Malware Analysis Report

2025-03-14 23:42

Sample ID 240407-xhbjmsbg77
Target e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118
SHA256 780cac5aa91de29b5f3fd7e3756d9fe5a19c2df750b327153aeb79d7f3b4eb50
Tags
persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

780cac5aa91de29b5f3fd7e3756d9fe5a19c2df750b327153aeb79d7f3b4eb50

Threat Level: Shows suspicious behavior

The file e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:50

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:50

Reported

2024-04-07 18:53

Platform

win7-20240220-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FSAV32 = "C:\\Windows\\wDaLrZMLGKEKpG3.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\wDaLrZMLGKEKpG3.exe
Process: C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\wDaLrZMLGKEKpG3.exe
Process: C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1472

Network

Country Destination Domain Proto
AT 129.27.9.247:6667 tcp
US 192.169.130.198:139 tcp
US 52.107.26.41:139 tcp
GB 86.134.71.55:139 tcp
JP 221.75.2.243:139 tcp
NL 93.88.152.162:139 tcp
CA 142.2.187.100:139 tcp
GB 86.169.142.235:139 tcp
IT 217.59.219.35:139 tcp
UY 190.134.43.81:139 tcp
US 104.86.90.15:139 tcp
IN 13.207.24.85:139 tcp
GB 90.252.173.80:139 tcp
US 26.98.52.251:139 tcp
US 71.252.84.189:139 tcp
NZ 104.84.48.222:139 tcp
JP 112.138.222.65:139 tcp
US 207.88.131.165:139 tcp
NL 62.133.213.23:139 tcp
US 209.113.195.16:139 tcp
CA 207.162.93.79:139 tcp
US 48.120.19.197:139 tcp
US 129.116.10.136:139 tcp
CN 122.64.22.178:139 tcp
RU 95.189.184.156:139 tcp
IT 88.43.97.203:139 tcp
US 74.6.162.115:139 tcp
RU 31.162.5.45:139 tcp
KR 182.198.125.145:139 tcp
N/A 10.127.43.38:139 tcp
N/A 127.136.204.143:139 tcp
N/A 127.136.204.143:445 tcp

Files

memory/2284-3-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:50

Reported

2024-04-07 18:53

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MCUPDATE = "C:\\Windows\\ekblQopApbstux.exe"
Process: C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\ekblQopApbstux.exe
Process: C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\ekblQopApbstux.exe
Process: C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
AT 129.27.9.247:6667 tcp
US 212.124.118.75:139 tcp
US 33.199.171.172:139 tcp
US 174.242.231.167:139 tcp
US 65.124.58.142:139 tcp
DE 129.233.130.69:139 tcp
KR 116.46.27.95:139 tcp
US 65.196.219.123:139 tcp
US 192.169.25.143:139 tcp
US 99.157.91.23:139 tcp
CN 58.35.173.237:139 tcp
US 168.21.227.137:139 tcp
SA 100.210.125.140:139 tcp
US 30.95.159.149:139 tcp
US 192.190.148.207:139 tcp
ZA 168.128.8.130:139 tcp
US 170.23.128.30:139 tcp
TW 106.105.226.236:139 tcp
US 38.93.248.212:139 tcp
N/A 162.252.53.22:139 tcp
SG 119.234.40.235:139 tcp
US 107.219.238.141:139 tcp
US 150.114.48.77:139 tcp
AU 115.131.150.100:139 tcp
BR 179.127.100.210:139 tcp
CN 218.14.90.183:139 tcp
FR 109.210.51.27:139 tcp
US 54.177.229.129:139 tcp
US 67.242.35.226:139 tcp
KE 154.152.150.217:139 tcp
N/A 10.127.4.197:139 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 212.124.118.75:445 tcp
US 174.242.231.167:445 tcp
US 65.124.58.142:445 tcp
US 33.199.171.172:445 tcp
KR 116.46.27.95:445 tcp
DE 129.233.130.69:445 tcp
US 192.169.25.143:445 tcp
US 65.196.219.123:445 tcp
US 99.157.91.23:445 tcp
US 168.21.227.137:445 tcp
CN 58.35.173.237:445 tcp
US 192.190.148.207:445 tcp
US 30.95.159.149:445 tcp
ZA 168.128.8.130:445 tcp
SA 100.210.125.140:445 tcp
N/A 162.252.53.22:445 tcp
US 170.23.128.30:445 tcp
TW 106.105.226.236:445 tcp
US 150.114.48.77:445 tcp
US 38.93.248.212:445 tcp
SG 119.234.40.235:445 tcp
FR 109.210.51.27:445 tcp
US 107.219.238.141:445 tcp
KE 154.152.150.217:445 tcp
AU 115.131.150.100:445 tcp
BR 179.127.100.210:445 tcp
US 54.177.229.129:445 tcp
CN 218.14.90.183:445 tcp
US 67.242.35.226:445 tcp
N/A 10.127.4.197:445 tcp
AT 129.27.9.247:6667 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 42.221.241.139:139 tcp
PE 45.232.107.168:139 tcp
US 71.148.48.197:139 tcp
US 65.202.107.46:139 tcp
JP 60.60.14.154:139 tcp
BR 190.107.160.68:139 tcp
CA 99.223.19.197:139 tcp
DE 185.207.156.185:139 tcp
GR 62.74.126.17:139 tcp
US 29.206.184.29:139 tcp
US 149.169.71.192:139 tcp
US 129.37.142.27:139 tcp
CN 110.250.150.28:139 tcp
US 54.146.85.101:139 tcp
DE 141.51.255.102:139 tcp
CN 101.123.188.184:139 tcp
IN 117.252.51.229:139 tcp
AU 121.209.238.232:139 tcp
US 11.167.142.24:139 tcp
US 32.57.173.140:139 tcp
JP 133.233.223.28:139 tcp
GB 25.24.75.24:139 tcp
CA 70.68.116.49:139 tcp
RO 89.122.34.33:139 tcp
N/A 172.19.139.24:139 tcp
US 192.169.144.220:139 tcp
US 128.145.165.128:139 tcp
US 3.237.221.146:139 tcp
ES 82.86.20.197:139 tcp
N/A 10.127.149.232:139 tcp
AT 129.27.9.247:6667 tcp
US 149.169.71.192:445 tcp
PE 45.232.107.168:445 tcp
US 65.202.107.46:445 tcp
CN 42.221.241.139:445 tcp
JP 60.60.14.154:445 tcp
US 71.148.48.197:445 tcp
DE 185.207.156.185:445 tcp
BR 190.107.160.68:445 tcp
GR 62.74.126.17:445 tcp
CA 99.223.19.197:445 tcp
DE 141.51.255.102:445 tcp
US 29.206.184.29:445 tcp
JP 133.233.223.28:445 tcp
US 129.37.142.27:445 tcp
CN 110.250.150.28:445 tcp
CA 70.68.116.49:445 tcp
N/A 172.19.139.24:445 tcp
US 54.146.85.101:445 tcp
US 128.145.165.128:445 tcp
US 3.237.221.146:445 tcp
CN 101.123.188.184:445 tcp
ES 82.86.20.197:445 tcp
IN 117.252.51.229:445 tcp
N/A 10.127.149.232:445 tcp
US 11.167.142.24:445 tcp
AU 121.209.238.232:445 tcp
US 32.57.173.140:445 tcp
GB 25.24.75.24:445 tcp
US 192.169.144.220:445 tcp
RO 89.122.34.33:445 tcp
AT 129.27.9.247:6667 tcp
BR 150.163.86.27:139 tcp
US 6.208.116.187:139 tcp
DE 5.5.151.150:139 tcp
CA 131.117.168.29:139 tcp
N/A 10.127.16.14:139 tcp
GB 81.144.2.83:139 tcp
US 44.235.206.223:139 tcp
JP 126.197.69.233:139 tcp
US 75.101.150.18:139 tcp
CA 206.75.69.126:139 tcp
US 20.140.100.12:139 tcp
US 40.220.230.190:139 tcp
PL 185.212.41.225:139 tcp
US 19.99.118.218:139 tcp
KR 210.178.53.164:139 tcp
SE 88.144.117.111:139 tcp
US 66.153.70.127:139 tcp
US 18.174.159.226:139 tcp
JP 219.42.216.240:139 tcp
AU 203.53.104.32:139 tcp
IN 27.6.214.166:139 tcp
IL 132.66.83.200:139 tcp
US 170.146.59.130:139 tcp
SY 94.47.4.19:139 tcp
US 192.169.9.14:139 tcp
NL 145.104.19.170:139 tcp
US 11.43.149.12:139 tcp
ES 62.175.109.79:139 tcp
JP 123.198.12.201:139 tcp
MX 189.220.213.58:139 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BR 150.163.86.27:445 tcp
AT 129.27.9.247:6667 tcp
US 6.208.116.187:445 tcp
DE 5.5.151.150:445 tcp
US 75.101.150.18:445 tcp
US 20.140.100.12:445 tcp
PL 185.212.41.225:445 tcp
CA 131.117.168.29:445 tcp
GB 81.144.2.83:445 tcp
US 44.235.206.223:445 tcp
US 19.99.118.218:445 tcp
N/A 10.127.16.14:445 tcp
JP 126.197.69.233:445 tcp
CA 206.75.69.126:445 tcp
US 40.220.230.190:445 tcp
KR 210.178.53.164:445 tcp
SE 88.144.117.111:445 tcp
JP 219.42.216.240:445 tcp
US 66.153.70.127:445 tcp
IN 27.6.214.166:445 tcp
US 18.174.159.226:445 tcp
US 170.146.59.130:445 tcp
AU 203.53.104.32:445 tcp
IL 132.66.83.200:445 tcp
SY 94.47.4.19:445 tcp
US 192.169.9.14:445 tcp
US 11.43.149.12:445 tcp
MX 189.220.213.58:445 tcp
NL 145.104.19.170:445 tcp
ES 62.175.109.79:445 tcp
JP 123.198.12.201:445 tcp
CN 114.222.82.215:139 tcp
JP 119.83.162.147:139 tcp
FI 146.211.192.39:139 tcp
IT 95.234.114.180:139 tcp
JP 180.22.229.149:139 tcp
US 108.184.178.202:139 tcp
US 68.49.170.193:139 tcp
NL 142.252.163.116:139 tcp
CN 183.15.199.52:139 tcp
US 108.125.208.96:139 tcp
US 199.239.252.41:139 tcp
JP 221.57.117.105:139 tcp
HK 154.86.179.144:139 tcp
US 96.136.214.45:139 tcp
US 173.72.127.144:139 tcp
N/A 10.127.112.207:139 tcp
CN 124.117.49.214:139 tcp
JP 222.226.231.244:139 tcp
US 54.230.252.6:139 tcp
US 192.195.249.206:139 tcp
ES 90.171.159.120:139 tcp
US 134.173.248.156:139 tcp
DE 84.44.129.58:139 tcp
US 169.25.72.145:139 tcp
US 108.80.54.159:139 tcp
JP 133.30.49.218:139 tcp
US 192.169.6.240:139 tcp
NL 185.228.196.189:139 tcp
US 108.37.60.94:139 tcp
US 32.62.193.125:139 tcp
AT 129.27.9.247:6667 tcp
CN 114.222.82.215:445 tcp
JP 119.83.162.147:445 tcp
FI 146.211.192.39:445 tcp
IT 95.234.114.180:445 tcp
JP 180.22.229.149:445 tcp
US 108.184.178.202:445 tcp
CN 183.15.199.52:445 tcp
US 108.125.208.96:445 tcp
US 199.239.252.41:445 tcp
US 68.49.170.193:445 tcp
JP 221.57.117.105:445 tcp
N/A 10.127.112.207:445 tcp
NL 142.252.163.116:445 tcp
US 192.195.249.206:445 tcp
HK 154.86.179.144:445 tcp
US 134.173.248.156:445 tcp
US 96.136.214.45:445 tcp
US 173.72.127.144:445 tcp
CN 124.117.49.214:445 tcp
JP 222.226.231.244:445 tcp
ES 90.171.159.120:445 tcp
US 54.230.252.6:445 tcp
US 169.25.72.145:445 tcp
DE 84.44.129.58:445 tcp
US 108.80.54.159:445 tcp
US 108.37.60.94:445 tcp
JP 133.30.49.218:445 tcp
US 192.169.6.240:445 tcp
NL 185.228.196.189:445 tcp
US 32.62.193.125:445 tcp

Files

memory/4596-3-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-15-0x0000000000400000-0x0000000000412000-memory.dmp