Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qhqv1ahe32
Target b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118
SHA256 99e865dc90658cdd73de624c8eeda31580a5e11285a4e280a384cd7ccabf2ccf
Tags: persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

99e865dc90658cdd73de624c8eeda31580a5e11285a4e280a384cd7ccabf2ccf

Threat Level: Shows suspicious behavior

The file b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:15

Reported

2024-04-04 13:18

Platform

win7-20240221-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 1924 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 1924 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 1924 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 1924 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 1924 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 1924 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 1924 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 2428 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2428 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2428 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2428 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2428 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2428 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sunray1975.zapto.org udp

Files

memory/1924-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1924-1-0x0000000000400000-0x0000000000601000-memory.dmp

\Users\Admin\AppData\Roaming\7D57AD13E21.exe

MD5 6e7f8a44aac68dc3eca425222e88a762
SHA1 2b76295e6fa9a22813b0fca4ae386a93f044bd76
SHA256 d8683655c8a8b3f9e5735d3e167fbb4ca352915a8e2c555504d9a1504ce48194
SHA512 d05eb9bf15bde7cbac93fcceef54c93bd64b8836964c7cbcda00e2b81644105b50cc6688139f9b661ce1b4d765369965e9d7696d3e5db5edb9ff9fd7bbbe62de

memory/1924-5-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2428-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1924-23-0x00000000003C0000-0x00000000003C1000-memory.dmp

\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

memory/1924-30-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2556-31-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2556-49-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2428-50-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2556-51-0x0000000000400000-0x00000000004FB000-memory.dmp

memory/1740-53-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1740-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1740-57-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2428-59-0x0000000000400000-0x0000000000601000-memory.dmp

memory/1740-60-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2556-62-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1740-63-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1740-64-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1740-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1740-66-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1740-69-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1740-70-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:15

Reported

2024-04-04 13:18

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3124 set thread context of 4416 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2184 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2184 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2184 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 2184 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 2184 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 3124 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 3124 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 3124 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 3124 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 3124 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 249.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

memory/2184-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/2184-1-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2184-2-0x0000000000400000-0x0000000000601000-memory.dmp

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

MD5 fd92f32f90f5d33214c34c3b098a7cd6
SHA1 ceee08bd0a351d1ef3ccf1c654f233a1a74dc6c5
SHA256 991e64ce263d41e0c1caeefe4e688ed6761074f05da0152c14e29a1fa0f94e50
SHA512 0c73b6e2c414142f044b5987b25d4bf4b54cc9559c033c2428b328242e4daa6f5e279b19242b58b383a086570981249ce50223a26bb94544171b192cc7e36c44

memory/3124-12-0x0000000000780000-0x0000000000781000-memory.dmp

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

memory/2184-24-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2024-25-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/3124-28-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2024-29-0x0000000000400000-0x00000000004FB000-memory.dmp

memory/4416-30-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/3124-33-0x0000000000400000-0x0000000000601000-memory.dmp

memory/4416-34-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4416-32-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4416-35-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4416-37-0x0000000002100000-0x0000000002101000-memory.dmp

memory/2024-36-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/4416-39-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4416-41-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4416-44-0x0000000002100000-0x0000000002101000-memory.dmp