Malware Analysis Report

2025-08-06 00:23

Sample ID 240611-a9nxqaxemd
Target 9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118
SHA256 154063fbc3d4ad6840cb0f38d10ebb1320bbd63c0973541e4bf384ae504a250d
Tags: upx
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

154063fbc3d4ad6840cb0f38d10ebb1320bbd63c0973541e4bf384ae504a250d

Threat Level: Shows suspicious behavior

The file 9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx

Loads dropped DLL

Executes dropped EXE

UPX packed file

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 00:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 00:54

Reported

2024-06-11 00:57

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch

Network

Country Destination Domain Proto
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp

Files

memory/4032-0-0x0000000000570000-0x00000000007CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 9c7fc7ec402f9ae00b297073d0437144
SHA1 90f7f9fea535beadb0fe3fe1f3839f3bf9110383
SHA256 154063fbc3d4ad6840cb0f38d10ebb1320bbd63c0973541e4bf384ae504a250d
SHA512 44ad68372d0a92273e2cd966836f1eac21f87e0f370d60638b529bf4f1fa7aa0f9440358d6856ad28a39cbd1436c923056971be9661771b723d81a13ddd4c7a9

memory/4032-7-0x0000000000570000-0x00000000007CC000-memory.dmp

memory/1792-6-0x00000000005F0000-0x000000000084C000-memory.dmp

memory/1792-11-0x00000000005F0000-0x000000000084C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 00:54

Reported

2024-06-11 00:57

Platform

win7-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows)

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9c7fc7ec402f9ae00b297073d0437144_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch

Network

Country Destination Domain Proto
US 8.8.8.8:53 trk.airinstaller.com udp (13 identical queries)
US 8.8.8.8:53 assets.airinstaller.com udp

Files

memory/2008-0-0x0000000001100000-0x000000000135C000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 9c7fc7ec402f9ae00b297073d0437144
SHA1 90f7f9fea535beadb0fe3fe1f3839f3bf9110383
SHA256 154063fbc3d4ad6840cb0f38d10ebb1320bbd63c0973541e4bf384ae504a250d
SHA512 44ad68372d0a92273e2cd966836f1eac21f87e0f370d60638b529bf4f1fa7aa0f9440358d6856ad28a39cbd1436c923056971be9661771b723d81a13ddd4c7a9

memory/2008-4-0x0000000002A30000-0x0000000002C8C000-memory.dmp

memory/2008-9-0x0000000001100000-0x000000000135C000-memory.dmp

memory/1184-10-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-11-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-12-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/2008-13-0x0000000002A30000-0x0000000002C8C000-memory.dmp

memory/1184-14-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-15-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-16-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-17-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-18-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-19-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-20-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-21-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-22-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-23-0x0000000000E50000-0x00000000010AC000-memory.dmp

memory/1184-25-0x0000000000E50000-0x00000000010AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44wgcOWxV7\intro_page.html

MD5 60995d04e55f8d138cf5183e95942906
SHA1 d90f51dd6705b94d7d3915dad623f61a7654a410
SHA256 05b3464493d500473e1370aafd8c0b8db1678bd38353237141997607caf5c132
SHA512 3886ba8025d96b3ba1522def75b997aec503505c14ec3364bba93fa8a5509c792b44bc67a9afbfcc4af9047bad69ae7c9dfd61ec094079cf7ddf3838704af871