Malware Analysis Report

2025-03-14 23:36

Sample ID 240407-w4my5aba4w
Target e59434bfeb56134da214db36bea425e7_JaffaCakes118
SHA256 e4681236e304abaf8976c6ef37458eba38d5bb021d695d160b4508f299690c37
Tags
persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e4681236e304abaf8976c6ef37458eba38d5bb021d695d160b4508f299690c37

Threat Level: Shows suspicious behavior

The file e59434bfeb56134da214db36bea425e7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence upx

UPX packed file

Adds Run key to start application

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:28

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:28

Reported

2024-04-07 18:31

Platform

win7-20240221-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\1caf53c8a4a8ca5185e64a6ee56e0c93 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E59434~1.EXE /r"
Process: C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe
Target: N/A

Modifies Internet Explorer settings

adware spyware
Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main
Process: C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.trymedia.com udp

Files

memory/1260-2-0x0000000000310000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\connecting_icon[1]

MD5 81f2114b7bcc913245df781df3eb9ae5
SHA1 46beb25a2a30e66c65ebddb72f836542e3655d21
SHA256 13237f6652c8a50f987ee5227ce16778117add802584a5e19ef892eac6e1d3e8
SHA512 446e34fc67e66d60a7e4a4ee65b47ca04198a8566c4d5cc665249fed8d8616cd6d674cb82621dfea4303cd7a1f90488027b352972219873bf90094d62e763b6c

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:28

Reported

2024-04-07 18:31

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1caf53c8a4a8ca5185e64a6ee56e0c93 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E59434~1.EXE /r"
Process: C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e59434bfeb56134da214db36bea425e7_JaffaCakes118.exe"

Network

Country Destination Domain Proto

Files

memory/1132-2-0x0000000002260000-0x0000000002261000-memory.dmp

memory/1132-16-0x0000000002260000-0x0000000002261000-memory.dmp