Malware Analysis Report

2025-08-11 01:07

Sample ID: 240404-qzc1gaaa27
Target: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118
SHA256: 7079f1604aae85be52c19b83e9660b7b484b1c9f114a41fdfcdb6d69f4dfbada
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: 7079f1604aae85be52c19b83e9660b7b484b1c9f114a41fdfcdb6d69f4dfbada

Threat Level: Shows suspicious behavior

The file b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Gathers network information

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 13:41

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 13:41

Reported: 2024-04-04 13:44

Platform: win7-20240221-en

Max time kernel: 122s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | N/A |

Enumerates processes with tasklist

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |

Gathers network information

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |

Runs net.exe

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 2784 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 2784 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 2784 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 2784 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 2784 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 2784 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 2784 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 2784 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 2784 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 2784 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 2784 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 2504 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2504 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2504 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2504 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2784 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |
| PID 2784 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |
| PID 2784 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |
| PID 2784 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |

Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log |
| C:\Windows\SysWOW64\cmd.exe | cmd /c set |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /all |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\net.exe | net start |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start |
| C:\Windows\SysWOW64\NETSTAT.EXE | netstat -an |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.kvic.jp | udp |

Files

\??\c:\windows\temp\flash.log

MD5: 4de58fe695a2469a2ae859b07cb20458
SHA1: 2f6737e2ded9f5d804581fa284caba30bd6468d1
SHA256: 0bf2b778bfaace4c032ce479cb76328c77d86311d66e3776d56ad750271d09e9
SHA512: dd28f0720292251f93083ab36062fdf612ddcb0b1d16773c42fbe973f3f27f3964e747952d388ad30bd98075dc2d10ce3f5c8f5b1a3baadb458d0c38edb71a25

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 13:41

Reported: 2024-04-04 13:44

Platform: win10v2004-20240226-en

Max time kernel: 148s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | N/A |

Enumerates processes with tasklist

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |

Gathers network information

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |

Runs net.exe

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4612 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4612 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4612 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4208 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4208 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4208 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4208 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 4208 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 4208 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe |
| PID 4208 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 4208 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 4208 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe |
| PID 4208 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 4208 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 4208 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe |
| PID 2728 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2728 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2728 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 4208 wrote to memory of 3556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |
| PID 4208 wrote to memory of 3556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |
| PID 4208 wrote to memory of 3556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NETSTAT.EXE |

Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log |
| C:\Windows\SysWOW64\cmd.exe | cmd /c set |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /all |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\net.exe | net start |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start |
| C:\Windows\SysWOW64\NETSTAT.EXE | netstat -an |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.kvic.jp | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.111.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |

Files

\??\c:\windows\temp\flash.log

MD5: c6c9477328ed96c222bbf9656209c400
SHA1: 7da7daecdd0709287848ed6fe5f3af9dbd37302f
SHA256: fe5699ac6233f1801d78ac338b670e9be285332a1684331330080a00b1f44874
SHA512: def0b312f8880085927d59e72fbde0bd59c23392f3a768cc2c62f4959b6f36ee07afaadcbf0e1ea8a90c5de961a121a0d97003299f2bd58b80d4a8d0f2937fad