Malware Analysis Report

2025-08-05 15:16

Sample ID 240825-hwh4bashpp
Target c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118
SHA256 469b12491ca4a39988193fdc1929c2dd8e871f5961d4c70209b536c88c67ee80
Tags
defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

469b12491ca4a39988193fdc1929c2dd8e871f5961d4c70209b536c88c67ee80

Threat Level: Shows suspicious behavior

The file c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery

Deletes itself

Indicator Removal: File Deletion

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 07:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 07:05

Reported

2024-08-25 07:08

Platform

win7-20240705-en

Max time kernel

16s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Outlook Express\system.exe | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Outlook Express\system.exe | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Mole.Mol | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Mole.Mol | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
File created | C:\Windows\Mole.dll | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c Deleteme.bat

Network

N/A

Files

memory/2160-0-0x0000000000400000-0x0000000000504000-memory.dmp

memory/2160-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2160-1-0x0000000000400000-0x0000000000504000-memory.dmp

memory/2160-4-0x00000000003B0000-0x00000000003B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

MD5 7bfdbc0952790cb46a1cb492d0acb5e4
SHA1 26494f976ed8b7b21fd3f7a8575a0ded5b34c42a
SHA256 743a0d39099d7392d4abc46f745f3168f1b6798570cb2e503cd8875df0b4a117
SHA512 662c759140dc719328e2309d10c4449448f878b705a297f558e96a310567c28dd7d2d4fddd2131aa68d354006987224917e70b2b25fb88d81c810a4d1c022f35

memory/2160-13-0x0000000000400000-0x0000000000504000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 07:05

Reported

2024-08-25 07:08

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe"

Signatures

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Outlook Express\system.exe | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
File created | C:\Program Files\Outlook Express\system.exe | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Mole.Mol | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Mole.Mol | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
File created | C:\Windows\Mole.dll | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c03448393c61f959a240ee5bcb45ef1a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Deleteme.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/1920-0-0x0000000000400000-0x0000000000504000-memory.dmp

memory/1920-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/1920-2-0x0000000000400000-0x0000000000504000-memory.dmp

memory/1920-3-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/1920-8-0x0000000000400000-0x0000000000504000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

MD5 7bfdbc0952790cb46a1cb492d0acb5e4
SHA1 26494f976ed8b7b21fd3f7a8575a0ded5b34c42a
SHA256 743a0d39099d7392d4abc46f745f3168f1b6798570cb2e503cd8875df0b4a117
SHA512 662c759140dc719328e2309d10c4449448f878b705a297f558e96a310567c28dd7d2d4fddd2131aa68d354006987224917e70b2b25fb88d81c810a4d1c022f35