Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-v7fhsadg5y
Target be84124151ed648b1b236e244142a92f_JaffaCakes118
SHA256 d79fac50d787b497de862322274d0541eb3095ec92fb66ae683ccd5360246869
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

d79fac50d787b497de862322274d0541eb3095ec92fb66ae683ccd5360246869

Threat Level: Shows suspicious behavior

The file be84124151ed648b1b236e244142a92f_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:37

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:37

Reported

2024-04-04 17:40

Platform

win7-20240221-en

Max time kernel

160s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"

Signatures

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Adds Run key to start application

Tags: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 htl5656556.u1.luyouxia.net udp
CN 123.99.198.201:53071 htl5656556.u1.luyouxia.net tcp

Files

memory/2984-0-0x0000000000400000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 15287e4b78ab920ea0081591f8106615
SHA1 a1628bd63201e179f636af77f3d58c9a1a4a97e2
SHA256 c4ea5abf1d82828f77819dfa7dc9b728206518cecc387f279b10bef2f4e10c3f
SHA512 6211fdb6eeb7dbd342e44f40ebfd73b415574ae76354d498887b44473c55b07656feb5709cee320a8a5f22f62931f4518136000e12065e0958d6eb46dae4f1a7

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 f42eb169ae6fc4797d2bd10b409a4686
SHA1 7d4282523a4d1ec1ea02c0dc13124cb60bff2d9a
SHA256 5ec91e54b1beb2161a81c58e89ff56a90ff497b3efefa4d99cf930637bbd569a
SHA512 1ebfb4dd11371dc9e3affb731fe6ea51affa096c1a12c163555e5b18c32cf6ca545258c1a66d8421e6e44a066f541ec04fc6da85c3d9918945eb5a71e8b3fb95

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 2004bcee923b0e0222f4cab87c2c2a3d
SHA1 0a3c122b7cfe403403d913ecc1b328480b1bfc2a
SHA256 f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77
SHA512 cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:37

Reported

2024-04-04 17:40

Platform

win10v2004-20240226-en

Max time kernel

101s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Adds Run key to start application

Tags: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network


Files

memory/4088-0-0x0000000000400000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 d01768dfd2f1658ea9f05dc0e739018f
SHA1 6d999e9efa3dad8c8ddeb24c2a7d1d2437225dec
SHA256 c742b4c5c26ff2d763ff735edbfb53899ce7ade94e5c83b9f3f629e970d40e2f
SHA512 63630af5c55943464bb9cb2138089d30e35f7f5d21b3c50f79e40a754b663680d9c6c4d8cdf03b38063e8be2fcc63958597fd583d0c49c16842cc0f7e949ca01

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 d71a76ba49f7d1f5fc3f3bd24522682a
SHA1 f53cf6b177fe1387f13b97390f2dbcf4fd485913
SHA256 c944e6564aef76c670b4a8800b3a8738e6de6d75828a995ab9b060bbdcaba0ae
SHA512 5beb584aa143fe4f3a241eba4adba7efd5c45023aaa13322514045cdcbcf0d08d978c9eb4f4064acb1994018181a3eb655fb7dcbbec9c6e42215e74b43b36d81

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 2004bcee923b0e0222f4cab87c2c2a3d
SHA1 0a3c122b7cfe403403d913ecc1b328480b1bfc2a
SHA256 f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77
SHA512 cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445