Malware Analysis Report

2025-03-14 23:12

Sample ID 240407-aa6y9afe87
Target e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118
SHA256 deb12559fd7e424bae5f92a77b828b8f025e4e0410f52641ff8ac3020965f28a
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

deb12559fd7e424bae5f92a77b828b8f025e4e0410f52641ff8ac3020965f28a

Threat Level: Shows suspicious behavior

The file e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:01

Reported

2024-04-07 00:04

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe"

C:\Windows\outlook.exe

C:\Windows\outlook.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:1434 tcp
N/A 127.0.0.1:1433 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.251.9.27:25 aspmx3.googlemail.com tcp
NL 142.251.9.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 thawte-com.mail.protection.outlook.com udp
US 8.8.8.8:53 thawte-com.mail.protection.outlook.com udp
US 8.8.8.8:53 thawte-com.mail.protection.outlook.com udp
US 52.101.42.9:25 thawte-com.mail.protection.outlook.com tcp
US 52.101.11.9:25 thawte-com.mail.protection.outlook.com tcp
US 52.101.10.5:25 thawte-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
NL 142.251.9.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 tcp
NL 142.251.9.27:25 aspmx3.googlemail.com tcp

Files

memory/2096-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/2096-25-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.cfg

MD5 9ff2a34c10d73233495c97e67a6f570d
SHA1 5915653342c94dc03147ee6d561f99d0126f6e1e
SHA256 2c8db2d988f352266c9645e1f251d53af63a0785989475003d6ed1088ca1fd28
SHA512 4a88f7ecb1ac7be4e7e8e907773971910a5c5cc98e9a74e7ce7c0f5b0b28931f3d909753efdaaac20fe53cba70a130cec18126004c509802df1386741e453811

memory/2464-53-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2464-71-0x0000000000400000-0x000000000047E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:01

Reported

2024-04-07 00:04

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\crc32.cfg C:\Windows\outlook.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\outlook.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e399d426f0b3ae0d1a41ae2f3f510c9b_JaffaCakes118.exe"

C:\Windows\outlook.exe

C:\Windows\outlook.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2444 -ip 2444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 29860

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:1434 tcp
N/A 127.0.0.1:1433 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 8.8.8.8:53 smtp.google.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 142.251.9.27:25 aspmx3.googlemail.com tcp
US 104.47.54.36:25 microsoft-com.mail.protection.outlook.com tcp
BE 64.233.184.27:25 smtp.google.com tcp
US 8.8.8.8:53 inbound-reply.s7.exacttarget.com udp
US 136.147.189.244:25 inbound-reply.s7.exacttarget.com tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 nokia-com.mail.protection.outlook.com udp
NL 52.101.73.30:25 nokia-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 incoming-relays.illinois.edu udp
US 148.163.139.28:25 incoming-relays.illinois.edu tcp
US 8.8.8.8:53 tcp
US 8.8.8.8:53 letterbox.kde.org udp
GB 46.43.1.242:25 letterbox.kde.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3316-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/3316-18-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.cfg

MD5 c548d9a5d0fde51bcf2169feb9309fba
SHA1 756d7fc358d82835985b3870d5b656702f06c1a3
SHA256 b839008ae42afa86deea68007d71114a7cc73e6d7b02c9276f09a8efb472dc90
SHA512 5e66456ba7f83cd83360ac1a02bc4de67dd91e6b80294da3350622ae92a67233e9d7a8b62f40b5b484b6e8008575c50a384852d1a6b4e3597699ccc095575591

C:\Windows\outlook.cfg

MD5 aa3dbfdafa8edddee0363fc0bdcea206
SHA1 e5960ee16ab366baaaf0ce6f647978c641850a36
SHA256 84dc77fc6077370f1b8a2dc9b799117156e4a8b87dbf8d25df06d5bd93b2be1a
SHA512 c13c4795d72f5dbb695d5af61a6f7c3102c2574e4ea30944b8d1c399045f49a558c602b6f5a8e502b035da49aa2420d3ecb5ab80b5afac33212a1fa58f83c6aa

C:\Windows\outlook.cfg

MD5 b333ba8d9683268d501d940f77e245d5
SHA1 ffb1ac0aec5ead142cfe1e4f18712c6f6fd0020f
SHA256 6394d53052355dd8695a3d706e80577678e4674ef9757d14ef6b5ba631a2db3a
SHA512 ad69bb8c2e70f4347090a61c8c371dc96f4f7801433a5d6c709ea41faef77bc44fad60e05db7460b7a1f73f2924c1e38385141516ef8ec3a39d4edc0619a62c7

memory/2444-102-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\outlook.cfg

MD5 09d4829cfdfcdd2814ecde5e22c5ce3b
SHA1 afca47e68a2cb8cf3249c6adf7d803e770b8fe04
SHA256 1bd9ad9d396b02eed3723e739ef02667fbc66a6adb53208d701ee7c8d09f03ab
SHA512 6b58e26081b80ce74b8955ae2ce5163cba80c89e6d27ac6b98716bcc7ff0b161240c86e8b660e411f1752fc323c23516022dcc06c3c6606e7a6b58d0cf2d72bc

memory/2444-118-0x0000000000400000-0x000000000047E000-memory.dmp