Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-3tw8daee7t
Target e394284adfbc95aed336da98aea23e62_JaffaCakes118
SHA256 89296ba26d520dcdde5ea22371e993475a70b169e0c0b8a57d07ca1284ac9e09
Tags
persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

89296ba26d520dcdde5ea22371e993475a70b169e0c0b8a57d07ca1284ac9e09

Threat Level: Shows suspicious behavior

The file e394284adfbc95aed336da98aea23e62_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence upx

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:48

Reported

2024-04-06 23:51

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 88

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe

MD5 c520101dc2e4777de8519da439fc6cee
SHA1 4acfdebf0021a30af83e571d0e3788d1ea8f3def
SHA256 c3a5b63771c9cc8a4c747a9b7b47bf3e7bd80b692b41c6a1f820e79437213d55
SHA512 9fe6a7c5434e178863a0bf9bbd0355e610bf6a84d6b62d14da1d8fa83cf276bb742fe210c3f3f23ef23d08bfe8c10de8f72a374d1260af76f5726fc1d4b830d3

memory/1888-10-0x0000000000180000-0x0000000000192000-memory.dmp

memory/1888-12-0x0000000000180000-0x0000000000192000-memory.dmp

memory/3040-13-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3040-14-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:48

Reported

2024-04-06 23:51

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

144s

Command Line

winlogon.exe

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(8 identical rows; the sandbox recorded no indicator, process or target for any of the UPX matches)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\rqRJDtTm.dll,#1" C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pmnnLBqp.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A
File created C:\Windows\SysWOW64\pmnnLBqp.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A
File created C:\Windows\SysWOW64\rqRJDtTm.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A
File opened for modification C:\Windows\SysWOW64\rqRJDtTm.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4} C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32\ = "C:\\Windows\\SysWow64\\rqRJDtTm.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\rundll32.exe N/A
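The two registry tables above ("Adds Run key to start application" and "Modifies registry class") are not of equal weight. The IXP000.TMP directory and the RunOnce\wextract_cleanup0 value are written by wextract.exe, the stub of a Windows IExpress self-extracting package, which uses advpack.dll's DelNodeRunDLL32 to delete its extraction directory at the next logon; that entry is packaging residue, not the payload's persistence. The payload's own load points are Run\MSServer and the CLSID InprocServer32 registration, both of which name the dropped rqRJDtTm.dll (the Run value says system32, the file was created in SysWOW64; for a 32-bit rundll32.exe under WOW64 those are the same directory after file system redirection). The following script is an added example, not part of the original report or of the sandbox's own code: it parses the report rows copied above (the only input; nothing else is constructed), separates the IExpress cleanup entry from the real autostart, and correlates the Run key with the COM registration by DLL basename. The ATT&CK technique IDs in the code are my mapping; the report's own MITRE section is empty.

```python
import ntpath
import re
from dataclasses import dataclass

# Registry rows copied from the behavioral2 "Adds Run key to start application" and
# "Modifies registry class" tables of this report (sandbox output, not invented).
# Row layout: <action> <registry path> [= "<data>"] <process> <target>
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\rqRJDtTm.dll,#1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4} C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32\ = "C:\\Windows\\SysWow64\\rqRJDtTm.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85DD4E0D-2B01-4D4D-9E66-3A165AB6EDA4}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\rundll32.exe N/A
"""

ROW_RE = re.compile(
    r'^(?P<action>Set value \(\w+\)|Key created|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$')
AUTOSTART_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$', re.I)
INPROC_RE = re.compile(r'\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32$', re.I)
# rundll32 <dll>,<entry>; the DLL may be quoted (then it may contain spaces) or bare.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^,\s]+)(?:,(?P<entry>\S+))?', re.I)


def parse_rundll32(cmd):
    """Return (dll path, entry point or None) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmd)
    return (m['dll'].strip('"'), m['entry']) if m else None


def normalize_key(path):
    """Map the kernel-style \\REGISTRY\\MACHINE prefix to the usual HKLM/HKU spelling."""
    for prefix, hive in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def unescape(data):
    """The report doubles backslashes and escapes quotes inside the value data."""
    return re.sub(r'\\(.)', r'\1', data)


@dataclass
class Finding:
    severity: str   # info / medium / high
    technique: str  # ATT&CK id or short label (my mapping, not the report's)
    key: str
    value: str
    data: str
    process: str
    note: str


def triage(rows):
    findings, run_dlls, com_dlls = [], {}, {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        path, proc = normalize_key(m['path']), m['process']
        data = unescape(m['data']) if m['data'] is not None else ''
        is_value = m['action'].startswith('Set value')
        if is_value:
            key, _, value = path.rpartition('\\')   # trailing '\' means the (Default) value
        else:
            key, value = path, ''
        if is_value and AUTOSTART_RE.search(key):
            cmd = parse_rundll32(data)
            if (value.lower().startswith('wextract_cleanup') and cmd
                    and ntpath.basename(cmd[0]).lower() == 'advpack.dll'
                    and (cmd[1] or '').lower() == 'delnoderundll32'):
                findings.append(Finding('info', 'IExpress cleanup', key, value, data, proc,
                    'RunOnce entry written by the wextract/IExpress self-extractor to delete '
                    'IXP000.TMP at next logon; packaging residue, not the payload persistence'))
            elif cmd:
                dll = ntpath.basename(cmd[0]).lower()
                run_dlls[dll] = key + '\\' + value
                findings.append(Finding('high', 'T1547.001 via T1218.011', key, value, data, proc,
                    f'autostart runs rundll32 on {dll}, entry {cmd[1]}; written by {ntpath.basename(proc)}'))
            else:
                findings.append(Finding('medium', 'T1547.001', key, value, data, proc, 'autostart entry'))
        elif is_value and value == '' and INPROC_RE.search(key):
            dll = ntpath.basename(data).lower()
            com_dlls[dll] = key
            findings.append(Finding('medium', 'COM InprocServer32 registration', key, '(Default)', data, proc,
                f'new in-process COM server {dll} registered by {ntpath.basename(proc)}'))
    # Same DLL behind the Run key and the COM server: two load points for one dropped file.
    for dll in run_dlls.keys() & com_dlls.keys():
        findings.append(Finding('high', 'correlation', com_dlls[dll], '(Default)', dll, '',
            f'{dll} is both the Run-key payload and a registered COM server'))
    return findings


if __name__ == '__main__':
    for f in triage(REPORT_ROWS):
        print(f.severity, f.technique, f.key + '\\' + f.value, '->', f.note)
```

Two details of the report are worth keeping in mind when reading the output. The Run\MSServer value is written by rundll32.exe, i.e. by the dropped DLL once it is already running, not by the dropper; and the Processes section shows the first launch as `rundll32.exe C:\Windows\system32\rqRJDtTm.dll,a` while the autostart uses ordinal `#1`, so a detection keyed on the export name alone would miss the reboot path.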

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A
(2 identical rows)
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
(62 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe
PID 1228 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe
PID 1228 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe
PID 3596 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\system32\winlogon.exe
PID 3596 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe
PID 1228 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe
PID 1228 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\system32\rqRJDtTm.dll,a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
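The WriteProcessMemory table and the Processes list above together give the execution chain, but the table repeats most pairs three times and lists one pair only once. The following script is an added example, not part of the original report or the sandbox's own tooling: it rebuilds the process tree from the rows copied above (the only input) and separates the two cases. The grouping rule is a heuristic drawn from how these reports look, not a documented sandbox rule: a child the writer created itself appears as a run of three writes from its parent, whereas the single write from is161237.exe (PID 3596) into winlogon.exe (PID 628) has no matching creation run, and winlogon.exe is listed in Processes as an already-running process rather than as something the sample started. That lone write, from the same PID that the AdjustPrivilegeToken table shows acquiring SeDebugPrivilege, is the injection a responder should chase first.

```python
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table of this report
# (sandbox output, not invented). Row layout:
#   PID <writer> wrote to memory of <target> N/A <writer image> <target image>
WPM_ROWS = r"""
PID 1228 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe
PID 1228 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe
PID 1228 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe
PID 3596 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\system32\winlogon.exe
PID 3596 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe
PID 1228 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe
PID 1228 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e394284adfbc95aed336da98aea23e62_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe
"""

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$')

# Heuristic, not a documented sandbox rule: a child the writer created shows up as a run of
# three writes (the parent populating the new process before it starts); a lone write into
# a process the sample did not create is the injection signal.
CREATE_WRITES = 3


@dataclass
class ProcessTree:
    image: dict = field(default_factory=dict)                          # pid -> image path
    children: dict = field(default_factory=lambda: defaultdict(list))  # parent pid -> [child pids]
    injections: list = field(default_factory=list)                     # (writer pid, target pid)


def build_tree(rows):
    counts, order, tree = Counter(), [], ProcessTree()
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target = int(m[1]), int(m[2])
        tree.image[writer], tree.image[target] = m[3], m[4]
        if (writer, target) not in counts:
            order.append((writer, target))
        counts[(writer, target)] += 1
    for writer, target in order:
        if counts[(writer, target)] >= CREATE_WRITES:
            tree.children[writer].append(target)
        else:
            tree.injections.append((writer, target))
    return tree


def is_system_binary(path):
    return path.lower().startswith('c:\\windows\\')


def assess(tree):
    """One line per thing to chase: high when a non-system binary writes into a pre-existing
    process under C:\\Windows, medium when it spawns a system binary (rundll32, cmd)."""
    notes = []
    for writer, target in tree.injections:
        sev = 'high' if is_system_binary(tree.image[target]) else 'medium'
        notes.append(f'{sev}: {ntpath.basename(tree.image[writer])} ({writer}) wrote into '
                     f'{ntpath.basename(tree.image[target])} ({target}), a process it did not create')
    for parent, kids in tree.children.items():
        for kid in kids:
            if is_system_binary(tree.image[kid]) and not is_system_binary(tree.image[parent]):
                notes.append(f'medium: {ntpath.basename(tree.image[parent])} ({parent}) spawned '
                             f'system binary {ntpath.basename(tree.image[kid])} ({kid})')
    return notes


def render(tree):
    """Indented tree from the roots (pids that are nobody's child and no injection target)."""
    targets = {t for kids in tree.children.values() for t in kids} | {t for _, t in tree.injections}

    def node(pid, depth):
        lines = ['  ' * depth + f'{pid} {ntpath.basename(tree.image[pid])}']
        for kid in tree.children.get(pid, []):
            lines += node(kid, depth + 1)
        for writer, target in tree.injections:
            if writer == pid:
                lines.append('  ' * (depth + 1) + f'-> injects into {target} '
                             f'{ntpath.basename(tree.image[target])} (not spawned by the sample)')
        return lines

    roots = [pid for pid in tree.image if pid not in targets]
    return '\n'.join(line for root in roots for line in node(root, 0))


if __name__ == '__main__':
    tree = build_tree(WPM_ROWS)
    print(render(tree))
    print(*assess(tree), sep='\n')
```

The rendered tree puts the dropper (1228) at the root with is161237.exe and Activation.exe as its children, rundll32.exe and cmd.exe under is161237.exe, and the winlogon.exe write shown as an injection rather than a child. The cmd.exe child is the self-delete step (removalfile.bat run against is161237.exe, per the Processes list), so the on-disk artefacts to collect are the two SysWOW64 DLLs and the batch file rather than the original dropped EXE.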

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 - tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is161237.exe

MD5 c520101dc2e4777de8519da439fc6cee
SHA1 4acfdebf0021a30af83e571d0e3788d1ea8f3def
SHA256 c3a5b63771c9cc8a4c747a9b7b47bf3e7bd80b692b41c6a1f820e79437213d55
SHA512 9fe6a7c5434e178863a0bf9bbd0355e610bf6a84d6b62d14da1d8fa83cf276bb742fe210c3f3f23ef23d08bfe8c10de8f72a374d1260af76f5726fc1d4b830d3

memory/3596-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3596-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3596-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3596-10-0x0000000000460000-0x000000000046B000-memory.dmp

memory/3596-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3596-17-0x0000000010000000-0x0000000010014000-memory.dmp

C:\Windows\SysWOW64\pmnnLBqp.dll

MD5 ab1f7bbde48b6c98e4a0c7f1897147be
SHA1 19dd135ba9f6f78b565aeab21b77649dcd0c61e0
SHA256 0eddc8eca7f935d1660005b0f4ed1647643e5f55b52859257d63d56cf1faa031
SHA512 58aa942c647bb9fd60bfa6952cab84f1d4c1210d7d29d780264ed6ae09899ac7d73cbaf0ea3f23054ef371af5e4c4a581591ee1b5305d0e7aa7e7380974e48d1

memory/3596-18-0x0000000010000000-0x0000000010014000-memory.dmp

memory/3596-20-0x0000000002A70000-0x0000000002A76000-memory.dmp

memory/3596-22-0x0000000010000000-0x0000000010014000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Activation.exe

MD5 24ae36c410b275396a27bef346547512
SHA1 302461ae519dbb0c1fb8cbd6fa62ad6eab44cb24
SHA256 3b1b966992f63b381b50cc4986d55ef159f35d21b8f74ec433f71304ccd7b2ab
SHA512 5689a511d44c2012cf2b816051e6ab6540c7c435e0285724ecaee4ff07fb34ad2da42417689e29c678ecbbf4fe1aceb096e49822ad302b47a86b2d55264f5cdb

memory/4980-40-0x0000000010000000-0x0000000010014000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\removalfile.bat

MD5 9a7ef09167a6f4433681b94351509043
SHA1 259b1375ed8e84943ca1d42646bb416325c89e12
SHA256 d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
SHA512 96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

memory/4980-42-0x0000000010000000-0x0000000010014000-memory.dmp

memory/1892-43-0x0000000000400000-0x0000000000438000-memory.dmp