Malware Analysis Report

2025-03-14 22:28

Sample ID 240407-29n19she2v
Target e616bec8e3ffe02a44b04865e2951416_JaffaCakes118
SHA256 dcaed207abac1a9d0691a20c84c9c3c579e069c39b8ffda2c371284c2e23129d
Tags
persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

dcaed207abac1a9d0691a20c84c9c3c579e069c39b8ffda2c371284c2e23129d

Threat Level: Shows suspicious behavior

The file e616bec8e3ffe02a44b04865e2951416_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Uses Tor communications

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
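
The "Unsigned PE" signature is a static check: the Security data directory (index 4) in the PE optional header, which is where an Authenticode signature blob is recorded, is empty. The script below reproduces that check with only the Python standard library. It is an added example, not the sandbox's own code; the header-only PE image it builds for testing is constructed, not a real binary. A populated directory only proves a blob is attached; whether the signature verifies and chains to a trusted publisher must be checked separately (for instance with Get-AuthenticodeSignature in PowerShell).

```python
"""Reproduce the 'Unsigned PE' static check: is the Security data directory populated?

Only the standard library is used. A non-empty directory means an Authenticode
blob is attached; it says nothing about whether that signature verifies.
"""
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate table entry


def security_directory(data):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    Unlike other data directories this entry holds a raw file offset, not an RVA,
    because the certificate table is not mapped into memory at load time.
    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if (IMAGE_DIRECTORY_ENTRY_SECURITY >= n_dirs
            or entry + 8 > opt + size_of_opt or entry + 8 > len(data)):
        return (0, 0)                        # header too short to carry the entry
    return struct.unpack_from("<II", data, entry)


def is_signed(data):
    """True when a certificate table is present and lies inside the file."""
    off, size = security_directory(data)
    return off != 0 and size != 0 and off + size <= len(data)


def build_test_pe(signed, plus=True):
    """Constructed test input: a header-only PE image, optionally with a dummy cert table.

    Not a real executable; it exists so the check can be exercised offline.
    """
    opt_size = 240 if plus else 224
    header_len = 0x40 + 4 + 20 + opt_size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 108 if plus else 92, 16)     # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = b"\0" * 64                                    # stand-in for a WIN_CERTIFICATE blob
        entry = (112 if plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, entry, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(signed=False)
    off, size = security_directory(data)
    print("signed" if is_signed(data) else "unsigned",
          f"(certificate table offset={off:#x} size={size:#x})")
```

Run it with a file path as its only argument to test a real sample; without an argument it checks the constructed unsigned image. Note that the Security entry is a file offset rather than an RVA, which is why tools that resolve every directory through the section table report it wrongly.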

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:17

Reported

2024-04-07 23:19

Platform

win7-20240221-en

Max time kernel

139s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\4fx3ejs2uy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe
Target: N/A

Uses Tor communications

Processes

C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"

Network

Country Destination Domain Proto
SE 171.25.193.9:443 171.25.193.9 tcp
FR 80.67.167.81:9001 tcp
NL 192.42.116.181:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
RS 146.70.111.19:16374 tcp
DE 178.18.246.108:9002 tcp
NL 185.67.45.100:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
DE 195.90.211.36:993 tcp
LV 94.100.6.30:9001 tcp
US 208.113.133.68:9001 tcp
JP 160.251.204.200:9002 tcp
DE 185.220.101.4:9003 tcp
UA 194.147.140.101:465 tcp
CA 66.70.227.44:443 tcp
US 216.218.219.41:80 216.218.219.41 tcp
MD 178.17.171.102:9001 tcp
NO 185.5.233.141:7355 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 45.79.177.21:443 tcp
SG 103.253.24.18:443 tcp
FI 65.21.195.87:9001 tcp
US 174.128.250.164:80 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
DE 91.143.81.27:443 tcp
DE 45.142.176.96:9000 tcp
BR 177.104.142.225:443 tcp
UA 62.149.2.188:9001 tcp
CZ 176.74.222.61:9001 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
HU 87.229.85.197:9001 tcp
US 45.55.47.232:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:17

Reported

2024-04-07 23:19

Platform

win10v2004-20240226-en

Max time kernel

123s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcyv5md5nu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe
Target: N/A
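
In both detonations the sample wrote a random-named value under the current user's Run key pointing back at its own copy in %TEMP%. That combination (per-user autostart, which needs no admin rights, plus a launch path in a user-writable directory) is what makes the "Adds Run key to start application" signature count as persistence. The script below parses "Set value" indicator lines in the format this report prints them and flags Run/RunOnce values that launch from user-writable locations. It is an added example, not the sandbox's detection; the first two input lines are the indicators from behavioral1 and behavioral2, the third (an "ExampleUpdater" HKLM entry) is constructed as a benign control. On Windows it can also read the live HKCU Run key through winreg and apply the same checks.

```python
r"""Triage 'Adds Run key to start application' indicators from a sandbox report.

Parses lines of the form
    Set value (str) \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<name> = "<data>"
and flags Run/RunOnce values whose launch path sits in a user-writable directory.
Heuristics only: a legitimate per-user installer can trip them too.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample input: the two indicators from this report plus one made-up
# benign HKLM entry, so the script runs offline against realistic lines.
SAMPLE_INDICATORS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\4fx3ejs2uy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcyv5md5nu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe"',
]

INDICATOR_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)"$')
RUN_KEY_RE = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$',
    re.IGNORECASE,
)

# Locations a standard user can write to; autostart entries launching from here
# are the usual shape of dropper persistence.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")


@dataclass
class RunEntry:
    hive: str                 # "USER" (HKCU/HKU) or "MACHINE" (HKLM)
    scope: str                # SID for per-user keys, "" for HKLM
    name: str                 # Run value name
    target: str               # unescaped command the value launches
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def parse_indicator(line):
    """Return a RunEntry for a Run/RunOnce 'Set value' line, or None for anything else."""
    m = INDICATOR_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    rk = RUN_KEY_RE.search(key)
    if not rk:
        return None                       # a registry write, but not to an autostart key
    parts = key.split("\\")               # ['', 'REGISTRY', 'USER', '<SID>', 'Software', ...]
    hive = parts[2]
    scope = parts[3] if hive == "USER" else ""
    # The report prints backslashes and quotes inside the data escaped; undo that.
    target = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
    return RunEntry(hive, scope, rk.group("name"), target)


def assess(entry):
    """Attach the reasons an entry looks like dropper persistence."""
    if any(d in entry.target.lower() for d in USER_WRITABLE):
        entry.reasons.append("launches from a user-writable directory")
    # '4fx3ejs2uy', 'lcyv5md5nu': 8+ lowercase letters and digits mixed, unlike a product name.
    if (re.fullmatch(r"[a-z0-9]{8,}", entry.name)
            and re.search(r"\d", entry.name) and re.search(r"[a-z]", entry.name)):
        entry.reasons.append("random-looking value name")
    return entry


def triage(lines):
    """Parse every line, keep the Run-key writes and assess them."""
    return [assess(e) for e in map(parse_indicator, lines) if e is not None]


def live_run_values():
    """Windows only: read HKCU Run and emit lines in the report's format for triage()."""
    if sys.platform != "win32":
        return []
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    lines = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):          # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            escaped = str(data).replace("\\", "\\\\")
            # <current-user-sid> is a placeholder; the SID is not needed for the checks.
            lines.append(f'Set value (str) \\REGISTRY\\USER\\<current-user-sid>\\{path}\\{name} = "{escaped}"')
    return lines


if __name__ == "__main__":
    for e in triage(SAMPLE_INDICATORS + live_run_values()):
        tag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"[{tag}] {e.hive}\\{e.scope or 'HKLM'}\\Run\\{e.name} -> {e.target}  {'; '.join(e.reasons)}")
```

The two signals are deliberately kept separate: a Run value in %TEMP% with a sensible name, or a random name pointing at Program Files, each deserve a look, but it is the pair together that matches what this sample did.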

Uses Tor communications

Processes

C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e616bec8e3ffe02a44b04865e2951416_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 199.254.238.52:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 199.254.238.52:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
DE 131.188.40.189:80 131.188.40.189 tcp
NL 45.151.167.11:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
DE 193.23.244.244:80 193.23.244.244 tcp
NL 45.80.171.18:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 11.167.151.45.in-addr.arpa udp
US 216.218.219.41:80 216.218.219.41 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
US 8.8.8.8:53 41.219.218.216.in-addr.arpa udp
US 8.8.8.8:53 18.171.80.45.in-addr.arpa udp
DE 193.23.244.244:80 193.23.244.244 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 216.218.219.41:80 216.218.219.41 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
NL 192.42.116.191:9000 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
NL 95.179.180.139:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 191.116.42.192.in-addr.arpa udp
US 8.8.8.8:53 139.180.179.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
PL 45.141.215.90:110 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 90.215.141.45.in-addr.arpa udp
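
The Network tables of both detonations are the evidence behind "Uses Tor communications": port 80/443 fetches from Tor directory authorities (193.23.244.244, 131.188.40.189, 171.25.193.9, 216.218.219.41), direct-to-IP TCP sessions on relay ORPorts such as 9001/9002/9003 spread across many countries, and PTR lookups via 8.8.8.8, several of which reverse an address the sample had just contacted. The script below parses rows in the tables' format and classifies them. It is an added example, not the sandbox's logic; the rows it embeds are a subset copied from the two tables above, and the directory-authority address list is my assumption from memory of tor's auth_dirs.inc and should be verified against the current tor release. Relays on custom ports (16374, 7355, 993, 465, 110 above) will not match any port heuristic, which is why the authority contact is the stronger indicator.

```python
"""Classify the rows of the report's Network tables for signs of Tor bootstrap.

Row format as printed above:  CC ip:port [domain] proto
"""
import re
from collections import Counter

# Tor directory authorities, IP -> nickname. ASSUMPTION: taken from memory of tor's
# src/app/config/auth_dirs.inc; verify against the current tor release before relying on it.
DIR_AUTHORITIES = {
    "193.23.244.244": "dannenberg",
    "131.188.40.189": "gabelmoo",
    "171.25.193.9": "maatuska",
    "216.218.219.41": "faravahar",
}
# Common relay ORPort/DirPort numbers. Relays on custom ports fall into the
# direct-ip-uncommon-port bucket instead.
OR_PORTS = {9000, 9001, 9002, 9003, 9030}

# Constructed sample: rows copied from the two Network tables above.
SAMPLE_ROWS = """
SE 171.25.193.9:443 171.25.193.9 tcp
FR 80.67.167.81:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
RS 146.70.111.19:16374 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 131.188.40.189:80 131.188.40.189 tcp
NL 45.151.167.11:9001 tcp
US 8.8.8.8:53 11.167.151.45.in-addr.arpa udp
PL 45.141.215.90:110 tcp
US 199.254.238.52:80 tcp
""".strip().splitlines()

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
TOR_LIKE = {"tor-dirauth", "tor-orport-like", "direct-ip-uncommon-port"}


def parse_row(line):
    """Split one table row into its fields; None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def ptr_to_ip(name):
    """'244.244.23.193.in-addr.arpa' -> '193.23.244.244'."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify(row):
    ip, port, domain, proto = row["ip"], row["port"], row["domain"], row["proto"]
    if proto == "udp" and port == 53 and domain and domain.endswith(".in-addr.arpa"):
        return "reverse-dns"                       # PTR lookup, not a connection by the sample
    if ip in DIR_AUTHORITIES:
        return "tor-dirauth"                       # consensus/descriptor fetch during bootstrap
    if proto == "tcp" and port in OR_PORTS:
        return "tor-orport-like"
    direct = domain is None or domain == ip        # no name was ever resolved for this peer
    if proto == "tcp" and direct and port not in (80, 443):
        return "direct-ip-uncommon-port"
    return "direct-ip" if direct else "named"


def summarize(lines):
    rows = [r for r in map(parse_row, lines) if r]
    kinds, authorities, looked_up, connected, countries = Counter(), set(), set(), set(), set()
    for r in rows:
        k = classify(r)
        kinds[k] += 1
        if k == "reverse-dns":
            looked_up.add(ptr_to_ip(r["domain"]))
        else:
            connected.add(r["ip"])
        if k == "tor-dirauth":
            authorities.add(DIR_AUTHORITIES[r["ip"]])
        if k in TOR_LIKE:
            countries.add(r["cc"])
    return {
        "rows": len(rows),
        "kinds": dict(kinds),
        "authorities": sorted(authorities),
        # PTR queries that reverse an address the sample had just connected to
        "ptr_of_connected": sorted(looked_up & connected),
        "tor_like_countries": len(countries),
        # Directory-authority contact plus ORPort-style sessions is the bootstrap shape;
        # either alone is weaker evidence.
        "verdict": "tor-client" if authorities and kinds["tor-orport-like"] else "unclear",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Paste the full tables in place of SAMPLE_ROWS to score a whole detonation. The reverse-lookup correlation is worth keeping in a triage script: PTR queries for addresses the sample just connected to are a side effect of the host or sandbox resolving peers, and counting them as C2 destinations inflates the indicator list.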

Files

N/A