Malware Analysis Report

2025-08-05 09:35

Sample ID 240528-bmax1sac83
Target 7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118
SHA256 f9c67313230bfc45ba8ffe5e6abeb8b7dc2eddc99c9cebc111fcd7c50d11dc80
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f9c67313230bfc45ba8ffe5e6abeb8b7dc2eddc99c9cebc111fcd7c50d11dc80

Threat Level: Shows suspicious behavior

The file 7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 01:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\petronel.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 3968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 3968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 3968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\petronel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\petronel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win7-20240419-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 ed04f76422a68aa282da0adf017f1a96
SHA1 63862b6d935ac184b4faef4649ac5be14ddf8505
SHA256 9f652f774eaeaa769f245bfc7e3a6d11b04068cc1618f49dc760eea3518b2bb6
SHA512 59f3f8d7fbda57ee7f735014c4a7c2ddbb97a35c48725392fe1528998db9cdb8d2a69fbb068bd20cfaf58b5b3ce79af34c270f9a2bcd6e89e7ee21afe3aa8255

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win10v2004-20240426-en

Max time kernel

4s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118.exe"

Signatures

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\petronel.dll

MD5 437b11c6cce872c4c7e94b30e5812997
SHA1 219f7dcf754dba48c53cf3cde5637cc4adceb3cc
SHA256 4a5164acce1c631285a09353b11e318426800801cac515bde8e76a10bac6130f
SHA512 11ea28de7d274a58eda40e2eda176de898558cea2cff4045b27f4282baa5d0cfed1cc1c4f49abb7bbcf79fa70585424e9ce5dd642fe5f98a7db948a21b2442c2

C:\Users\Admin\AppData\Local\Temp\nsl495E.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\WindNinja-2.0.1\

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 ed04f76422a68aa282da0adf017f1a96
SHA1 63862b6d935ac184b4faef4649ac5be14ddf8505
SHA256 9f652f774eaeaa769f245bfc7e3a6d11b04068cc1618f49dc760eea3518b2bb6
SHA512 59f3f8d7fbda57ee7f735014c4a7c2ddbb97a35c48725392fe1528998db9cdb8d2a69fbb068bd20cfaf58b5b3ce79af34c270f9a2bcd6e89e7ee21afe3aa8255

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win7-20240221-en

Max time kernel

4s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118.exe"

Signatures

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7b3491e0028d443f11989efaeb0fbec2_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd92CE.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

\Users\Admin\AppData\Local\Temp\petronel.dll

MD5 437b11c6cce872c4c7e94b30e5812997
SHA1 219f7dcf754dba48c53cf3cde5637cc4adceb3cc
SHA256 4a5164acce1c631285a09353b11e318426800801cac515bde8e76a10bac6130f
SHA512 11ea28de7d274a58eda40e2eda176de898558cea2cff4045b27f4282baa5d0cfed1cc1c4f49abb7bbcf79fa70585424e9ce5dd642fe5f98a7db948a21b2442c2

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4480 wrote to memory of 820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4480 wrote to memory of 820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 820 -ip 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-28 01:15

Reported

2024-05-28 01:17

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\petronel.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\petronel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\petronel.dll,#1

Network

N/A

Files

N/A