Malware Analysis Report

2025-03-14 23:11

Sample ID 240406-3v1besee9v
Target e394b7d286cfa81c455652b533cef711_JaffaCakes118
SHA256 4de3b130908e7c938aa0794108958065aa2b8eb637f05702add07a7e8b5ab40c
Tags upx persistence
Score 8/10


Analysis Overview

Score 8/10

SHA256 4de3b130908e7c938aa0794108958065aa2b8eb637f05702add07a7e8b5ab40c

Threat Level: Likely malicious

The file e394b7d286cfa81c455652b533cef711_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Modifies AppInit DLL entries

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:50

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:50

Reported

2024-04-06 23:53

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mssddynk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mssddynk.exe C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mssddynk.exe C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mssddyn.dll C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe"

C:\Windows\SysWOW64\mssddynk.exe

C:\Windows\system32\mssddynk.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe.bat

Network

N/A

Files

memory/1440-0-0x0000000000400000-0x000000000040F000-memory.dmp

\Windows\SysWOW64\mssddynk.exe

MD5 e394b7d286cfa81c455652b533cef711
SHA1 83ecda8b8a3d625c0b1bc855334f2ba037c179ec
SHA256 4de3b130908e7c938aa0794108958065aa2b8eb637f05702add07a7e8b5ab40c
SHA512 eca3c3d80fd6a0929b4b065818a6f68f1cd2b58283cd844c0626d75b5e4e6f54a2f053a83d0cb1a534a15ca4730b815366221eb2c7add1bdd23b2f213ba6bf7e

memory/1440-10-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/1224-11-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1440-12-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1440-16-0x00000000001C0000-0x00000000001CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe.bat

MD5 a04fa63598efe8b1fcaf3f471c923c2e
SHA1 34f425ed089d6907143a1834d1d53ce3b16e040f
SHA256 cb435ca723a716669c0c47bb61923697463cad58555d51992472b6a1e15322be
SHA512 0e9eb0b92dbc1a9426ebe863dfc1b379d13e5cb219a917b4e3a11cea44e18e228406e907615a56157a272e57c7373d8ec1fd1525a60ccedf98b9d80f7d186601

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:50

Reported

2024-04-06 23:53

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mssddynk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mssddyn.dll C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mssddynk.exe C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mssddynk.exe C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe"

C:\Windows\SysWOW64\mssddynk.exe

C:\Windows\system32\mssddynk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/1940-0-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\SysWOW64\mssddynk.exe

MD5 e394b7d286cfa81c455652b533cef711
SHA1 83ecda8b8a3d625c0b1bc855334f2ba037c179ec
SHA256 4de3b130908e7c938aa0794108958065aa2b8eb637f05702add07a7e8b5ab40c
SHA512 eca3c3d80fd6a0929b4b065818a6f68f1cd2b58283cd844c0626d75b5e4e6f54a2f053a83d0cb1a534a15ca4730b815366221eb2c7add1bdd23b2f213ba6bf7e

memory/1940-6-0x0000000000400000-0x000000000040F000-memory.dmp

memory/4140-7-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e394b7d286cfa81c455652b533cef711_JaffaCakes118.exe.bat

MD5 a04fa63598efe8b1fcaf3f471c923c2e
SHA1 34f425ed089d6907143a1834d1d53ce3b16e040f
SHA256 cb435ca723a716669c0c47bb61923697463cad58555d51992472b6a1e15322be
SHA512 0e9eb0b92dbc1a9426ebe863dfc1b379d13e5cb219a917b4e3a11cea44e18e228406e907615a56157a272e57c7373d8ec1fd1525a60ccedf98b9d80f7d186601