Malware Analysis Report

2025-08-11 01:08

Sample ID: 240404-qrjs2sha7s
Target: b98db2db541ce0a423aad8318c837f6a_JaffaCakes118
SHA256: d075d15e65636715be3589aca73e83098ea3aa6c83d0b1136aeaa6d21da47e62
Tags: persistence
Score: 7/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 7/10

SHA256: d075d15e65636715be3589aca73e83098ea3aa6c83d0b1136aeaa6d21da47e62

Threat Level: Shows suspicious behavior

The file b98db2db541ce0a423aad8318c837f6a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 13:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 13:29
Reported: 2024-04-04 13:32
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SHARE_TEMP\Icon5.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon6.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon10.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon14.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exe | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon3.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon7.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon12.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon13.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon2.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\bugMAKER.bat | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c C:\Windows\bugMAKER.bat

Network

N/A

Files

C:\Windows\bugMAKER.bat

MD5 9d7f8c1df2cc9643f04a9dc4e70428bc
SHA1 c5f84bb4c153222391fc7d9418646982705f980a
SHA256 7b73123a64108ff5a4a37b7745d1beaf384050b22cba2714eb93f8587a962b68
SHA512 eed170be30ad6d3381909b0c28b51e8c9718bba81428052f58b88d61caa2f81a264dc4875e931aaa221e54d6deb6660b8b4d142ed42411cdea881a1547f941e6

memory/2592-62-0x0000000000820000-0x0000000000821000-memory.dmp

memory/1984-67-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 13:29
Reported: 2024-04-04 13:32
Platform: win10v2004-20240226-en
Max time kernel: 93s
Max time network: 100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SHARE_TEMP\Icon3.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon5.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon12.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon14.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exe | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon2.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon6.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon7.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\SHARE_TEMP\Icon10.ico | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\bugMAKER.bat | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File created | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\winhash_up.exez | C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
IE | 52.111.236.21:443 | | tcp
US | 8.8.8.8:53 | 97.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Windows\bugMAKER.bat

MD5 9d7f8c1df2cc9643f04a9dc4e70428bc
SHA1 c5f84bb4c153222391fc7d9418646982705f980a
SHA256 7b73123a64108ff5a4a37b7745d1beaf384050b22cba2714eb93f8587a962b68
SHA512 eed170be30ad6d3381909b0c28b51e8c9718bba81428052f58b88d61caa2f81a264dc4875e931aaa221e54d6deb6660b8b4d142ed42411cdea881a1547f941e6

memory/468-24-0x0000000000400000-0x000000000042D000-memory.dmp