Malware Analysis Report

2025-08-11 00:07

Sample ID 240513-hrhxrabd3t
Target 3e4133340e0037854c020b73d139943a_JaffaCakes118
SHA256 34ed19f34dbecbfa60533e3d0737d3d9862ae8d56084aabf536351c9242e8b67
Tags: evasion
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256

34ed19f34dbecbfa60533e3d0737d3d9862ae8d56084aabf536351c9242e8b67

Threat Level: Likely malicious

The file 3e4133340e0037854c020b73d139943a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 06:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 06:58

Reported

2024-05-13 07:00

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A

The VBOX__ subkey exists only on a VirtualBox guest, where the hypervisor's ACPI table OEM ID is exposed under HKLM\HARDWARE\ACPI, so a successful open is a reliable VM indicator for the sample. The check is made by the parent executable, not by the dropped s8879.exe; a detonation on non-VirtualBox hardware, or on an image that patches these keys, may therefore show different follow-on behaviour.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A

Geo\Nation is the per-user country setting; installers and loaders commonly read it to gate execution by region. The report records only the read, not any decision taken on its value.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A

Both signatures describe the same file. C:\Windows\assembly is the .NET Global Assembly Cache, and a Desktop.ini written there is a side-effect commonly seen when a .NET executable runs, not a persistence mechanism; the write is attributed to the dropped s8879.exe.

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A

SystemManufacturer is a second hypervisor check by the same parent process: on a VirtualBox guest the value is "innotek GmbH", and other hypervisors expose their own vendor strings there.

Modifies system certificate store

Tags: evasion, spyware, trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A

The thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C is the SHA-1 fingerprint of the public GlobalSign Root CA (R1), and the writes go to the AuthRoot store, which is where Windows caches roots obtained through its automatic root update mechanism while building a certificate chain. Taken together with the crl.globalsign.net fetch in the network table, this is consistent with s8879.exe validating a chain that ends at the GlobalSign root rather than installing an attacker-controlled one. The concerning variant of this signature is a write of an unrecognised thumbprint to the ROOT store; check the thumbprint against the public root before treating this hit as malicious.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe

"C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe" ins.exe /t 54146c05561ca39e0b8b4585 /u ad0d8641-dff0-11e3-8a58-80c16e6f498c /h eb4993.api.socdn.com /e 12932238 /v "C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"

The switches are the dropped installer's configuration: /h names the host it reports to (eb4993.api.socdn.com, reached on TCP port 80 in the network table, so the exchange is cleartext HTTP), /v passes the path of the original sample, and /t, /u and /e are opaque identifiers. All values are identical in the Windows 7 detonation in behavioral1, so they do not change between runs.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8

This is an Edge utility child process carrying Edge's own service arguments. The report gives no parent for it, so it cannot be attributed to the sample from this page alone.

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 3900

Both WerFault.exe invocations are for PID 1600 (the -p argument) and back the "Program crash" entry in the summary. WerFault runs from SysWOW64, so the crashing process is 32-bit; it is not the process whose memory regions are listed under Files (PID 2680, whose 0x00007FFC... ranges are 64-bit addresses). The report does not state which sample process PID 1600 is.

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 crl.globalsign.net udp
US 104.18.20.226:80 crl.globalsign.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 eb4993.api.socdn.com udp
US 76.223.26.96:80 eb4993.api.socdn.com tcp
US 8.8.8.8:53 96.26.223.76.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Only eb4993.api.socdn.com (76.223.26.96:80), the host named by the /h switch of s8879.exe, is a sample-specific indicator in this table. crl.globalsign.net is a CRL fetch tied to the certificate-store activity above, the bing.com traffic is most likely background activity of the image (Edge ran during the detonation), and the in-addr.arpa rows are reverse (PTR) lookups of addresses seen in the capture and carry no indicator value on their own.
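The command line, registry rows and network table above are easier to act on once they are split into switches, labelled registry events and IOC buckets with the sandbox noise removed. The following Python is an added triage helper written for this page; it is not part of the report or of the sandbox's own tooling. The embedded rows are a constructed subset copied from behavioral2 so the script runs offline, and the root-thumbprint allow-list, the noise and PKI domain patterns, and the switch-parsing convention are my assumptions.

```python
"""Triage helpers for a flattened sandbox report (added example, not the report's own tooling)."""
import re
from typing import Dict, List

# Constructed subset of the behavioral2 data above, embedded so the script runs offline.
DROPPER_CMDLINE = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\n8879\\s8879.exe" ins.exe '
    '/t 54146c05561ca39e0b8b4585 /u ad0d8641-dff0-11e3-8a58-80c16e6f498c '
    '/h eb4993.api.socdn.com /e 12932238 '
    '/v "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"'
)
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 crl.globalsign.net udp
US 104.18.20.226:80 crl.globalsign.net tcp
US 8.8.8.8:53 96.26.223.76.in-addr.arpa udp
US 8.8.8.8:53 eb4993.api.socdn.com udp
US 76.223.26.96:80 eb4993.api.socdn.com tcp
"""
REGISTRY_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
    r"\B1BC968BD4F49D622AA89A81F2150152A41D829C",
]

# Assumption: SHA-1 thumbprints of public roots that Windows itself caches into AuthRoot.
KNOWN_PUBLIC_ROOTS = {
    "B1BC968BD4F49D622AA89A81F2150152A41D829C": "GlobalSign Root CA (R1)",
}
# Assumption: traffic the sandbox image generates on its own; never an indicator by itself.
NOISE_DOMAIN_RE = re.compile(r"(\.in-addr\.arpa|(^|\.)bing\.com)$")
PKI_DOMAIN_RE = re.compile(r"^(crl|ocsp)\.")


def tokenize_cmdline(cmd: str) -> List[str]:
    """Windows-style split: a double-quoted run is one argument, otherwise split on whitespace."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_switches(cmd: str) -> Dict[str, str]:
    """Collect '/x value' pairs; bare words such as argv[0] and 'ins.exe' are skipped."""
    args = tokenize_cmdline(cmd)
    out, i = {}, 0
    while i < len(args):
        if args[i].startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            out[args[i][1:]] = args[i + 1]
            i += 2
        else:
            i += 1
    return out


def classify_network(rows: str) -> Dict[str, Dict[str, List[str]]]:
    """Bucket destinations by domain: noise, pki (CRL/OCSP) or candidate (everything else)."""
    buckets = {"noise": {}, "pki": {}, "candidate": {}}
    for line in rows.splitlines():
        _country, dest, domain, proto = line.split()
        if NOISE_DOMAIN_RE.search(domain):
            bucket = "noise"
        elif PKI_DOMAIN_RE.match(domain):
            bucket = "pki"
        else:
            bucket = "candidate"
        endpoints = buckets[bucket].setdefault(domain, [])
        # Resolver endpoints (port 53) are dropped, but the domain stays so a lookup
        # without a follow-up connection still surfaces in its bucket.
        if not dest.endswith(":53"):
            endpoints.append(f"{dest}/{proto}")
    return buckets


def classify_registry(event: str) -> str:
    """Label one registry row: VirtualBox ACPI probe, BIOS fingerprint, root-store write, or other."""
    path = event.split("\\REGISTRY\\", 1)[1] if "\\REGISTRY\\" in event else event
    # VirtualBox stamps its DSDT/FADT/RSDT tables with the VBOX__ OEM id; the key exists only on a guest.
    if re.search(r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", path, re.I):
        return "anti-vm: VirtualBox ACPI table name"
    if re.search(r"HARDWARE\\DESCRIPTION\\System\\BIOS", path, re.I):
        return "fingerprint: BIOS/SMBIOS strings"
    m = re.search(r"SystemCertificates\\(\w+)\\Certificates\\([0-9A-Fa-f]{40})", path)
    if m:
        store, thumb = m.group(1), m.group(2).upper()
        name = KNOWN_PUBLIC_ROOTS.get(thumb)
        if name:
            return f"root-store: {store} write of known public root ({name}); likely automatic root caching"
        return f"root-store: {store} write of unknown thumbprint {thumb}; verify manually"
    return "other"


def triage() -> Dict[str, object]:
    """Tie the pieces together: the /h switch should show up as a candidate network destination."""
    switches = parse_switches(DROPPER_CMDLINE)
    net = classify_network(NETWORK_ROWS)
    return {
        "switches": switches,
        "network": net,
        "registry": [classify_registry(e) for e in REGISTRY_EVENTS],
        "cmdline_host_seen_on_wire": switches.get("h") in net["candidate"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run as a script it prints the triage dictionary; the useful outputs are the single candidate domain with its non-resolver endpoint, the AuthRoot write labelled as a known public root, and the confirmation that the host from the /h switch was actually contacted. Swap in the rows from another report, or extend KNOWN_PUBLIC_ROOTS with further thumbprints, to reuse it.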

Files

C:\Users\Admin\AppData\Local\Temp\n8879\s8879.exe

MD5 292e5b0c53667812a05ff25415e0b91b
SHA1 35e0bd0943c7b449911592a0b6812642e3011c77
SHA256 8ae142e7f6df8ee05c81d0317b284a747a19ae4e0a492208b04a3d25968ae574
SHA512 1d984e94b25c4c51cff98a2e63795bce465e8ca526d9e391b09d12d148745b8011a22d21760bc12cf79f83adca34f22775d2e53e45311c25d4bd8d92bdfb2bd3

memory/2680-14-0x00007FFC3F3B5000-0x00007FFC3F3B6000-memory.dmp

memory/2680-15-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-24-0x0000000001450000-0x000000000145E000-memory.dmp

memory/2680-27-0x000000001C790000-0x000000001CC5E000-memory.dmp

memory/2680-28-0x000000001C170000-0x000000001C20C000-memory.dmp

memory/2680-29-0x0000000001460000-0x0000000001468000-memory.dmp

memory/2680-30-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-31-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-32-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-33-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-34-0x000000001FDC0000-0x000000001FE22000-memory.dmp

memory/2680-35-0x0000000020370000-0x00000000204AC000-memory.dmp

memory/2680-36-0x00000000209C0000-0x0000000020ECE000-memory.dmp

memory/2680-37-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-38-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-39-0x00007FFC3F3B5000-0x00007FFC3F3B6000-memory.dmp

memory/2680-40-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-41-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

memory/2680-43-0x00007FFC3F100000-0x00007FFC3FAA1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 06:58

Reported

2024-05-13 07:00

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe

"C:\Users\Admin\AppData\Local\Temp\n8876\s8876.exe" ins.exe /t 54146c05561ca39e0b8b4585 /u ad0d8641-dff0-11e3-8a58-80c16e6f498c /h eb4993.api.socdn.com /e 12932238 /v "C:\Users\Admin\AppData\Local\Temp\3e4133340e0037854c020b73d139943a_JaffaCakes118.exe"

Same switches and values as in the Windows 10 detonation (behavioral2); only the drop directory differs (n8876 instead of n8879), and the dropped file has the same hashes.

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.globalsign.net udp
US 104.18.20.226:80 crl.globalsign.net tcp
US 8.8.8.8:53 eb4993.api.socdn.com udp
US 76.223.26.96:80 eb4993.api.socdn.com tcp

The Windows 7 run shows only the two contacts attributable to the sample, the GlobalSign CRL fetch and the /h host on TCP port 80, without the Edge and Bing background traffic of the Windows 10 image. The certificate-store and Desktop.ini writes recorded in behavioral2 do not appear in this run.

Files

\Users\Admin\AppData\Local\Temp\n8876\s8876.exe

MD5 292e5b0c53667812a05ff25415e0b91b
SHA1 35e0bd0943c7b449911592a0b6812642e3011c77
SHA256 8ae142e7f6df8ee05c81d0317b284a747a19ae4e0a492208b04a3d25968ae574
SHA512 1d984e94b25c4c51cff98a2e63795bce465e8ca526d9e391b09d12d148745b8011a22d21760bc12cf79f83adca34f22775d2e53e45311c25d4bd8d92bdfb2bd3

memory/2940-17-0x000007FEF552E000-0x000007FEF552F000-memory.dmp

memory/2940-18-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

memory/2940-34-0x0000000000410000-0x000000000041E000-memory.dmp

memory/2940-35-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp