Malware Analysis Report

2025-06-16 07:28

Sample ID 240602-fhms8scc54
Target 8cefdf73de8d64c112c99a63899ef219_JaffaCakes118
SHA256 23aa88fe694bb25d999afd991a0c712695bf8abe48ed4353f317436691270b0e
Tags
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

23aa88fe694bb25d999afd991a0c712695bf8abe48ed4353f317436691270b0e

Threat Level: Shows suspicious behavior

The file 8cefdf73de8d64c112c99a63899ef219_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 04:52

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:52

Reported

2024-06-02 04:55

Platform

win7-20240221-en

Max time kernel

147s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                                        Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp  N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                                        Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp

C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp /SL3 $80120 C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe 1828395 1831809 61952

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\INSA4E7.tmp

MD5 ef80f42a048f92263f758f14b09fa30d
SHA1 e250058636dee689d6a935d71c0f462e10457239
SHA256 a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e
SHA512 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed

\Users\Admin\AppData\Local\Temp\is-TK4DL.tmp\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1284-11-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2836-12-0x0000000000400000-0x000000000046A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 04:52

Reported

2024-06-02 04:55

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp

C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp /SL3 $8020C C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe 1828395 1831809 61952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa         udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa    udp
US       8.8.8.8:53          75.159.190.20.in-addr.arpa   udp
NL       23.62.61.194:443    www.bing.com                 tcp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa    udp
US       8.8.8.8:53          194.61.62.23.in-addr.arpa    udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa  udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53          205.47.74.20.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa  udp

Files

C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp

MD5 ef80f42a048f92263f758f14b09fa30d
SHA1 e250058636dee689d6a935d71c0f462e10457239
SHA256 a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e
SHA512 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed

memory/3988-7-0x0000000000630000-0x0000000000631000-memory.dmp

memory/2004-8-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3988-9-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3988-13-0x0000000000630000-0x0000000000631000-memory.dmp