Malware Analysis Report

2025-08-05 20:57

Sample ID: 240404-v45nhaec79
Target: be73f08309603418a19939fb29f46ef1_JaffaCakes118
SHA256: 3f1e7ce12366a4b61969e5386d9631291296981e512abd18022012e01ad7fad6
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 6/10

SHA256: 3f1e7ce12366a4b61969e5386d9631291296981e512abd18022012e01ad7fad6

Threat Level: Shows suspicious behavior

The file be73f08309603418a19939fb29f46ef1_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 17:33

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 17:33

Reported: 2024-04-04 17:36

Platform: win7-20231129-en

Max time kernel: 147s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MPFTRAY = "C:\\Windows\\eaRV0ZNNm.exe"
Process: C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\eaRV0ZNNm.exe
Process: C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\eaRV0ZNNm.exe
Process: C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1784

Network

Country Destination Domain Proto
AT 129.27.9.247:6667 tcp
US 192.169.204.184:139 tcp
US 203.102.11.74:139 tcp
US 33.218.224.223:139 tcp
US 26.141.181.220:139 tcp
CA 153.81.238.11:139 tcp
CH 213.55.188.15:139 tcp
US 48.181.31.205:139 tcp
US 199.28.189.82:139 tcp
CN 211.84.152.123:139 tcp
DK 2.107.170.197:139 tcp
CN 123.76.3.252:139 tcp
RU 2.63.2.65:139 tcp
TH 212.80.215.10:139 tcp
US 9.104.138.38:139 tcp
CN 110.182.145.215:139 tcp
RU 176.109.39.127:139 tcp
US 9.165.96.113:139 tcp
US 165.138.131.72:139 tcp
US 199.94.163.135:139 tcp
US 174.141.241.49:139 tcp
JP 60.153.211.125:139 tcp
CN 113.87.40.241:139 tcp
DE 18.196.239.130:139 tcp
IT 80.182.26.28:139 tcp
CN 61.164.169.76:139 tcp
GB 80.168.49.142:139 tcp
US 35.16.12.20:139 tcp
US 158.10.148.172:139 tcp
US 204.89.81.153:139 tcp
N/A 10.127.175.159:139 tcp
N/A 10.127.175.159:445 tcp
US 9.165.96.113:445 tcp
JP 60.153.211.125:445 tcp
RU 2.63.2.65:445 tcp
CN 113.87.40.241:445 tcp
CN 61.164.169.76:445 tcp
US 192.169.204.184:445 tcp
US 203.102.11.74:445 tcp
US 165.138.131.72:445 tcp
DE 18.196.239.130:445 tcp
IT 80.182.26.28:445 tcp
US 26.141.181.220:445 tcp
US 204.89.81.153:445 tcp
US 199.28.189.82:445 tcp
DK 2.107.170.197:445 tcp
CN 110.182.145.215:445 tcp
US 33.218.224.223:445 tcp
RU 176.109.39.127:445 tcp
US 48.181.31.205:445 tcp
US 199.94.163.135:445 tcp
US 158.10.148.172:445 tcp
US 174.141.241.49:445 tcp
GB 80.168.49.142:445 tcp
CN 211.84.152.123:445 tcp
US 35.16.12.20:445 tcp
US 9.104.138.38:445 tcp
CN 123.76.3.252:445 tcp
CA 153.81.238.11:445 tcp
CH 213.55.188.15:445 tcp
TH 212.80.215.10:445 tcp
AT 129.27.9.247:6667 tcp
IR 82.99.239.99:139 tcp
US 99.193.196.247:139 tcp
US 107.50.77.144:139 tcp
PK 103.159.75.147:139 tcp
JP 118.153.25.150:139 tcp
JP 160.24.144.140:139 tcp
US 29.75.208.91:139 tcp
GB 84.92.57.236:139 tcp
DE 92.75.151.182:139 tcp
US 144.106.83.211:139 tcp
US 192.169.54.31:139 tcp
US 174.44.182.222:139 tcp
CN 36.102.144.75:139 tcp
CN 219.239.229.203:139 tcp
KR 49.163.211.5:139 tcp
SA 5.110.60.176:139 tcp
NL 185.242.166.104:139 tcp
BR 200.237.69.253:139 tcp
US 35.226.250.205:139 tcp
PL 83.150.237.22:139 tcp
FR 82.235.182.239:139 tcp
FR 86.202.103.236:139 tcp
US 198.209.28.86:139 tcp
US 40.242.188.215:139 tcp
US 54.176.255.246:139 tcp
US 29.195.151.209:139 tcp
IE 52.113.119.82:139 tcp
CN 58.16.106.197:139 tcp
GB 89.250.44.66:139 tcp
N/A 10.127.172.39:139 tcp
AT 129.27.9.247:6667 tcp
US 107.50.77.144:445 tcp
N/A 10.127.172.39:445 tcp
GB 84.92.57.236:445 tcp
KR 49.163.211.5:445 tcp
US 29.75.208.91:445 tcp
US 144.106.83.211:445 tcp
IR 82.99.239.99:445 tcp
US 99.193.196.247:445 tcp
PK 103.159.75.147:445 tcp
JP 118.153.25.150:445 tcp
US 174.44.182.222:445 tcp
CN 36.102.144.75:445 tcp
JP 160.24.144.140:445 tcp
DE 92.75.151.182:445 tcp
US 192.169.54.31:445 tcp
CN 219.239.229.203:445 tcp
US 29.195.151.209:445 tcp
FR 82.235.182.239:445 tcp
US 35.226.250.205:445 tcp
SA 5.110.60.176:445 tcp
BR 200.237.69.253:445 tcp
CN 58.16.106.197:445 tcp
US 54.176.255.246:445 tcp
PL 83.150.237.22:445 tcp
NL 185.242.166.104:445 tcp
US 198.209.28.86:445 tcp
IE 52.113.119.82:445 tcp
FR 86.202.103.236:445 tcp
US 40.242.188.215:445 tcp
GB 89.250.44.66:445 tcp
AT 129.27.9.247:6667 tcp
US 205.48.255.53:139 tcp
IE 217.112.157.228:139 tcp
US 9.126.166.102:139 tcp
JP 40.99.93.43:139 tcp
N/A 10.127.56.226:139 tcp
US 130.80.17.120:139 tcp
FR 88.143.25.1:139 tcp
IT 2.112.128.178:139 tcp
CN 182.104.235.32:139 tcp
US 70.120.78.189:139 tcp
DE 31.3.2.85:139 tcp
US 172.120.146.135:139 tcp
KR 180.133.187.156:139 tcp
US 192.169.169.39:139 tcp
KR 58.233.178.136:139 tcp
DE 217.49.26.130:139 tcp
PL 217.153.210.238:139 tcp
US 67.163.175.83:139 tcp
DK 77.33.187.167:139 tcp
US 4.96.106.140:139 tcp
US 19.252.92.52:139 tcp
US 4.198.189.164:139 tcp
US 26.66.99.196:139 tcp
US 71.228.154.66:139 tcp
SA 100.248.231.252:139 tcp
CN 121.8.88.122:139 tcp
LT 78.59.67.166:139 tcp
IN 43.231.252.15:139 tcp
IT 151.91.122.190:139 tcp
IN 182.65.101.86:139 tcp
IT 2.112.128.178:445 tcp
GB 161.17.162.70:139 tcp
AT 129.27.9.247:6667 tcp
N/A 10.127.56.226:445 tcp
CN 182.104.235.32:445 tcp
US 9.126.166.102:445 tcp
DE 217.49.26.130:445 tcp
KR 180.133.187.156:445 tcp
US 205.48.255.53:445 tcp
FR 88.143.25.1:445 tcp
JP 40.99.93.43:445 tcp
US 130.80.17.120:445 tcp
IE 217.112.157.228:445 tcp
PL 217.153.210.238:445 tcp
DK 77.33.187.167:445 tcp
US 67.163.175.83:445 tcp
US 19.252.92.52:445 tcp
KR 58.233.178.136:445 tcp
US 172.120.146.135:445 tcp
US 192.169.169.39:445 tcp
US 70.120.78.189:445 tcp
DE 31.3.2.85:445 tcp
US 4.198.189.164:445 tcp
US 4.96.106.140:445 tcp
LT 78.59.67.166:445 tcp
SA 100.248.231.252:445 tcp
CN 121.8.88.122:445 tcp
IT 151.91.122.190:445 tcp
US 71.228.154.66:445 tcp
US 26.66.99.196:445 tcp
IN 43.231.252.15:445 tcp
IN 182.65.101.86:445 tcp
GB 88.107.49.39:139 tcp
GB 161.17.162.70:445 tcp
US 40.138.213.198:139 tcp
US 72.36.4.71:139 tcp
N/A 10.127.121.212:139 tcp
US 96.38.247.167:139 tcp
LV 80.232.130.103:139 tcp
KR 106.248.43.173:139 tcp
US 98.104.94.188:139 tcp
US 98.87.219.115:139 tcp
NZ 58.28.85.191:139 tcp
CH 83.137.86.106:139 tcp
N/A 127.87.199.204:139 tcp
JP 121.115.108.92:139 tcp
JP 163.130.151.232:139 tcp
SG 4.193.75.93:139 tcp
US 160.212.216.136:139 tcp
US 134.232.146.229:139 tcp
US 55.129.7.154:139 tcp
JP 219.1.245.165:139 tcp
US 192.169.216.23:139 tcp
US 107.234.188.136:139 tcp
US 130.7.166.22:139 tcp
BO 161.56.227.225:139 tcp
EG 154.140.236.78:139 tcp
EG 105.41.140.79:139 tcp
JP 219.117.242.114:139 tcp
KR 203.191.134.205:139 tcp
CA 142.253.48.4:139 tcp
CA 142.230.14.159:139 tcp
N/A 127.87.199.204:445 tcp

Files

memory/2912-3-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2912-15-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-04 17:33

Reported: 2024-04-04 17:36

Platform: win10v2004-20240226-en

Max time kernel: 92s

Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPUPD = "C:\\Windows\\p3n8KIsYPo77v2.exe"
Process: C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\p3n8KIsYPo77v2.exe
Process: C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\p3n8KIsYPo77v2.exe
Process: C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2160

Network

Country Destination Domain Proto
AT 129.27.9.247:6667 tcp
US 171.153.101.181:139 tcp
US 192.169.14.220:139 tcp
US 99.173.160.130:139 tcp
MX 148.232.96.115:139 tcp
DE 164.24.34.124:139 tcp
US 40.242.69.65:139 tcp
MX 189.206.124.119:139 tcp
AR 179.40.139.93:139 tcp
US 69.69.23.135:139 tcp
GB 132.244.53.117:139 tcp
JP 14.128.90.90:139 tcp
GB 90.221.157.239:139 tcp
MX 187.185.155.100:139 tcp
US 207.181.5.106:139 tcp
US 7.149.23.240:139 tcp
TW 223.136.193.15:139 tcp
BR 177.3.156.128:139 tcp
CN 106.24.206.140:139 tcp
CN 111.160.4.22:139 tcp
US 47.134.35.24:139 tcp
ID 39.224.233.163:139 tcp
JP 122.221.73.121:139 tcp
US 7.120.162.92:139 tcp
US 161.11.73.95:139 tcp
US 50.73.157.174:139 tcp
US 28.80.15.162:139 tcp
KR 1.109.32.255:139 tcp
KR 116.42.33.36:139 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
N/A 127.228.20.40:139 tcp
N/A 10.127.37.229:139 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
N/A 127.228.20.40:445 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 40.20.228.127.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 17.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4472-3-0x0000000000400000-0x0000000000412000-memory.dmp