Malware Analysis Report

2025-08-10 21:32

Sample ID 240529-ktpt7ahc51
Target 802b6def10fcec61c933514d0ea879f5_JaffaCakes118
SHA256 cfaf57d9ec003548a67e238b83b43a8f665963bdca897e18890b82cc367c5f0e
Tags
upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cfaf57d9ec003548a67e238b83b43a8f665963bdca897e18890b82cc367c5f0e

Threat Level: Shows suspicious behavior

The file 802b6def10fcec61c933514d0ea879f5_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 08:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 08:53

Reported

2024-05-29 08:56

Platform

win7-20240221-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\IFinst27.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IFinst27.exe C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe"

C:\Windows\IFinst27.exe

"C:\Windows\IFinst27.exe" -IC:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe

Network

N/A

Files

memory/1964-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1964-3-0x00000000003D0000-0x00000000003FB000-memory.dmp

C:\Windows\IFinst27.exe

MD5 9c17bca3ef837bacded7e4299508e71d
SHA1 253c7e956ad6cb66e0e47e5d9a6a19d78e9c96e0
SHA256 2405e5479aeb7d43d1362969b9c439e5931b8f900f9adfe0faaa986365415193
SHA512 12c1c5dbdf763d6d361b9d412794b0d85b6134843114120b843f30db198a3a211e2c06eadd3ed25271b4cd06a7367df7dafc6b9b33b1bce479f3ad050caeb625

memory/1616-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1964-9-0x00000000003D0000-0x00000000003FB000-memory.dmp

memory/1964-8-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ifB47.tmp

MD5 685dbe0f65c1c68721bfdd2b922ba22d
SHA1 7b0ed045ce0baa6ba0089d27cdf0306c05542762
SHA256 73593e971c7a00dc7638b1e2c9427c1fbe8ae37f3c308d28d7f8b0ccfab27050
SHA512 6d7d95073b14b336bfe9af9aafe2ee8c2e60e0a80fb1e0fa36b99c756d7d099b3a2d5e4276465fd5faa39592130af7e1539720bc8a5a5624b5171ddd1885ce8f

memory/1616-39-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1964-41-0x00000000003D0000-0x00000000003FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 08:53

Reported

2024-05-29 08:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\IFinst27.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IFinst27.exe C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe"

C:\Windows\IFinst27.exe

"C:\Windows\IFinst27.exe" -IC:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.179:443 www.bing.com tcp
US 8.8.8.8:53 179.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/2356-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\IFinst27.exe

MD5 9c17bca3ef837bacded7e4299508e71d
SHA1 253c7e956ad6cb66e0e47e5d9a6a19d78e9c96e0
SHA256 2405e5479aeb7d43d1362969b9c439e5931b8f900f9adfe0faaa986365415193
SHA512 12c1c5dbdf763d6d361b9d412794b0d85b6134843114120b843f30db198a3a211e2c06eadd3ed25271b4cd06a7367df7dafc6b9b33b1bce479f3ad050caeb625

memory/2356-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3224-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_if567C.tmp

MD5 685dbe0f65c1c68721bfdd2b922ba22d
SHA1 7b0ed045ce0baa6ba0089d27cdf0306c05542762
SHA256 73593e971c7a00dc7638b1e2c9427c1fbe8ae37f3c308d28d7f8b0ccfab27050
SHA512 6d7d95073b14b336bfe9af9aafe2ee8c2e60e0a80fb1e0fa36b99c756d7d099b3a2d5e4276465fd5faa39592130af7e1539720bc8a5a5624b5171ddd1885ce8f

memory/3224-35-0x0000000000400000-0x000000000042B000-memory.dmp