Malware Analysis Report

2025-03-14 23:13

Sample ID 240407-w7z3vsbb2y
Target e5973bb514b3119aa40d33024416053e_JaffaCakes118
SHA256 e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d
Tags
upx persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d

Threat Level: Likely malicious

The file e5973bb514b3119aa40d33024416053e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Modifies AppInit DLL entries

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:34

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
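The static verdict above ("UPX packed file", no indicator rows) is a section-table signal that can be confirmed by hand. The following is an added example, not code from the report or the sandbox: it walks the PE header with struct (no pefile dependency) and applies the two checks an analyst uses to back a UPX hit, section names beginning with "UPX" and a first section with zero raw size but a large virtual size, which is where the UPX stub unpacks the original image. The PE produced by build_fake_pe() is a constructed header-only file for demonstration; run the checks on the real sample bytes instead.

```python
"""Confirm a UPX-packing verdict from the PE section table.

Added example, not from the report. It parses only the header fields it
needs with struct and applies two checks: section names that start with
"UPX", and a first section with zero SizeOfRawData but non-zero
VirtualSize (the UPX stub's unpacking target). The PE built by
build_fake_pe() is a constructed header-only file for demonstration.
"""
import struct

SECTION_HEADER = 40  # bytes per IMAGE_SECTION_HEADER


def read_sections(pe: bytes):
    """Return [(name, VirtualSize, SizeOfRawData)] for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size = struct.unpack_from("<III", pe, off + 8)
        sections.append((name, vsize, raw_size))
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Apply the name check and the hollow-first-section check."""
    secs = read_sections(pe)
    names = [name for name, _, _ in secs]
    upx_named = any(n.upper().startswith("UPX") for n in names)
    hollow_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    return {
        "sections": names,
        "upx_named": upx_named,
        "hollow_first_section": hollow_first,
        "likely_upx": upx_named or hollow_first,
    }


def build_fake_pe(section_specs) -> bytes:
    """Constructed header-only PE32: DOS header, PE signature, COFF header,
    zeroed optional header, and one section header per (name, vsize, raw)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 224                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                       len(optional), 0x0102)
    table = b""
    for name, vsize, raw in section_specs:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, raw, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    packed = build_fake_pe([(b"UPX0", 0x9000, 0), (b"UPX1", 0x5000, 0x4A00),
                            (b".rsrc", 0x1000, 0x200)])
    print(upx_indicators(packed))
```

Section names are trivially renamed, and the hollow-first-section pattern also appears with other packers, so treat both as triage hints. If the stub is stock UPX, `upx -t` and `upx -d` on the sample will test and unpack it; a modified stub fails there and needs a manual unpack from the memory dump.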

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:34

Reported

2024-04-07 18:37

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ziflokk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ziflok.dll | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe N/A
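The "Modifies AppInit DLL entries" signature above carries no indicator rows, so the report does not show which value was written; the drop of ziflok.dll into SysWOW64 suggests the 32-bit (Wow6432Node) view. The following is an added example, not code from the report: a host check that evaluates the three values that govern AppInit loading (AppInit_DLLs, LoadAppInit_DLLs, RequireSignedAppInit_DLLs) in both registry views and ties any entry back to a dropped file. SAMPLE_SNAPSHOT is constructed to illustrate the pattern and is not data from the report; read_appinit_snapshot() performs the live read with winreg and only works on Windows.

```python
"""Check AppInit_DLLs persistence state in both registry views.

Added example, not from the report. evaluate_appinit() is a pure function
over a snapshot {view: {value name: data}} so it can be tested offline;
read_appinit_snapshot() pulls a live snapshot with winreg (Windows only).
SAMPLE_SNAPSHOT is constructed, not observed.
"""
import ntpath  # handles Windows paths on any platform

VALUE_NAMES = ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")

# Constructed snapshot: what a 32-bit AppInit hijack would look like
SAMPLE_SNAPSHOT = {
    "native": {"AppInit_DLLs": "", "LoadAppInit_DLLs": 1,
               "RequireSignedAppInit_DLLs": 1},
    "wow64": {"AppInit_DLLs": "ziflok.dll", "LoadAppInit_DLLs": 1,
              "RequireSignedAppInit_DLLs": 0},
}


def evaluate_appinit(snapshot, dropped_dlls=()):
    """Return human-readable findings; an empty list means nothing is set.
    AppInit_DLLs is space- or comma-separated and may hold bare file names
    resolved through the loader search path, so compare on basename."""
    dropped_names = {ntpath.basename(d).lower() for d in dropped_dlls}
    findings = []
    for view, values in snapshot.items():
        raw = values.get("AppInit_DLLs") or ""
        entries = [e for e in raw.replace(",", " ").split() if e]
        if not entries:
            continue
        load = values.get("LoadAppInit_DLLs", 0)
        require_signed = values.get("RequireSignedAppInit_DLLs", 0)
        state = "active" if load == 1 else "set but LoadAppInit_DLLs != 1"
        findings.append(f"[{view}] AppInit_DLLs={entries} ({state})")
        if load == 1 and require_signed != 1:
            findings.append(f"[{view}] unsigned AppInit DLLs are allowed to load")
        for entry in entries:
            if ntpath.basename(entry).lower() in dropped_names:
                findings.append(f"[{view}] {entry} matches a dropped file")
    return findings


def read_appinit_snapshot():
    """Live read of the 64-bit and 32-bit views (Windows only)."""
    import winreg  # ImportError off Windows
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    views = {"native": winreg.KEY_WOW64_64KEY, "wow64": winreg.KEY_WOW64_32KEY}
    snapshot = {}
    for view, flag in views.items():
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                                 winreg.KEY_READ | flag)
        except OSError:
            continue
        with key:
            values = {}
            for name in VALUE_NAMES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
        snapshot[view] = values
    return snapshot


if __name__ == "__main__":
    try:
        snap = read_appinit_snapshot()
    except ImportError:
        snap = SAMPLE_SNAPSHOT
    for line in evaluate_appinit(snap, dropped_dlls=[r"C:\Windows\SysWOW64\ziflok.dll"]):
        print(line)
```

Two caveats when reading the result: a DLL listed in the 32-bit view is loaded only into 32-bit processes that link user32.dll, which is why the sample drops into SysWOW64; and on Windows 8 and later with Secure Boot enabled AppInit_DLLs loading is disabled outright, so the same registry change that works on the win7 image may be inert on a hardened Windows 10 host even though both runs here flag it.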

Processes

C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe"

C:\Windows\SysWOW64\ziflokk.exe

C:\Windows\system32\ziflokk.exe ˜‰

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat

Network

N/A

Files

memory/1928-0-0x0000000000400000-0x000000000040E000-memory.dmp

\Windows\SysWOW64\ziflokk.exe

MD5 e5973bb514b3119aa40d33024416053e
SHA1 60145756546d5f3232479b08c4f40b4ff75d899d
SHA256 e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d
SHA512 8481550b0a23a241815652aae11e0c1a291259220bca51a02a44effef3ae868ecc38afc7c48a9f8fd298ff6c307012b92382e7fb5c9ed6b71ec0c44543cff6fe

memory/1928-4-0x0000000000030000-0x000000000003E000-memory.dmp

memory/1928-11-0x0000000000030000-0x000000000003E000-memory.dmp

memory/2172-12-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat

MD5 3af4dc3af98fc1c5579a7a9092b18e61
SHA1 dcf41f10ea1da5a537eff2210012de7b9b083018
SHA256 522eba7f45015c6e81dcfb355376a2ae103efbddf8a598aaa5e66f11ccc30dcc
SHA512 ffc7fa6794c593dd29e7102a230e375b823947c3e9f31649c540ec61b4862a2977cdd8fcd4472aa4cdec0ed62cc5506e6067b7ff7cd0931f764f116b4df7bb82

memory/1928-20-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:34

Reported

2024-04-07 18:37

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ziflokk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ziflok.dll | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe"

C:\Windows\SysWOW64\ziflokk.exe

C:\Windows\system32\ziflokk.exe ˜‰

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

All ten entries are reverse-DNS (PTR) lookups sent to 8.8.8.8 with no originating process recorded, and none occurred in the Windows 7 run. The addresses being resolved (52.140.118.28, 40.126.32.140 and the rest) sit in Microsoft Azure and CDN ranges that Windows 10 contacts on its own for updates and telemetry, so treat this table as probable sandbox background traffic rather than sample C2 unless the pcap ties a query to one of the sample's processes.

Files

memory/5032-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\SysWOW64\ziflokk.exe

MD5 e5973bb514b3119aa40d33024416053e
SHA1 60145756546d5f3232479b08c4f40b4ff75d899d
SHA256 e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d
SHA512 8481550b0a23a241815652aae11e0c1a291259220bca51a02a44effef3ae868ecc38afc7c48a9f8fd298ff6c307012b92382e7fb5c9ed6b71ec0c44543cff6fe

memory/5032-8-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat

MD5 3af4dc3af98fc1c5579a7a9092b18e61
SHA1 dcf41f10ea1da5a537eff2210012de7b9b083018
SHA256 522eba7f45015c6e81dcfb355376a2ae103efbddf8a598aaa5e66f11ccc30dcc
SHA512 ffc7fa6794c593dd29e7102a230e375b823947c3e9f31649c540ec61b4862a2977cdd8fcd4472aa4cdec0ed62cc5506e6067b7ff7cd0931f764f116b4df7bb82

memory/4136-10-0x0000000000400000-0x000000000040E000-memory.dmp
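Three pivots fall out of the Files, Processes and Network sections of the two runs: the SysWOW64 copy ziflokk.exe carries the same MD5/SHA-1/SHA-256/SHA-512 as the submitted sample, so it is a straight self-copy rather than a second-stage payload (the matching 0x400000 to 0x40E000 memory images for the sample PID and the ziflokk.exe PID point the same way); ziflok.dll is created but no hash for it appears in either run, so it cannot be pivoted on; and the cmd.exe child runs a .bat named after the sample, the usual self-delete mechanism behind the "Deletes itself" signature. The following is an added example, not code from the report: the lists are transcribed from the report's sections as constructed input, and the functions answer those three questions so the same logic can be reused on another report.

```python
"""Correlate artifacts from the two detonations.

Added example, not part of the sandbox report. The constants below are
transcribed from the report's Files, Processes and Network sections
(constructed input); the functions flag self-copies by hash, extract the
self-delete batch file from command lines, and turn PTR query names back
into the IP addresses they ask about.
"""
import ipaddress
import re

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe")
SAMPLE_SHA256 = "e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d"

# (path, sha256) as listed under Files; ziflok.dll has no hash in the report
DROPPED_FILES = [
    (r"C:\Windows\SysWOW64\ziflokk.exe",
     "e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d"),
    (SAMPLE_PATH + ".bat",
     "522eba7f45015c6e81dcfb355376a2ae103efbddf8a598aaa5e66f11ccc30dcc"),
]

# Command lines from the Processes sections of behavioral1 and behavioral2
COMMAND_LINES = [
    f'"{SAMPLE_PATH}"',
    "cmd /c " + SAMPLE_PATH + ".bat",
    r"C:\Windows\system32\cmd.exe /c " + SAMPLE_PATH + ".bat",
]

# Names queried over UDP/53 to 8.8.8.8 in behavioral2
PTR_QUERIES = [
    "28.118.140.52.in-addr.arpa", "240.197.17.2.in-addr.arpa",
    "140.32.126.40.in-addr.arpa", "133.211.185.52.in-addr.arpa",
    "97.17.167.52.in-addr.arpa", "159.113.53.23.in-addr.arpa",
    "103.169.127.40.in-addr.arpa", "56.126.166.20.in-addr.arpa",
    "17.143.109.104.in-addr.arpa", "172.210.232.199.in-addr.arpa",
]


def self_copies(dropped, sample_sha256=SAMPLE_SHA256):
    """Dropped files whose SHA-256 equals the sample's: the same binary
    relocated for persistence, not a separate payload."""
    return [path for path, sha in dropped if sha.lower() == sample_sha256.lower()]


_SELF_DELETE = re.compile(r"cmd(?:\.exe)?\s+/c\s+(\S+\.bat)", re.IGNORECASE)


def self_delete_batches(cmdlines, sample_path=SAMPLE_PATH):
    """'cmd /c <sample>.bat' spawned by the sample is the classic self-delete
    pattern (the batch deletes the EXE, then itself). Return unique .bat paths
    that are named after the sample."""
    found = []
    for line in cmdlines:
        m = _SELF_DELETE.search(line)
        if m and m.group(1).lower().startswith(sample_path.lower()) \
                and m.group(1) not in found:
            found.append(m.group(1))
    return found


def ptr_to_ip(name: str) -> str:
    """Turn an IPv4 reverse-lookup name back into the address it asks about."""
    suffix = ".in-addr.arpa"
    name = name.rstrip(".")
    if not name.lower().endswith(suffix):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four labels: {name}")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def triage(dropped=DROPPED_FILES, cmdlines=COMMAND_LINES, queries=PTR_QUERIES):
    """Bundle the three pivots into one dict."""
    return {
        "self_copies": self_copies(dropped),
        "self_delete_batches": self_delete_batches(cmdlines),
        "reverse_lookups": [ptr_to_ip(q) for q in queries],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The reversed addresses are what to feed into passive-DNS or ASN lookups when deciding whether the behavioral2 traffic belongs to the sample or to the OS; the self-copy result means a hash-based block on the sample already covers ziflokk.exe, while ziflok.dll needs a path or AppInit-based detection because its content was never captured.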