Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qn2jpahf53
Target b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118
SHA256 3780292d1653db6c4e73f5be22a2e19d23c9b8063f4565ef1e7c9dfe57dd48aa
Tags
persistence
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

3780292d1653db6c4e73f5be22a2e19d23c9b8063f4565ef1e7c9dfe57dd48aa

Threat Level: Shows suspicious behavior

The file b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:25

Reported

2024-04-04 13:27

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\winhash_up.exe | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon6.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon10.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon13.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon2.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon5.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon7.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon12.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\bugMAKER.bat | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon3.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon14.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\bugMAKER.bat

Network

N/A

Files

C:\Windows\bugMAKER.bat

MD5 72677309d56dd6de3ece50dac5df4f71
SHA1 70d5d9a0085c639f58b2fc9416244b15474bd967
SHA256 80a9810ab81f65263ecf6785bcf58231d08bc486b8ceaa9368b32769a80b4d00
SHA512 a3b69658985e8908c184d6fc9a970371c01e5b21def10f757e9a687ba496d7f118be4a6a0f6a7bdf975406c065c4e2738ac2ac1ec1c23ffabc94e11649265ece

memory/2960-62-0x0000000002320000-0x0000000002321000-memory.dmp

memory/2804-67-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:25

Reported

2024-04-04 13:27

Platform

win10v2004-20240226-en

Max time kernel

115s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SHARE_TEMP\Icon12.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exe | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon2.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon3.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon6.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon7.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon10.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon14.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon5.ico | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A
File created | C:\Windows\bugMAKER.bat | C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b97a6d46f0bdb4a4f0c5619cb93a1f84_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 19.192.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

C:\Windows\bugMAKER.bat

MD5 72677309d56dd6de3ece50dac5df4f71
SHA1 70d5d9a0085c639f58b2fc9416244b15474bd967
SHA256 80a9810ab81f65263ecf6785bcf58231d08bc486b8ceaa9368b32769a80b4d00
SHA512 a3b69658985e8908c184d6fc9a970371c01e5b21def10f757e9a687ba496d7f118be4a6a0f6a7bdf975406c065c4e2738ac2ac1ec1c23ffabc94e11649265ece

memory/1496-24-0x0000000000400000-0x000000000042D000-memory.dmp