Malware Analysis Report

2025-08-05 15:49

Sample ID 240529-lg7pxaah53
Target 804539f335d0fd4413ea225c9c20f637_JaffaCakes118
SHA256 74eee6958f83d3b1edc92f2b1e81602b3f27734de7dfa873dc6e01f1907049d6
Tags
persistence
score
7/10

Analysis Overview

score
7/10

SHA256

74eee6958f83d3b1edc92f2b1e81602b3f27734de7dfa873dc6e01f1907049d6

Threat Level: Shows suspicious behavior

The file 804539f335d0fd4413ea225c9c20f637_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 09:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 09:31

Reported

2024-05-29 09:33

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Network

N/A

Files

memory/1364-0-0x0000000001000000-0x00000000011D3000-memory.dmp

memory/1364-1-0x0000000000900000-0x0000000000AD3000-memory.dmp

memory/1364-2-0x0000000001001000-0x0000000001002000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

MD5 ff977f9cde2cdb16fa62a7d4d250f8cb
SHA1 9461780db5e5317f4c1bb30d72d4bfd823bea075
SHA256 d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7
SHA512 9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.ini

MD5 c9a11a08e8dbbcf834d173ab7e1bdad0
SHA1 6b7f81507e1488f9e6ca8cc2e82f858241dad71d
SHA256 68e0556705895c69b412fc89c09f5c97a74aa8144eed32de6cf87e20c6a0fc8c
SHA512 5a0ed4bb438fb0c6c1afdc0078cebfd75f30ccf50b16e38b3c4edd8526b7adc89e2379c7b83050f40a36fe2c39975f2c5d6b2f78fba79291ba558135ebe63187

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1043.dll

MD5 46a7ea002ef7b103db7a00055e190d37
SHA1 90be245628bd8e1f75a6952d3286bea68dad1c98
SHA256 ffd39503988ebdd48517df412908ad6b01ccdc88d5c2289e60090252a04097a1
SHA512 44990f5cd07f0942f8f3c2703d1f8de2dd9ecc917a32fab4056fb3029dd68de5e80f3bd0054efdd9bd100d398c66cfda595701365a418b52241b55d0164033c4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\langpack.msi

MD5 a7c824cb242e1c78d9e67c88bc390ca4
SHA1 f19f74e7aad5baa18fcfb8f86069030934c4e7f3
SHA256 b635343d230a62455678805aeb063ca226b11a767234f447ec410067557214ca
SHA512 59799f54eca2604438e0670b7f088f71666f872f2daae420b06fc7f8b653643790b355752e38a13347b0654c7d729c1c2b42d67bfe5623e93c60ea58ca202902

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\netfx.bmp

MD5 06fba95313f26e300917c6cea4480890
SHA1 31beee44776f114078fc403e405eaa5936c4bc3b
SHA256 594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA512 7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eula.1043.txt

MD5 405b1986e23bd7a509535e06e905ac45
SHA1 5a037e0801d462801f51084162d1cc897f75433a
SHA256 15cf80fe4e0629a834ff9b1b04666f4377eeef1f67257d672aa7c3eced09d152
SHA512 765285159143755672468a7a98da7caf3c73e9f0a9e31db6fdffde689a0a87220eb31fbb8e0aaa79a02a42f6c94ea4d129d683dc2d6250abc9114d99e3926e49

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 09:31

Reported

2024-05-29 09:34

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
GB | 142.250.187.234:443 | | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

memory/4728-0-0x0000000001000000-0x00000000011D3000-memory.dmp

memory/4728-1-0x0000000001000000-0x00000000011D3000-memory.dmp