 74172dbae4452eac43390eecebc0888ee1b586df23252b372e85106f999004b12796221b31cfb7ce2a712dd9fe93be8529276dc97159d7afb149e800dc5cfdb9

C:\Windows\outlook.cfg

MD5 0aaa44531a2e47cbfa8111c6aacdffcd
SHA1 b1b8f2d32fd4413a80add3dbf931c8ee3c60e53c
SHA256 48af9029977a0db8ba033edf2bea30496473f8ca065cdb742591f630d2d6ccdc
SHA512 26bd225853ac962e59bea6aff56733a7efc1f632bda128e8460481563254ec117982897cf0685276e40d5fcc3632e59e1319f1dcc57317ec80cf8a4a4d141fb3

memory/4388-102-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\outlook.cfg

MD5 d2093a543cecc7ce23df422c9baa662a
SHA1 d4006a024e839dc6c405865a99031e1faf4aa91a
SHA256 3108a746201a9c58797d2ede4c27879a806f73024dbff9a47b38a1ab2738d04e
SHA512 51a08dded07a7cff6b7969b79cafe3ce5533aa90450c56e75101061dd3a74a173e8574dccec13fc9f7d80790d3e6110d8367f50079b4e6f3a668f27e651ca6b9

memory/4388-118-0x0000000000400000-0x000000000047E000-memory.dmp