Malware Analysis Report

2025-03-14 23:27

Sample ID: 240407-wx565aag7w
Target: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118
SHA256: e60ee107dd301de376b081552a287deb122a6e3b504acb2d9bf925e4b1f2dcf7
Tags: persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: e60ee107dd301de376b081552a287deb122a6e3b504acb2d9bf925e4b1f2dcf7

Threat Level: Likely malicious

The file e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets DLL path for service in the registry

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:19

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:19
Reported: 2024-04-07 18:21
Platform: win7-20240220-en
Max time kernel: 145s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe"

Signatures

Sets DLL path for service in the registry

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LYTC\Parameters\ServiceDLL = "%SystemRoot%\\system32\\tccj.dll"
Process: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\tccj.dll
Process: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\tccj.dll
Process: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Modifies data under HKEY_USERS

Description: Key created
Indicator: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k krnlsrvc

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k krnlsrvc

C:\Windows\SysWOW64\cmd.exe

cmd /c DelMe.bat

Network

Country  Destination  Domain           Proto
US       8.8.8.8:53   count.jk136.com  udp

Files

memory/2836-0-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2836-2-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2836-1-0x0000000000220000-0x0000000000238000-memory.dmp

memory/2836-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2836-6-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2836-4-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2836-9-0x0000000000400000-0x000000000045D000-memory.dmp

\??\c:\windows\SysWOW64\tccj.dll

MD5 7aec29935cd17c94ddec5daf65850a4a
SHA1 199716bed3b3685eed134836364b143af53afe97
SHA256 ba8c0e103051dd5dfa6f7ff6fdfae80d28a390d8008c177fd96f5ad6d6a30843
SHA512 ad5f24bdd5f779a4a3aff9229509eb3f6f405e367d1e1d6012377dec2d2cfd1e279b38a8d39a3ff5d09b3898197eaf257bae5ae1647af7f3ffba3c6f0529c95b

C:\Users\Admin\AppData\Local\Temp\DelMe.bat

MD5 316eb5dd14b7214f9bfae9604d554ae8
SHA1 ae4bdaf209f7e4c4ff8204940803bebb0fb621ad
SHA256 2082536f6dbb095d76e39546d52d24ea0a4cd1eedec24c071fe537db793e9f80
SHA512 3ea38b9f9e803348c82c933e1a734f7e3bbb2ab132065032e86d5ce524d65b519642595b94567b7223cc87aa0547594bf1a28eade1e96e7887ec01c675c5c0d6

memory/2668-19-0x0000000000020000-0x000000000002D000-memory.dmp

memory/2836-20-0x0000000000220000-0x0000000000238000-memory.dmp

memory/2668-23-0x0000000000020000-0x000000000002D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:19
Reported: 2024-04-07 18:21
Platform: win10v2004-20240226-en
Max time kernel: 92s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe"

Signatures

Sets DLL path for service in the registry

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LYTC\Parameters\ServiceDLL = "%SystemRoot%\\system32\\tccj.dll"
Process: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\tccj.dll
Process: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\tccj.dll
Process: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 432

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k krnlsrvc

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k krnlsrvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c DelMe.bat

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 672

Network

Country  Destination  Domain                       Proto
US       8.8.8.8:53   183.142.211.20.in-addr.arpa  udp
US       8.8.8.8:53   216.197.17.2.in-addr.arpa    udp
US       8.8.8.8:53   68.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53   count.jk136.com              udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53   228.249.119.40.in-addr.arpa  udp
US       8.8.8.8:53   104.219.191.52.in-addr.arpa  udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53   198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53   17.143.109.104.in-addr.arpa  udp
US       8.8.8.8:53   241.197.17.2.in-addr.arpa    udp

Files

memory/4900-0-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4900-1-0x00000000021A0000-0x00000000021B8000-memory.dmp

memory/4900-2-0x00000000021A0000-0x00000000021B8000-memory.dmp

memory/4900-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4900-4-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4900-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

memory/4900-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4900-10-0x0000000000400000-0x000000000045D000-memory.dmp

\??\c:\windows\SysWOW64\tccj.dll

MD5 7aec29935cd17c94ddec5daf65850a4a
SHA1 199716bed3b3685eed134836364b143af53afe97
SHA256 ba8c0e103051dd5dfa6f7ff6fdfae80d28a390d8008c177fd96f5ad6d6a30843
SHA512 ad5f24bdd5f779a4a3aff9229509eb3f6f405e367d1e1d6012377dec2d2cfd1e279b38a8d39a3ff5d09b3898197eaf257bae5ae1647af7f3ffba3c6f0529c95b

memory/4900-15-0x00000000021A0000-0x00000000021B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DelMe.bat

MD5 316eb5dd14b7214f9bfae9604d554ae8
SHA1 ae4bdaf209f7e4c4ff8204940803bebb0fb621ad
SHA256 2082536f6dbb095d76e39546d52d24ea0a4cd1eedec24c071fe537db793e9f80
SHA512 3ea38b9f9e803348c82c933e1a734f7e3bbb2ab132065032e86d5ce524d65b519642595b94567b7223cc87aa0547594bf1a28eade1e96e7887ec01c675c5c0d6

memory/3764-18-0x0000000000400000-0x000000000040D000-memory.dmp