Malware Analysis Report

2025-08-10 21:29

Sample ID 240527-w5df3sdc9z
Target 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118
SHA256 cce9695bdbf64377264d6afee73cb26e178ee87dfc42f5543ad8b4f5a5587fd8
Tags
score
7/10


Analysis Overview

score
7/10

SHA256

cce9695bdbf64377264d6afee73cb26e178ee87dfc42f5543ad8b4f5a5587fd8

Threat Level: Shows suspicious behavior

The file 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 18:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 18:29

Reported

2024-05-27 18:32

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 3120 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
PID 3120 wrote to memory of 3224 (4 events) N/A C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe C:\Windows\system32\svchost.exe
PID 2928 wrote to memory of 4628 (4 events) N/A C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
    Command line: C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
    Command line: C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
IN 103.219.213.102:449 tcp
IN 103.219.213.102:449 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

MD5 7a17dfe6888695511cecb4fd37c297b2
SHA1 29eaef941d3dff65d2224d24f6dc99690ddffd5f
SHA256 cce9695bdbf64377264d6afee73cb26e178ee87dfc42f5543ad8b4f5a5587fd8
SHA512 5e1914db199a532c18ee30908011ac0aef7a1154806a87948a05d44c52edfa228623a5cd326a18fcf828ecc8bde8f00019b6a182960fabf394dda37a839a196b


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 18:29

Reported

2024-05-27 18:32

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2520 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
PID 2520 wrote to memory of 1968 (6 events) N/A C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe C:\Windows\system32\svchost.exe
PID 2736 wrote to memory of 1228 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
PID 1228 wrote to memory of 2748 (6 events) N/A C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
    Command line: C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {D159A3EA-59D0-467F-960E-C0AD28456C16} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
    Command line: C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

MD5 7a17dfe6888695511cecb4fd37c297b2
SHA1 29eaef941d3dff65d2224d24f6dc99690ddffd5f
SHA256 cce9695bdbf64377264d6afee73cb26e178ee87dfc42f5543ad8b4f5a5587fd8
SHA512 5e1914db199a532c18ee30908011ac0aef7a1154806a87948a05d44c52edfa228623a5cd326a18fcf828ecc8bde8f00019b6a182960fabf394dda37a839a196b
