Malware Analysis Report

2025-03-14 22:58

Sample ID 240406-3tyq7see7v
Target e394354114d360b558ede282d84ecbbe_JaffaCakes118
SHA256 4f42c697b6fe86325449f9a9f7b6c12595d5cb99d77252276205b82d886ea8c5
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4f42c697b6fe86325449f9a9f7b6c12595d5cb99d77252276205b82d886ea8c5

Threat Level: Shows suspicious behavior

The file e394354114d360b558ede282d84ecbbe_JaffaCakes118 is an unsigned 64-bit PE that, on the Windows 10 run, registers itself as an out-of-process COM server under HKLM\SOFTWARE\Classes: CLSID {C41B1461-3F8C-4666-B512-6DF24DE566D1} (ProgID IntelCpHeciSvc.CphsSession), AppID {11AC3232-E7D7-49CD-ABFE-501700100B3A} and type library {66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}. The LocalServer32 value names the file's own copy in the user's Temp directory, which is what the "autorun" signature refers to: activation of that CLSID (not a boot-time Run entry, service or scheduled task) is what would launch the file again. Note the AppID also sets LocalService = "cphs", the value used when a COM server is implemented as a Windows service; no service installation is recorded, so activation on this host depends on that value rather than only on LocalServer32. The key set and names (IntelCpHeciSvc, CphsSession, IntelCpHeciSvcLib, service name cphs) match a standard COM self-registration of a component named like Intel's Content Protection HECI Service (IntelCpHeciSvc.exe); the report does not establish whether the sample is that component, a modified build or an impersonator. No files were dropped on either run, the Windows 7 run triggered no signatures, and the only network activity recorded is a set of reverse DNS lookups to 8.8.8.8 with no process attribution.

Malicious Activity Summary

persistence

Registers COM server for autorun

Unsigned PE

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:49

Signatures

Unsigned PE (the executable carries no Authenticode signature)

Description Indicator Process Target
N/A N/A N/A N/A (no further detail recorded for this static signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:48

Reported

2024-04-06 23:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"

Signatures

N/A (no behavioral signatures fired on the Windows 7 run; the COM registration was observed only on Windows 10 in behavioral2)

Processes

C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:48

Reported

2024-04-06 23:51

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe\"" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
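The persistence indicator above is the LocalServer32 (Default) value pointing at the sample's own copy in Temp. The Python below is an added example, not part of the sandbox report: it takes (key, value name, data) triples copied from the behavioral2 tables, plus one constructed benign registration as a control, and flags every COM server or type-library registration whose module lives in a directory a standard user can write to. The list of user-writable prefixes is an assumed policy, not something the report states. The same check run over registry-write telemetry from an EDR would surface this sample without relying on the sandbox's signature.

```python
import re
from typing import NamedTuple


class RegWrite(NamedTuple):
    key: str
    name: str   # "" is the key's (Default) value, shown as a trailing "\" in the report
    data: str


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"

# Writes copied from the behavioral2 tables (string data shown un-escaped), plus one
# constructed benign registration as a control; the control is not from the report.
OBSERVED_WRITES = [
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32",
             "", f'"{SAMPLE_EXE}"'),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64",
             "", SAMPLE_EXE),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR",
             "", r"C:\Users\Admin\AppData\Local\Temp"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}",
             "LocalService", "cphs"),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
             "", r"C:\Program Files\Vendor\server.dll"),   # constructed control, not in the report
]

# Subkeys whose (Default) value names the module COM launches or loads for a class,
# and the TypeLib subkeys whose (Default) value names the file LoadTypeLib opens.
SERVER_SUBKEYS = {"LocalServer32", "LocalServer", "InprocServer32", "InprocHandler32"}
TYPELIB_SUBKEY = re.compile(r"\\(win32|win64)$", re.IGNORECASE)

# Assumed policy: prefixes a standard user can write to. A module registered here can
# be replaced by that user and is executed on the next activation of the class.
USER_WRITABLE = [re.compile(p, re.IGNORECASE) for p in (
    r"^[A-Z]:\\Users\\[^\\]+\\",
    r"^[A-Z]:\\ProgramData\\",
    r"^[A-Z]:\\Windows\\Temp\\",
)]

# Either a quoted path, or an unquoted path up to the first .exe/.dll/.ocx token.
MODULE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|ocx))(?:\s|$)', re.IGNORECASE)


def module_path(data: str) -> str:
    """Module path from COM server data, with surrounding quotes and arguments removed."""
    m = MODULE_RE.match(data.strip())
    if not m:
        return data.strip()
    return m.group(1) or m.group(2)


def is_user_writable(path: str) -> bool:
    return any(p.match(path) for p in USER_WRITABLE)


def find_suspicious_com_servers(writes):
    """(key, module) for each class or typelib registered from a user-writable location."""
    findings = []
    for w in writes:
        leaf = w.key.rsplit("\\", 1)[-1]
        if w.name != "" or not (leaf in SERVER_SUBKEYS or TYPELIB_SUBKEY.search(w.key)):
            continue
        module = module_path(w.data)
        if is_user_writable(module):
            findings.append((w.key, module))
    return findings


if __name__ == "__main__":
    for key, module in find_suspicious_com_servers(OBSERVED_WRITES):
        print(f"{key}\n    -> {module}")
```

Run against the report's writes this returns two findings (the LocalServer32 value and the win64 type-library path, both resolving to the Temp executable) and ignores the HELPDIR, LocalService and Program Files entries.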

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577} C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40} C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A} C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1} C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe\"" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0 C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}" C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577} C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe N/A
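The LaunchPermission row above stores the AppID's launch ACL as a raw self-relative SECURITY_DESCRIPTOR, which the sandbox prints as hex. The Python below is an added example, not part of the report: it decodes that exact blob (copied from the table) into owner, integrity label and DACL entries using only the documented binary layout of SIDs, ACLs and ACEs. Decoded, the DACL grants local launch and activation (COM_RIGHTS_EXECUTE, EXECUTE_LOCAL and ACTIVATE_LOCAL) to Everyone, ALL APPLICATION PACKAGES and one app-capability SID (S-1-15-3-1024-...), with a Low integrity label in the SACL, so any local user, including AppContainer code, may activate the class. The friendly-name table is a small assumed subset of well-known SIDs.

```python
import struct

# LaunchPermission data copied from the AppID {11AC3232-E7D7-49CD-ABFE-501700100B3A}
# row above: a self-relative SECURITY_DESCRIPTOR, exactly as the registry stores it.
LAUNCH_PERMISSION_HEX = (
    "010014809c000000ac000000140000003000000002001c000100000011001400"
    "0400000001010000000000100010000002006c0003000000000014000b000000"
    "010100000000000100000000000018000b000000010200000000000f02000000"
    "01000000000038000b000000010a00000000000f0300000000040000ce4a9359"
    "b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e9965501020000"
    "00000005200000002002000001020000000000052000000020020000"
)

# Access-mask bits used by COM launch/access permissions (COM_RIGHTS_* in iaccess.h).
COM_RIGHTS = {0x01: "EXECUTE", 0x02: "EXECUTE_LOCAL", 0x04: "EXECUTE_REMOTE",
              0x08: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x11: "SYSTEM_MANDATORY_LABEL"}
# Assumed friendly names for the SIDs that appear here (a subset of the well-known list).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-15-2-1": "ALL APPLICATION PACKAGES", "S-1-16-4096": "Low Mandatory Level"}
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000


def parse_sid(buf: bytes, off: int):
    """Binary SID at buf[off:] -> (S-R-I-S... string, bytes consumed)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")      # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)       # little-endian sub-authorities
    sid = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return sid, 8 + 4 * count


def parse_acl(buf: bytes, off: int):
    """ACL at buf[off:] -> list of ACE dicts (type, flags, mask, sid, name)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, "0x%02x" % ace_type), "flags": flags,
                     "mask": mask, "sid": sid, "name": WELL_KNOWN.get(sid, "")})
        pos += ace_size            # advance by the ACE's own size field, never by our arithmetic
    return aces


def parse_security_descriptor(blob: bytes) -> dict:
    """Decode a self-relative SECURITY_DESCRIPTOR into control, owner, group, SACL and DACL."""
    rev, _sbz, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(blob, o_owner)[0] if o_owner else None,
        "group": parse_sid(blob, o_group)[0] if o_group else None,
        "sacl": parse_acl(blob, o_sacl) if control & SE_SACL_PRESENT and o_sacl else [],
        "dacl": parse_acl(blob, o_dacl) if control & SE_DACL_PRESENT and o_dacl else [],
    }


def com_rights(mask: int):
    return [name for bit, name in COM_RIGHTS.items() if mask & bit]


def launch_grantees(blob: bytes):
    """(sid, friendly name, COM rights) for every allow ACE in the launch DACL."""
    sd = parse_security_descriptor(blob)
    return [(a["sid"], a["name"], com_rights(a["mask"]))
            for a in sd["dacl"] if a["type"] == "ACCESS_ALLOWED"]


if __name__ == "__main__":
    blob = bytes.fromhex(LAUNCH_PERMISSION_HEX)
    sd = parse_security_descriptor(blob)
    print("owner:", sd["owner"], " label:", sd["sacl"][0]["sid"] if sd["sacl"] else None)
    for sid, name, rights in launch_grantees(blob):
        print(f"{sid:<60} {name:<26} {'|'.join(rights)}")
```

The owner and group are BUILTIN\Administrators, which is expected for a registration performed from the sandbox's Admin account; the point to carry into triage is the three allow ACEs, each with mask 0x0B, not the owner.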

Processes

C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e394354114d360b558ede282d84ecbbe_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

All nine entries are reverse (PTR) lookups of in-addr.arpa names sent to 8.8.8.8 over UDP/53. The report does not attribute them to a process, and no other connection was recorded on either run; they are as consistent with background resolver traffic of the Windows 10 image as with the sample, so do not treat the queried addresses as indicators without host telemetry tying them to PID 4868.

Files

memory/4868-0-0x00007FF6E4F20000-0x00007FF6E5052000-memory.dmp

memory/4868-1-0x00007FF6E4F20000-0x00007FF6E5052000-memory.dmp

Both dumps cover the same 0x132000-byte image region of PID 4868, the only process listed. The 0x00007FF6... base and the win64 TypeLib registration indicate a 64-bit image; no files written to disk were recorded.