Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-wbz3zsee67
Target beb0eae669952040b5a11956f9576b25_JaffaCakes118
SHA256 2b7c38975c3299b22a69f71f762352fdd87a707dd38cb3b71f914b63e3ddbd2e
Tags persistence
Score 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 6/10

SHA256

2b7c38975c3299b22a69f71f762352fdd87a707dd38cb3b71f914b63e3ddbd2e

Threat Level: Shows suspicious behavior

The file beb0eae669952040b5a11956f9576b25_JaffaCakes118 was found to show suspicious behavior (persistence via a Run key, a dropped executable under Program Files, and host and network reconnaissance written to a log file).

Malicious Activity Summary

persistence

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Gathers network information

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:45

Reported

2024-04-04 17:48

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2832 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2832 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2832 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2832 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2832 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2832 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2832 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2832 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2832 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2832 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2832 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2544 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2544 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2544 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2544 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2832 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE
PID 2832 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE
PID 2832 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE
PID 2832 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log

C:\Windows\SysWOW64\cmd.exe

cmd /c set

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\net.exe

net start

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -an

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kvic.jp udp

Files

\??\c:\windows\temp\flash.log

MD5 c9d9c5a73b656399aa503a73299cb29f
SHA1 c7ee412aef37cfa0404d361c5db658aa9af2f845
SHA256 3ba943c3c52226ad438b9ff37432999f4bf8b6576ce275a152fdae70dce2d58d
SHA512 3ea6aebe50c5fb1aec9cd58edc93875a795d6214c3fc909609c9274ae60e170051a1928e23b6ffc568e7914996e56b887578bf87aa2f2b1974b7f6b06f78c894

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:45

Reported

2024-04-04 17:48

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4684 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4684 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4684 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4684 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4684 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4684 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4684 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4684 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 832 wrote to memory of 4532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 832 wrote to memory of 4532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 832 wrote to memory of 4532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4684 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE
PID 4684 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE
PID 4684 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NETSTAT.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log

C:\Windows\SysWOW64\cmd.exe

cmd /c set

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\net.exe

net start

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -an

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kvic.jp udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

\??\c:\windows\temp\flash.log

MD5 e79627a414d1481a41d879818f21f614
SHA1 1cf27c0cc450e4119bf67ee987a33e282a05ea02
SHA256 0e03e2ba52fd91d0a82338cf60f80fcfa4c7cac69043105d5db9b587caf1c520
SHA512 4d6d4839925b5c76a2ae5a9b78905ab8e556d20b976e952a097c7f3f6dba6e36a69b0940b20a69db09cb71a33a65b04801d493f26caa0598d9cce01ffb62cc17