Malware Analysis Report

2025-03-14 22:55

Sample ID 240406-1mfkyacf26
Target e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118
SHA256 77ceb258ca4fd30374e6d1d346a065a63ac04d0d6f6323a105faa7b1bdb0ef35
Tags: persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

77ceb258ca4fd30374e6d1d346a065a63ac04d0d6f6323a105faa7b1bdb0ef35

Threat Level: Likely malicious

The file e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets service image path in registry

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:45

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:45

Reported

2024-04-06 21:46

Platform

win7-20240319-en

Max time kernel

0s

Max time network

3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:45

Reported

2024-04-06 21:48

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe"

Signatures

Sets service image path in registry

Tag: persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3D868FA5\ImagePath = "C:\\Windows\\system32\\3571E338.EXE -3D868FA5" | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\3571E338.EXE | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\3571E338.EXE | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| File created | C:\Windows\SysWOW64\623A60D4.DLL | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| File created | C:\Windows\SysWOW64\delme.bat | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\3571E338.EXE | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\3571E338.EXE | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe"

C:\Windows\SysWOW64\3571E338.EXE

C:\Windows\SysWOW64\3571E338.EXE -3D868FA5

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |

Files

memory/432-0-0x0000000000400000-0x000000000041F000-memory.dmp

memory/432-1-0x00FFFFFF00FFFFFF-0x00FFFFFF00FFFFFF-memory.dmp

C:\Windows\SysWOW64\3571E338.EXE

MD5 e35a7c9fff095108c27de9e0db1c454f
SHA1 14c1ab6dff52a583127ba1cafedb1bae83e17d91
SHA256 77ceb258ca4fd30374e6d1d346a065a63ac04d0d6f6323a105faa7b1bdb0ef35
SHA512 45eb01f6a90d7ab2a55d0e1a8f8e64f726077593c93fb4a1513c421dbe7807a65af71e013968b547fcf9d043447c3cda7c59348618b3768974ea90b3d9e330c3

memory/3476-5-0x0000000000640000-0x0000000000641000-memory.dmp

memory/432-9-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\delme.bat

MD5 10f060666308e01b195c30253af310d6
SHA1 687f42899fe3db79a85943990b8ee394c9484dc3
SHA256 06c8c49d1c1f3a61bb651cf5106a441c68d45b58030375d34ec1c5fd2918f7f1
SHA512 d775ddcfde741843e558978dcb42cbe906ee8cbbd44fff4088582af05d7028259dac540b1f1376685032a33cc1cc8ceab6495face9c9fe9f83d955a5552c40bd

memory/3476-11-0x0000000000400000-0x000000000041F000-memory.dmp