Malware Analysis Report

2025-03-14 23:13

Sample ID 240406-3pnqfafb59
Target e390fd44e792bb4c79854e865835618f_JaffaCakes118
SHA256 1d3e4230cdef8bec5ac180f26769dabc26c1f9c5843f43d964a3bf9095bb2a62
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10

SHA256: 1d3e4230cdef8bec5ac180f26769dabc26c1f9c5843f43d964a3bf9095bb2a62

Threat Level: Shows suspicious behavior

The file e390fd44e792bb4c79854e865835618f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 23:41
Reported: 2024-04-06 23:44
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"

Signatures

Adds Run key to start application (persistence)

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Inc = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1524 wrote to memory of 2740 (9 identical events logged)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
Target: C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"

Network

N/A

Files

memory/2740-2-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe (hashes match the submitted sample; the dropped file is a copy of it)
MD5: e390fd44e792bb4c79854e865835618f
SHA1: 91a44a852ebf8862633f296172facd19d1f4a126
SHA256: 1d3e4230cdef8bec5ac180f26769dabc26c1f9c5843f43d964a3bf9095bb2a62
SHA512: 9b1a71dd30a5e178705c4d8f2a8f0c00ae2e948c606bcc3dbda0c6b95315036e3662346720ab04a1d6c33e8f5b2d400603c1b9d43e5380a2600aa7f6e0e8115a

memory/2740-219-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 23:41
Reported: 2024-04-06 23:44
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 220

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A