Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-r4yy6scf3z
Target e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118
SHA256 d5c62df11d9b96104bdb9fd411142d931c621740b90c2ad790802f244251a0c0
Tags
upx persistence
score
8/10


Analysis Overview

score
8/10

SHA256

d5c62df11d9b96104bdb9fd411142d931c621740b90c2ad790802f244251a0c0

Threat Level: Likely malicious

The file e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Modifies AppInit DLL entries

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 14:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 14:45

Reported

2024-04-06 14:48

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rexljehk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rexljeh.dll C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rexljehk.exe C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rexljehk.exe C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe"

C:\Windows\SysWOW64\rexljehk.exe

C:\Windows\system32\rexljehk.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe.bat

Network

N/A

Files

memory/1660-0-0x0000000000400000-0x0000000000410000-memory.dmp

\Windows\SysWOW64\rexljehk.exe

MD5 e2c5b96c2e7d8eab8c67326a13fe449a
SHA1 4518bfd39e40e6287fc2d2783a4d43b6ef652cc6
SHA256 d5c62df11d9b96104bdb9fd411142d931c621740b90c2ad790802f244251a0c0
SHA512 16eb8502660bbb3f3ce19e56121461cc2737eb6fdb3b33aad22a70a207093075f63e4d304a995b7dc03b85455b65a9a9d3336846f00a87de1f3b112de69cec11

memory/1660-4-0x0000000000230000-0x0000000000240000-memory.dmp

memory/1660-11-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1940-12-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1660-15-0x0000000000230000-0x0000000000240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe.bat

MD5 85bb108f9917b9bce9139a4e3dc136a2
SHA1 cdccce71f6fbb0831781e79ed14a7853c007b0ba
SHA256 03cc47917cacaf345e08cc77f98cbda58d6b8521c09b1e96643a536e0e6fc6fb
SHA512 1615a990b5fadab1b781049d08f8fd3ee920fab02ef4400f31c91b3aee7c7522613bc4f99cfe2d2c1be5116f20ad2165cc20d08e6a63cc552be4185d63ebe430

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 14:45

Reported

2024-04-06 14:48

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rexljehk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rexljehk.exe C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rexljehk.exe C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rexljeh.dll C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe"

C:\Windows\SysWOW64\rexljehk.exe

C:\Windows\system32\rexljehk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe.bat

Network

Country Destination Domain Proto

Files

memory/2220-0-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\SysWOW64\rexljehk.exe

MD5 e2c5b96c2e7d8eab8c67326a13fe449a
SHA1 4518bfd39e40e6287fc2d2783a4d43b6ef652cc6
SHA256 d5c62df11d9b96104bdb9fd411142d931c621740b90c2ad790802f244251a0c0
SHA512 16eb8502660bbb3f3ce19e56121461cc2737eb6fdb3b33aad22a70a207093075f63e4d304a995b7dc03b85455b65a9a9d3336846f00a87de1f3b112de69cec11

memory/2220-6-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1908-7-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe.bat

MD5 85bb108f9917b9bce9139a4e3dc136a2
SHA1 cdccce71f6fbb0831781e79ed14a7853c007b0ba
SHA256 03cc47917cacaf345e08cc77f98cbda58d6b8521c09b1e96643a536e0e6fc6fb
SHA512 1615a990b5fadab1b781049d08f8fd3ee920fab02ef4400f31c91b3aee7c7522613bc4f99cfe2d2c1be5116f20ad2165cc20d08e6a63cc552be4185d63ebe430