Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1g27rabf8v
Target e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118
SHA256 a50416305aa0ad6199e59280817d63f378c351080affc7fad7fdefd693cfc484
Tags

discovery persistence spyware stealer upx

Score

7/10

Analysis Overview

Score

7/10

SHA256

a50416305aa0ad6199e59280817d63f378c351080affc7fad7fdefd693cfc484

Threat Level: Shows suspicious behavior

The file e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer upx

UPX packed file

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Program crash

Unsigned PE

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:38

Reported

2024-04-06 21:40

Platform

win7-20240221-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe"

Signatures

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AmdAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49194 tcp
KR 218.152.233.35:80 tcp
KR 112.186.139.9:80 tcp
N/A 127.0.0.1:49197 tcp
US 65.60.228.36:80 tcp
N/A 127.0.0.1:49201 tcp
N/A 127.0.0.1:49206 tcp
IN 27.4.153.0:80 tcp
N/A 127.0.0.1:49211 tcp
US 71.195.179.115:80 tcp
N/A 127.0.0.1:49214 tcp
IN 14.140.54.214:80 tcp
IN 117.224.103.46:80 tcp
N/A 127.0.0.1:49218 tcp
N/A 127.0.0.1:49222 tcp
KR 112.214.30.183:80 tcp
N/A 127.0.0.1:49226 tcp
HK 180.215.149.33:80 tcp
N/A 127.0.0.1:49230 tcp
KR 218.148.117.50:80 tcp
KR 119.201.161.13:80 tcp
N/A 127.0.0.1:49234 tcp
N/A 127.0.0.1:49239 tcp
KR 175.206.2.33:80 tcp
N/A 127.0.0.1:49242 tcp
US 76.108.4.23:80 tcp
N/A 127.0.0.1:49246 tcp
KZ 95.57.73.56:80 tcp
N/A 127.0.0.1:49250 tcp
US 71.72.200.32:80 tcp

Files

memory/1396-0-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1396-1-0x0000000000350000-0x0000000000351000-memory.dmp

memory/1396-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1396-3-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1396-4-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1396-5-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1396-6-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1396-8-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:38

Reported

2024-04-06 21:40

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 376

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp

Files

N/A