Malware Analysis Report

2025-03-14 22:57

Sample ID: 240406-11mw6scd5y
Target: e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118
SHA256: e56c660f542100cf8a7caf01d8abf448d082dc8bce81e1b336f8340925d7142d
Tags: persistence
Score: 6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Unsigned PE

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 22:07

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 22:07
Reported: 2024-04-06 22:09
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\484a41515f4b490b405d40 = "C:\\Users\\Admin\\tznl.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe"

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 22:07
Reported: 2024-04-06 22:09
Platform: win10v2004-20240226-en
Max time kernel: 91s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebe9e2f2fce8eaa8e3fee3 = "C:\\Users\\Admin\\tznl.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3648150c6ab7b8de41d24f1a52f0186_JaffaCakes118.exe"

Network


Files

N/A