Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-xesnrahd3y
Target a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118
SHA256 0af60ba74492baa301258fb783bdd28b2b9b0594985f0eefd2aea353082bd18c
Tags
persistence spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

0af60ba74492baa301258fb783bdd28b2b9b0594985f0eefd2aea353082bd18c

Threat Level: Shows suspicious behavior

The file a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:46

Reported

2024-04-03 18:48

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe"

C:\Windows\outlook.exe

C:\Windows\outlook.exe

Network


Files

memory/1712-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/1712-15-0x0000000000400000-0x000000000040C000-memory.dmp

memory/852-40-0x0000000000400000-0x000000000047E000-memory.dmp

memory/852-54-0x0000000000400000-0x000000000047E000-memory.dmp

memory/852-66-0x0000000000400000-0x000000000047E000-memory.dmp

memory/852-70-0x0000000000400000-0x000000000047E000-memory.dmp

memory/852-71-0x0000000000400000-0x000000000047E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:46

Reported

2024-04-03 18:49

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\crc32.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\outlook.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe"

C:\Windows\outlook.exe

C:\Windows\outlook.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 39664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4016 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8

Network


Files

memory/4908-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/4908-8-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2392-19-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\outlook.cfg

MD5 1b791a9deb6baa82865c97051064d29b
SHA1 0b8158c8fba3bff48214109c05a83fb0441ec14c
SHA256 6b41b33f76fe9ca2e5d9c25b5da32dc66eac89eceb46f227f6794db400fe40bc
SHA512 5dc78f4107602291018baf427e54b7d18a9fc0f7d577ccf828e17ca791b15f1c2440a7b32505abae829caeb1e8730880a5f3209ac97c8d1bdbe38deaa643b04f

C:\Windows\outlook.cfg

MD5 c82022d76bfb8965c1b3b3cf9ccd68a4
SHA1 948c73c98c4a0d8ce550ed595c499f4dc91a68a4
SHA256 89f4b501f7f9ca8d9ed2c2ce8beb31cf95a0ba0a8fdcce98146b433832f042e1
SHA512 596e85a7cb62f8feccdd9423eadbdf79d9077eb5a7fec8837bc44339b739c86636ce431720519f8ca3e0fd95b4325ff0d8394eea90a30f79a7a862dfcf8f313c

C:\Windows\outlook.cfg

MD5 02096ea090aecdb16b13da71c8eb1198
SHA1 260a658884cd0c1fe0d01b8b0913655535489561
SHA256 8de50c81774b01171d15f54bcde216d9fe78861cf5697fc73b10307dd6b72d17
SHA512 b4cbe17d740cf47542d82c273faedb9339d4d2e404779320ea2a62e838237353610a19509f48179ff97505ffc45b0fd5ce4b17d3b6888de949b0aa3eb0e0c28e

C:\Windows\outlook.cfg

MD5 ab335f7c69727d9028e4c5c3c5960489
SHA1 86ed5a6ab4816538bf29c16b964530f778421bc1
SHA256 6285c41eeb4ba18be803af2f800ee74963a304e717a55a50147d80568c4db58d
SHA512 f2ddc3e06f2409d1e1f1e96328c09e7b0f1efd858f0a1b891e9aafae322f565a4239c3f32db5f9f17d0e5c33098af0bdea3ba0968ffd0d62b47ef90177990e40

memory/2392-103-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\outlook.cfg

MD5 323c82a0a7326e718a9460e82310a00f
SHA1 780c63b2928ef6c56890298b79a37ac06edc6a20
SHA256 95ec3e379a36e5062ec46a2c40a30a3fbd952f3083d041502e75cb2e5147921f
SHA512 fa2381d7f26b9e46b350ef8719a2c9a8e8965eab7d509d514cca6b3842606e51814537dee8cfea0d63ff6af9aca6343e75a6ef59d9d2f2b509e36fa068a15631

memory/2392-124-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2392-125-0x0000000000400000-0x000000000047E000-memory.dmp