Malware Analysis Report

2025-03-14 23:13

Sample ID 240406-3nr2gaed51
Target e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118
SHA256 de5d4b75d28f82d4ae30f54af25b973a7afbf61046dcfb0efe9c3bfa6c6d89ee
Tags
persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

de5d4b75d28f82d4ae30f54af25b973a7afbf61046dcfb0efe9c3bfa6c6d89ee

Threat Level: Likely malicious

The file e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Adds policy Run key to start application

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The report body does not list the mapped techniques. Editorial mapping, not taken from the sandbox output: the persistence signature below (a value written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run) corresponds to T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, and the cmd.exe self-deletion to T1070.004, Indicator Removal: File Deletion.

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:39

Reported

2024-04-06 23:42

Platform

win7-20240215-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe = "ishost.exe" | C:\Windows\SysWOW64\ishost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Windows\SysWOW64\ishost.exe | N/A

This is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, the Group Policy counterpart of the ordinary Run key: Explorer processes it at logon just like Run, but it is missing from many autostart checklists, so include it when sweeping hosts for this sample. The write to HKLM (and to C:\Windows\SysWOW64 below) succeeded because the sandbox user, Admin, has administrative rights. The value data is a bare file name with no path; before treating the persistence as effective on a 64-bit host, verify that the 64-bit Explorer actually locates a binary that lives in SysWOW64 rather than in the 64-bit System32.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

The deleting process is the cmd.exe child listed under Processes, run as "cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E3900A~1.EXE > nul. The original sample is removed through its 8.3 short name, so a rule that only matches the long file name in a del command line will miss this sample.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ishost.exe N/A
N/A N/A C:\Windows\SysWOW64\ismon.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ishost.exe | C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ishost.exe | C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ismon.exe | C:\Windows\SysWOW64\ishost.exe | N/A
File created | C:\Windows\SysWOW64\components\flx0.dll | C:\Windows\SysWOW64\ishost.exe | N/A

The drop is two-stage: the sample writes ishost.exe, and ishost.exe in turn writes ismon.exe plus a DLL, flx0.dll, into a new components subdirectory. The files land in SysWOW64 because the sample is 32-bit and its writes to C:\Windows\system32 are redirected there by WoW64. The summary's "Loads dropped DLL" entry is not broken out in either run's signature tables; flx0.dll is the only dropped DLL recorded, and the Files section below gives hashes for the two executables only, so flx0.dll has no hash in this report.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description, Indicator and Target are N/A for all 64 recorded events; collapsed by process:

Process | Events
C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | 1
C:\Windows\SysWOW64\ishost.exe | 32
C:\Windows\SysWOW64\ismon.exe | 31

After the first few events the entries from ishost.exe and ismon.exe alternate for the rest of the run, which points to both dropped processes polling the process list repeatedly rather than enumerating it once at start-up.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Each writer/target pair is recorded four times; collapsed with counts:

Writer (PID) | Target (PID) | Writes
C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe (2824) | C:\Windows\SysWOW64\ishost.exe (2064) | 4
C:\Windows\SysWOW64\ishost.exe (2064) | C:\Windows\SysWOW64\ismon.exe (856) | 4
C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe (2824) | C:\Windows\SysWOW64\cmd.exe (2208) | 4

Every target is a process its writer has just started, and a short burst of writes from a parent into a newly created child is the normal footprint of CreateProcess setting the child up (which is why sandboxes raise this on almost every process launch). The rows therefore establish the parent/child chain (sample -> ishost.exe -> ismon.exe, and sample -> cmd.exe) but are not on their own evidence of code injection; a write into a process the writer did not create would be the case to escalate, and this run has none.
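
The table as printed repeats each writer/target pair four times and leaves the reader to reassemble the chain by eye. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses the twelve rows exactly as they appear above, collapses them into counted edges and renders the process tree starting from the PID nobody writes into. The row pattern `PID X wrote to memory of Y N/A <writer> <target>` is the only assumption, taken from the rows themselves.

```python
"""Rebuild the process tree from a sandbox 'wrote to memory of' table.
Added example; the rows are copied from the win7 run of this report and the
row pattern matched by ROW_RE is the only assumption."""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Copied verbatim from the report's win7 WriteProcessMemory table.
REPORT_ROWS = r"""
PID 2824 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\ishost.exe
PID 2824 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\ishost.exe
PID 2824 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\ishost.exe
PID 2824 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\ishost.exe
PID 2064 wrote to memory of 856 N/A C:\Windows\SysWOW64\ishost.exe C:\Windows\SysWOW64\ismon.exe
PID 2064 wrote to memory of 856 N/A C:\Windows\SysWOW64\ishost.exe C:\Windows\SysWOW64\ismon.exe
PID 2064 wrote to memory of 856 N/A C:\Windows\SysWOW64\ishost.exe C:\Windows\SysWOW64\ismon.exe
PID 2064 wrote to memory of 856 N/A C:\Windows\SysWOW64\ishost.exe C:\Windows\SysWOW64\ismon.exe
PID 2824 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
"""


def parse_rows(text):
    """Return (Counter{(writer_pid, target_pid): writes}, {pid: image path})."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writer, target, writer_img, target_img = m.groups()
        edges[(int(writer), int(target))] += 1
        images[int(writer)] = writer_img
        images[int(target)] = target_img
    return edges, images


def build_tree(edges):
    """Parent -> children (in first-seen order) and the roots (PIDs nobody wrote into)."""
    children = defaultdict(list)
    for writer, target in edges:
        if target not in children[writer]:
            children[writer].append(target)
    written_to = {target for _, target in edges}
    roots = sorted({writer for writer, _ in edges} - written_to)
    return children, roots


def render(edges, images):
    """Indented tree, one line per process, each child annotated with its write count."""
    children, roots = build_tree(edges)
    out = []

    def walk(pid, depth, note):
        out.append("    " * depth + f"{images[pid]} (PID {pid}){note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, f"  <- {edges[(pid, child)]} write(s) from PID {pid}")

    for root in roots:
        walk(root, 0, "")
    return out


if __name__ == "__main__":
    edges, images = parse_rows(REPORT_ROWS)
    print("\n".join(render(edges, images)))
```

The four writes into each freshly created child are what a normal CreateProcess leaves behind, so the tree is the useful output here; an edge whose target is not a child of the writer would be the one to investigate as injection.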

Processes

Tree inferred from the WriteProcessMemory parent/child pairs and the file-drop events. Each entry gives the image path on disk followed by the command line as recorded:

C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe (PID 2824)
    "C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe"
    +-- C:\Windows\SysWOW64\ishost.exe (PID 2064)
    |       C:\Windows\system32\ishost.exe
    |       +-- C:\Windows\SysWOW64\ismon.exe (PID 856)
    |               C:\Windows\system32\ismon.exe
    +-- C:\Windows\SysWOW64\cmd.exe (PID 2208)
            "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E3900A~1.EXE > nul

The system32 versus SysWOW64 difference is the WoW64 file system redirector: the 32-bit sample and its children refer to C:\Windows\system32, and Windows transparently maps those accesses to C:\Windows\SysWOW64, which is where the dropped files actually sit. The cmd.exe child deletes the original sample by its 8.3 short name (E3900A~1.EXE) with output discarded to nul.

Network

N/A

Files

\Windows\SysWOW64\ishost.exe

MD5 0de5ef77a47ede21eb5dab71c284ee6b
SHA1 ab2d7aa286d22c91763a4098e51bf60dfff71ba7
SHA256 ad6feedbffa791f225071c41ca5c11669037eec725eab684f6760c4992e2c2a6
SHA512 e6b5c23ea39e6917e7e8e7f102df01f1cd14469b58f910c9a7520bbb4854281c696416a96229927c83f462c95cf098868dc476a34d1d799e02d342b9836737da

\Windows\SysWOW64\ismon.exe

MD5 b3e58dc34e369aa7aa9ad9d028a61514
SHA1 2b820feec66cac8d238ace910fe3d003d20865a3
SHA256 56e281854b5aa366c5ada32c230288f5cd8b74b35b70980f553e2564b4e23733
SHA512 7e22dc5b0a0d372deaa62ea160b5a5b987083ccd9eefe5e57ea2d01d93f9154f7edaba16ad2124fc119ba7c9bb9da85e94b963563cc2ff056e63ce8c964e3bd1
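
The win7 run above exposes two host artefacts worth turning into endpoint detections: a value written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, and a cmd.exe child that deletes the original sample through its 8.3 short name (E3900A~1.EXE) with output sent to nul. The script below is an added example, not part of this report or of any sandbox's tooling: it runs two such rules over a handful of constructed Sysmon-style events (EventID 13 for a registry value set, EventID 1 for process creation) modelled on this run, with a benign Run key and an unrelated del as controls. The pipe-delimited event format, the field names and the 8.3-matching heuristic are assumptions of the example.

```python
"""Two endpoint detections modelled on this sample's win7 behaviour.
Added example: the pipe-delimited event format, the field names and the
sample events are constructed to resemble Sysmon output, not taken from
the report."""
import re
from typing import Optional

# Autostart locations processed like Run keys but absent from many checklists.
POLICY_RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)

# 'del', optional switches, then the first path argument (quoted or not).
DEL_RE = re.compile(r"\bdel\b\s+(?:/\w+\s+)*\"?([^\s\">]+)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """'EventID=13|Image=...|TargetObject=...' -> dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def short_name_matches(short: str, long_name: str) -> bool:
    """Heuristically match an 8.3 short name (E3900A~1.EXE) to a long file name.

    Windows derives the short name from the first six characters of the base
    name (spaces and extra dots removed, upper-cased), a ~N suffix, and the
    first three characters of the last extension. Only that prefix can be
    compared, so a sibling file sharing those six characters also matches:
    this is a triage heuristic, not a filesystem lookup.
    """
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?", short)
    if not m:  # not a tilde name: plain case-insensitive comparison
        return short.lower() == long_name.lower()
    base, _, ext = long_name.rpartition(".")
    if not base:  # no extension at all
        base, ext = ext, ""
    base = re.sub(r"[ .]", "", base).upper()
    return base.startswith(m.group(1).upper()) and ext[:3].upper() == (m.group(2) or "").upper()


def detect_policy_run_key(ev: dict) -> Optional[str]:
    """EventID 13 (registry value set) under a Policies\\Explorer\\Run key."""
    if ev.get("EventID") != "13":
        return None
    target = ev.get("TargetObject", "").lower()
    if any(key in target for key in POLICY_RUN_KEYS):
        return (f"autostart via policy Run key: {ev['TargetObject']} = "
                f"{ev.get('Details')} set by {ev.get('Image')}")
    return None


def detect_self_delete(ev: dict) -> Optional[str]:
    """EventID 1: cmd.exe spawned to delete its parent's own image, matched
    through the 8.3 short name the way this sample does it."""
    if ev.get("EventID") != "1":
        return None
    if not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    m = DEL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    del_dir, _, del_file = m.group(1).rpartition("\\")
    par_dir, _, par_file = ev.get("ParentImage", "").rpartition("\\")
    if del_dir.lower() == par_dir.lower() and short_name_matches(del_file, par_file):
        return f"self-deletion: {ev['ParentImage']} removed via: {ev['CommandLine']}"
    return None


def run_rules(lines) -> list:
    """Apply both rules to each event line; return the findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in (detect_policy_run_key, detect_self_delete):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events modelled on the win7 run, plus two benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    rf"EventID=1|Image=C:\Windows\SysWOW64\ishost.exe|CommandLine=C:\Windows\system32\ishost.exe|ParentImage={SAMPLE}",
    r"EventID=13|Image=C:\Windows\SysWOW64\ishost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe|Details=ishost.exe",
    rf'EventID=1|Image=C:\Windows\SysWOW64\cmd.exe|CommandLine="C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E3900A~1.EXE > nul|ParentImage={SAMPLE}',
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c del C:\Temp\build.log|ParentImage=C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it raises exactly two findings, the policy Run key and the self-deletion, and stays silent on the ordinary HKCU Run value and on a del whose target is not the parent's own image. The short-name matcher is deliberately a prefix heuristic: confirming which file E3900A~1.EXE really was requires the filesystem or a file-delete event with the long name.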

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:39

Reported

2024-04-06 23:42

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Windows\SysWOW64\ishost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe = "ishost.exe" | C:\Windows\SysWOW64\ishost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | N/A

HKCU\Control Panel\International\Geo\Nation holds the user's configured country as a GeoID, and reading it is the usual way a sample decides whether to run in a given region. The query was recorded only in this Windows 10 run, and the report does not show what the sample did with the value, so treat it as a region check worth noting rather than proof of a geo-gate.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ishost.exe N/A
N/A N/A C:\Windows\SysWOW64\ismon.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ishost.exe | C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ishost.exe | C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ismon.exe | C:\Windows\SysWOW64\ishost.exe | N/A
File created | C:\Windows\SysWOW64\components\flx0.dll | C:\Windows\SysWOW64\ishost.exe | N/A

Same two-stage drop as on Windows 7: the sample writes ishost.exe, which then writes ismon.exe and flx0.dll. No hash is recorded for flx0.dll in this report.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description, Indicator and Target are N/A for all 64 recorded events; collapsed by process:

Process | Events
C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe | 2
C:\Windows\SysWOW64\ishost.exe | 32
C:\Windows\SysWOW64\ismon.exe | 30

As on Windows 7, the entries from ishost.exe and ismon.exe alternate (here in pairs) for the rest of the run, consistent with both dropped processes polling the process list repeatedly.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe N/A

Processes

Same tree as the win7 run (no PIDs are recorded for this run); image path on disk followed by the command line as recorded:

C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3900aa788a06537e48ef75be8c7f09b_JaffaCakes118.exe"
    +-- C:\Windows\SysWOW64\ishost.exe
    |       C:\Windows\system32\ishost.exe
    |       +-- C:\Windows\SysWOW64\ismon.exe
    |               C:\Windows\system32\ismon.exe
    +-- C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E3900A~1.EXE > nul

The system32 paths in the command lines are redirected to SysWOW64 by WoW64 because the sample is 32-bit; the cmd.exe child again deletes the original sample by its 8.3 short name.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 72.246.173.187:80 | www.microsoft.com | tcp
NL | 72.246.173.187:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.173.246.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

All DNS goes to 8.8.8.8. The in-addr.arpa names are reverse (PTR) lookups; the only forward lookup is www.microsoft.com, followed by two TCP connections to 72.246.173.187:80, whose own PTR lookup (187.173.246.72.in-addr.arpa) is also in the list. The table does not attribute traffic to a process, and this mix of PTR lookups plus an HTTP connection to www.microsoft.com is the usual Windows 10 background traffic; nothing attributable to the sample or its dropped executables was recorded in the 121 s network window, and the win7 run recorded no traffic at all. Treat command-and-control as unobserved rather than absent.
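
The rows above are easier to judge once the PTR names are turned back into the addresses they ask about. The following is an added example, not from this report or the sandbox: it parses the win10 network table exactly as listed, reverses each in-addr.arpa name into an IPv4 address, separates PTR lookups from forward lookups and TCP connections, and reports which looked-up addresses were then actually connected to. The `Country Destination Domain Proto` column layout is the only assumption, taken from the table itself.

```python
"""Decode a sandbox network table: reverse in-addr.arpa PTR names back into
the addresses they ask about and relate them to the observed connections.
Added example; the rows are copied from the win10 run of this report."""
import ipaddress
from collections import Counter

# Copied verbatim from the report's win10 Network table.
REPORT_NET = """\
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:80 www.microsoft.com tcp
NL 72.246.173.187:80 www.microsoft.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'187.173.246.72.in-addr.arpa' -> '72.246.173.187'; None if not a host PTR."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None  # zone-level or partial reverse name, not a single host
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarise(table):
    """Split the table into PTR lookups, forward lookups and connections."""
    ptr_lookups = {}          # resolved IPv4 -> PTR name that asked about it
    forward = Counter()       # forward DNS name -> query count
    connections = Counter()   # (host, port, domain) -> connection count
    for line in table.strip().splitlines():
        _country, dest, domain, proto = line.split()
        host, _, port = dest.rpartition(":")
        if port == "53" and proto == "udp":
            ip = ptr_to_ip(domain)
            if ip:
                ptr_lookups[ip] = domain
            else:
                forward[domain] += 1
        else:
            connections[(host, port, domain)] += 1
    connected_hosts = {host for host, _, _ in connections}
    return {
        "ptr": ptr_lookups,
        "forward": dict(forward),
        "connections": dict(connections),
        # PTR subjects that something in the capture then connected to
        "ptr_then_connected": set(ptr_lookups) & connected_hosts,
        # PTR subjects nothing in the capture ever talked to
        "ptr_only": set(ptr_lookups) - connected_hosts,
    }


if __name__ == "__main__":
    s = summarise(REPORT_NET)
    for ip, name in s["ptr"].items():
        tag = "connected" if ip in s["ptr_then_connected"] else "lookup only"
        print(f"PTR {name:<32} -> {ip:<16} {tag}")
    print("forward lookups:", s["forward"])
    print("connections:", s["connections"])
```

Running it shows eleven PTR lookups, one forward lookup for www.microsoft.com and two connections to 72.246.173.187:80; that address is also the subject of one of the PTR queries, and none of the other ten resolved addresses was connected to within the capture, which is the shape of Windows' own background lookups rather than of a sample reaching out.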

Files

Both dropped executables carry exactly the same MD5/SHA1/SHA256/SHA512 as in the win7 run, so they are embedded payloads written out unchanged rather than generated per host, and the hashes are usable as indicators across both platforms. No hash is recorded for flx0.dll.

C:\Windows\SysWOW64\ishost.exe

MD5 0de5ef77a47ede21eb5dab71c284ee6b
SHA1 ab2d7aa286d22c91763a4098e51bf60dfff71ba7
SHA256 ad6feedbffa791f225071c41ca5c11669037eec725eab684f6760c4992e2c2a6
SHA512 e6b5c23ea39e6917e7e8e7f102df01f1cd14469b58f910c9a7520bbb4854281c696416a96229927c83f462c95cf098868dc476a34d1d799e02d342b9836737da

C:\Windows\SysWOW64\ismon.exe

MD5 b3e58dc34e369aa7aa9ad9d028a61514
SHA1 2b820feec66cac8d238ace910fe3d003d20865a3
SHA256 56e281854b5aa366c5ada32c230288f5cd8b74b35b70980f553e2564b4e23733
SHA512 7e22dc5b0a0d372deaa62ea160b5a5b987083ccd9eefe5e57ea2d01d93f9154f7edaba16ad2124fc119ba7c9bb9da85e94b963563cc2ff056e63ce8c964e3bd1