Malware Analysis Report

2025-04-14 03:33

Sample ID 240612-2wd9xaxfrl
Target a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118
SHA256 06e187ee90ec1e32e8e0bb61a7f806a92dabe74d104a11b5b927c1bd23847524
score
8/10


Analysis Overview

score
8/10

SHA256

06e187ee90ec1e32e8e0bb61a7f806a92dabe74d104a11b5b927c1bd23847524

Threat Level: Likely malicious

The file a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary


Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 22:55

Signatures

NSIS installer

installer

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 22:55

Reported

2024-06-12 22:58

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Enumerates physical storage devices

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe

C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe

C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe

"C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.iwin.com udp
FR 52.222.169.2:80 dl.iwin.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.169.222.52.in-addr.arpa udp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.iwin.com udp
US 8.8.8.8:53 115.107.17.2.in-addr.arpa udp
US 35.153.119.44:80 www.iwin.com tcp
US 35.153.119.44:443 www.iwin.com tcp
US 8.8.8.8:53 44.119.153.35.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.200.245.18.in-addr.arpa udp
US 8.8.8.8:53 90.193.84.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
FR 13.249.8.192:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 img.iwin.com udp
FR 13.32.145.18:80 img.iwin.com tcp
US 8.8.8.8:53 192.8.249.13.in-addr.arpa udp
US 8.8.8.8:53 18.145.32.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\nsisdl.dll

C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe

C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\ftdownload.dat

C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe

C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\gametitle.txt

C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\BgImage.dll

C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\tn_feat.bmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 22:55

Reported

2024-06-12 22:58

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.iwin.com udp

Files

\Users\Admin\AppData\Local\Temp\nst1028.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nst1028.tmp\nsisdl.dll