Malware Analysis Report

2025-04-14 03:39

Sample ID 240612-s2j8nstgln
Target a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118
SHA256 1435200df894375b442850775293e22d5d324c0ff2221de767f6244f0479edc6
Tags
upx
score
7/10


Analysis Overview

Threat Level: Shows suspicious behavior (score 7/10).

The file a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118 was found to be: Shows suspicious behavior. The score is driven by the static findings (UPX packing, no Authenticode signature) together with the behavioral signatures listed below; no ATT&CK technique mapping survived on this page.

Malicious Activity Summary

upx

UPX packed file

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx


Analysis: static1

Detonation Overview

Reported

2024-06-12 15:37

Signatures

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
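The two static signatures above are cheap to reproduce without the sandbox: "UPX packed file" is normally flagged from the section names UPX writes, and "Unsigned PE" from an empty Security data directory. The following is an added example written for this page, not part of the sandbox's tooling, and it runs on a minimal PE32 image constructed in the block rather than on the report's sample. Section-name matching is a hint only (a repacked or renamed UPX stub will not match), and a non-empty Security directory only says a certificate blob is present, not that it verifies.

```python
"""Static pre-checks behind "UPX packed file" and "Unsigned PE": read the PE
section names and the Authenticode (Security) data directory straight from the
headers. Added example; the PE bytes it runs on are constructed below."""
import struct

# Section names UPX writes by default. A renamed stub will not match, so a hit
# is a hint and a miss only means "not default UPX".
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def pe_triage(data: bytes) -> dict:
    """Return section names plus upx_packed / has_authenticode flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY is data directory index 4; the directory
    # array starts at offset 96 (PE32) or 112 (PE32+) of the optional header.
    if magic == 0x10B:
        sec_dir = opt + 96 + 4 * 8
    elif magic == 0x20B:
        sec_dir = opt + 112 + 4 * 8
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    _sec_off, sec_size = struct.unpack_from("<II", data, sec_dir)
    sect_table = opt + opt_size
    names = []
    for i in range(nsections):
        raw = data[sect_table + i * 40: sect_table + i * 40 + 8]
        names.append(raw.split(b"\x00", 1)[0])
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        # Non-empty Security directory = a WIN_CERTIFICATE blob is present.
        # Whether it verifies needs WinVerifyTrust or an offline Authenticode check.
        "has_authenticode": sec_size > 0,
    }


def build_pe(section_names, signed: bool) -> bytes:
    """Constructed minimal PE32 image (headers only) for exercising pe_triage."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    opt_size = 224                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 128, 0x5000, 0x1000)  # Security dir: file offset, size
    sections = b"".join(n.ljust(8, b"\x00") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(pe_triage(build_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)))
    print(pe_triage(build_pe([b".text", b".rdata", b".data"], signed=True)))
```

For the real sample, unpacking with `upx -d` (or dumping after the stub has run, which is what the memory dumps in the behavioral runs below give you) is what turns the UPX tag into analyzable code; the static check only tells you that step is needed.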

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:37

Reported

2024-06-12 15:39

Platform

win7-20240419-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe"

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A

11 matches, none with per-match detail; the Files section below lists 11 memory dumps for PID 1824.

Enumerates physical storage devices

Modifies Internet Explorer settings (tags: adware, spyware)

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 assets.airinstaller.com udp

Files

memory/1824-0-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-1-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-2-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-3-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-4-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-5-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-6-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-8-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-9-0x0000000001050000-0x00000000012C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HIKvix5Fdw\intro_page.html

MD5 6eb05dd8dac412dde3c7c4c77fa795c2
SHA1 4a394aed261ac257c6def15e3b199bbdef869c4d
SHA256 14bac8532e27adf9f8a0645e953b6dbddbeffe0836de6ee53bedb4d6c3a8799e
SHA512 558e994205bd1a96c74d116e79f474b6ffd44f29545276fa122275d4c6c0bc24706e842ea6ebe729fcfd44a9fe5c01a3984dc75d94fddde8678520605395fc50

memory/1824-29-0x0000000001050000-0x00000000012C6000-memory.dmp

memory/1824-30-0x0000000001050000-0x00000000012C6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:37

Reported

2024-06-12 15:39

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe"

Signatures

Program crash: WerFault.exe was invoked twice for PID 2652 (the sample's process; the two memory dumps under Files are of that PID) as listed under Processes below. This is the crash counted in the Malicious Activity Summary; no per-signature table for this run survived on the page.

Processes

C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2652 -ip 2652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.114:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 114.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
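Read together, the two Network tables (win7 above under behavioral1 and win10 here) mix what the sample did with what the sandbox image does on its own: reverse lookups of resolver and CDN addresses and Bing/Edge traffic are environment background, while the `airinstaller.com` lookups are the only activity left to attribute to the sample. The block below, an added example and not the sandbox's own logic, parses both tables and splits them that way. The noise allowlist is an assumption about this sandbox image, and the parent-domain collapse is a naive last-two-labels split, not a Public Suffix List lookup.

```python
"""Separate sample-attributable network activity from sandbox/OS background in
the report's Network tables. Added example; rows copied from both tables."""
from collections import Counter

ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 assets.airinstaller.com udp
US 8.8.8.8:53 trk.airinstaller.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.114:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 114.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
"""

# Assumption for this sandbox image: reverse lookups and Bing/Edge traffic are
# background, not caused by the sample.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com")


def parse_rows(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":   # skip header / junk
            continue
        cc, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        entries.append({"cc": cc, "ip": ip, "port": int(port),
                        "domain": domain.lower(), "proto": proto.lower()})
    return entries


def triage(entries: list) -> dict:
    """Bucket per domain; count DNS resolutions separately from real connections,
    since a name that is only ever resolved was not necessarily reached."""
    out = {"attributable": {}, "noise": {}}
    for e in entries:
        bucket = "noise" if e["domain"].endswith(NOISE_SUFFIXES) else "attributable"
        d = out[bucket].setdefault(e["domain"], {"dns_queries": 0, "connections": set()})
        if e["port"] == 53 and e["proto"] == "udp":
            d["dns_queries"] += 1
        else:
            d["connections"].add((e["ip"], e["port"], e["proto"]))
    return out


def parent_domains(triaged: dict) -> Counter:
    """Collapse attributable hosts to a parent domain (naive last two labels, no PSL)."""
    c = Counter()
    for domain, d in triaged["attributable"].items():
        c[".".join(domain.split(".")[-2:])] += d["dns_queries"] + len(d["connections"])
    return c


if __name__ == "__main__":
    t = triage(parse_rows(ROWS))
    for domain, d in sorted(t["attributable"].items()):
        print(domain, "dns=%d" % d["dns_queries"],
              "connections=%s" % (sorted(d["connections"]) or "none"))
    print("parent domains:", dict(parent_domains(t)))
```

Note what the split leaves: `airinstaller.com` hosts were resolved ten times across both runs but no TCP connection to them appears in either table. The report does not record DNS answers, so whether the name failed to resolve or the connection was simply not captured cannot be read from this page; the repeated identical queries over the ~2 minute run are consistent with retries, nothing more.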

Files

memory/2652-0-0x0000000000C70000-0x0000000000EE6000-memory.dmp

memory/2652-2-0x0000000000C70000-0x0000000000EE6000-memory.dmp