Malware Analysis Report

2025-03-14 22:36

Sample ID: 240406-r18dfadb67
Target: e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118
SHA256: e702273d988557cad1dc79a54e27a4d063486bfd31a9efdcb442b301a483159c
Tags: persistence
Score: 6/10

Analysis Overview

Score: 6/10

SHA256

e702273d988557cad1dc79a54e27a4d063486bfd31a9efdcb442b301a483159c

Threat Level: Shows suspicious behavior

The file e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Unsigned PE

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 14:40

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 14:40

Reported

2024-04-06 14:43

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\7072797e746a6833786578 = "C:\\Users\\Admin\\ciwu.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe"

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 14:40

Reported

2024-04-06 14:43

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\37353e39332d2f743f223f = "C:\\Users\\Admin\\ciwu.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe
Target: N/A

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c35a18eadf6cb3ddc6fcd7b69237a0_JaffaCakes118.exe"

Network

Files

N/A