Malware Analysis Report

2025-08-11 01:08

Sample ID 240404-qpp72sha3y
Target b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118
SHA256 102473af3df3e3a3af680d4bd00e9d329f24dba787147c578ef3f0886f167fb5
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

102473af3df3e3a3af680d4bd00e9d329f24dba787147c578ef3f0886f167fb5

Threat Level: Shows suspicious behavior

The file b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:26

Reported

2024-04-04 13:29

Platform

win7-20240220-en

Max time kernel

142s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2516 set thread context of 2712 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2040 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 2516 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sunray1975.zapto.org udp

Files

memory/2040-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2040-1-0x0000000000400000-0x0000000000601000-memory.dmp

\Users\Admin\AppData\Roaming\7D57AD13E21.exe

MD5 7acb3a2b7a3ccf0b610dc9180e24270f
SHA1 c4182adc6b678656715bc6bb217a412d35ec0deb
SHA256 6f4739459036943ddcc992f207cd0c0458b5908c98d2e92ca78d25b0d0d6d5d7
SHA512 181361c888d5370c68b63ec9aa5f2a824cdb4048923155cc3115bcf82f7e4ef3d79f150dbf113059582a71cf8b87318b33382a37a27094f75de262c64ebad542

memory/2040-12-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2516-13-0x0000000000330000-0x0000000000331000-memory.dmp

\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

memory/2040-21-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2040-19-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2600-22-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2600-27-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2516-41-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2600-42-0x0000000000400000-0x00000000004FB000-memory.dmp

memory/2712-44-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2712-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2516-50-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2712-51-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2712-48-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2712-52-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2712-55-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2712-54-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2600-56-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2712-58-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2712-61-0x00000000003A0000-0x00000000003A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:26

Reported

2024-04-04 13:29

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3376 set thread context of 1796 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2516 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 2516 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
PID 3376 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b97e6ceadb35fc9575cbf741794b2462_JaffaCakes118.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 19.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 sunray1975.zapto.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.110.86.104.in-addr.arpa udp

Files

memory/2516-0-0x0000000000900000-0x0000000000901000-memory.dmp

memory/2516-1-0x0000000000400000-0x0000000000601000-memory.dmp

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

MD5 6c9b214353cbc340a6e12a1cd187d779
SHA1 92358674daa6e8c8b1eaf451ce62fddcc8a066b9
SHA256 652cc5090d1c74706cf5b5a1fa4dafb8aa124e776b1466434c418b449a60c5ea
SHA512 2cbbf321049a6b80315cf2c9578cab2c1763beb8382ff4c58e85950dfe0cc8f0c8cc32808012d0a20dc928a04b9f98dfe3615fc6b5d7578b814e6ed45f39fecc

memory/2516-11-0x0000000000400000-0x0000000000601000-memory.dmp

memory/3376-12-0x0000000000860000-0x0000000000861000-memory.dmp

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

memory/2516-24-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2084-25-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/3376-28-0x0000000000400000-0x0000000000601000-memory.dmp

memory/2084-29-0x0000000000400000-0x00000000004FB000-memory.dmp

memory/3376-30-0x0000000000400000-0x0000000000601000-memory.dmp

memory/1796-31-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1796-33-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/3376-34-0x0000000000400000-0x0000000000601000-memory.dmp

memory/1796-35-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2084-39-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/1796-38-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1796-37-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1796-41-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1796-44-0x0000000000560000-0x0000000000561000-memory.dmp