Malware Analysis Report

2025-04-14 03:22

Sample ID 240612-t1425a1gpa
Target a157c71bbf2010904d0ebf204997d559_JaffaCakes118
SHA256 8df9b797d715806c7025589ba233f95d5a08e1c59317a7cebc29d2e009e6fef2
Tags
Score 5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 5/10

SHA256

8df9b797d715806c7025589ba233f95d5a08e1c59317a7cebc29d2e009e6fef2

Threat Level: Likely benign

The file a157c71bbf2010904d0ebf204997d559_JaffaCakes118 was found to be: Likely benign.

Malicious Activity Summary

Checks computer location settings

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-12 16:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-12 16:32

Reported 2024-06-12 16:34

Platform win7-20240220-en

Max time kernel 122s

Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\""

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 205.185.208.154:443 t8u4n6u7.ssl.hwcdn.net tcp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt

MD5 22d101d09ee9c25b0c795449a03098c0
SHA1 41a0fa393a5af805130787a443069c4c0f0581c4
SHA256 ab32295ad8528b009b1a9f45595c50c83b39b7324715d2207f6e10dcb8d0cca8
SHA512 d5b46a8e039c4025221b14d5406ae28546b95691f2287043acb59b2e3aef305b2d8245ef48eb3bf3dd90beae4edf78af6b17c5d57f357374c89ecebee090f4c6

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt

MD5 22fe874f55f0ade058f780de6d359cf5
SHA1 cbb6387d90a526f8ea2943898279c526615583d3
SHA256 a792147cc12ec10e3552bb9f51d4528dd420edeb26741e59c24d6542824ad63b
SHA512 dddac60a2940c1068df87977746a44a1015ce23cde68912633a3b4d6ac6d2c368100a2b42835fef34b8fc9b11bff7be0f2257b2d6dcec277e4cb13aa62b42def

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt

MD5 6441e1080c836c0c4978f5f30165919b
SHA1 2a365f8ff321967ac209067d58fe6a016b71feb8
SHA256 363d4985ed51d11caaa3893aaedfdf274df0d4d67d0b56b5db96ecdc214a7ce2
SHA512 f708b6fd54e9b7e663c221bfb0297929009a96a2253303a774e3fea622a2388463c957954705a89a93dc70225ab525a0774235f11db949237318f068f259f08b

memory/2176-63-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/2176-186-0x0000000000A00000-0x0000000000A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27967.bat

MD5 668767f1e0c7ff2b3960447e259e9f00
SHA1 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256 cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512 c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F~1.TXT

MD5 1565fb12aed65c905674f1532122889d
SHA1 e72e6352cdebeadc305482217a4741282989b636
SHA256 e15929de85eae6f05b66b23f6062ca1ebb323067267a7d47d102d8ea3c0defa5
SHA512 9f4d151ba20da5d4be38910cca31b841f397404bca52d01deaafe96ece9a8d8394e0de72235640e25fb357f72d7cc6e8fc845055a69c70fb90e7c391851036b4

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-12 16:32

Reported 2024-06-12 16:34

Platform win10v2004-20240508-en

Max time kernel 145s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\""

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9CA7CD6F4BA3BBEF8025E68A3B97_LogFile.txt

MD5 8b228411d918d2c963ea216956fc98a4
SHA1 d27a45e43ce771f419f2728a19cdf84bb39e0c26
SHA256 7cb571b83b173a714608c161bc7ad2ece07fcc884872755ca0fc744c6d55af80
SHA512 5f8a5d4cf207d785c279afa05b0ab9de761a1ac733b1cf0ae1c3bc4bfd92f00306f3409aa4a8547322fa02ad1bda34c592153eff90876ea65bc6c0e08c962df1

C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9CA7CD6F4BA3BBEF8025E68A3B97_LogFile.txt

MD5 078c3de8f40eab2f97da1fee31e90dc8
SHA1 10785834dfb8ea962764a9c1f672944392fbfff0
SHA256 43cedaadb016ba86a5ddfe5492859c1ad65d3c73fad13b2bfeeacf47053a5b02
SHA512 bb12b6835ec2854837f86163610538516cf3774a6e98f0c85bc4c3db8b861300af8c31a452e841d5d458f9e9940302f1ad06c48f39465a893b93d85a299319fc

memory/4564-63-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/4564-156-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27967.bat

MD5 668767f1e0c7ff2b3960447e259e9f00
SHA1 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256 cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512 c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9C~1.TXT

MD5 2327b6e86e16dd3ae8edd68e6296cb7d
SHA1 5f97fdc95ab75af67062cd4b54c24919aa1fd6b6
SHA256 6b417f61ac10752bd6736b069022e961e62837d6d8b8042da1ecfb21abc0a54b
SHA512 2faf20f8a71c2418f8223baaeda75cdfc2d0cc895177c0a85ad115f4fd2fa335803868b6eaca12c2798f6d075215a8715f83bcfafc19b887415ba67422ff924e