Malware Analysis Report

2025-04-13 21:39

Sample ID: 240825-lkla3sxbqh
Target: c073afd8de644949c2c3598230216a66_JaffaCakes118
SHA256: c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d
Tags: discovery
Score: 5/10


Analysis Overview

Score: 5/10
SHA256: c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d
Threat Level: Likely benign

The file c073afd8de644949c2c3598230216a66_JaffaCakes118 was found to be: Likely benign.

Malicious Activity Summary

discovery

Checks computer location settings

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-08-25 09:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-25 09:35
Reported: 2024-08-25 09:38
Platform: win7-20240705-en
Max time kernel: 122s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\""

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DDFB6C12481E9E8B48DF4F206E6D_LogFile.txt

MD5 0afbd43579a9c07b24bfd1df3d9c5a91
SHA1 bd4719178500e5e0e0cae4747a16fba9effef5ac
SHA256 1bdbe06decceca9523823f1c9b2c34d1656152124ab4321888eada132e764f61
SHA512 4ff63efd5f820a5c5266a16c57f752ad074707680cf6036d1d812f12d7b39a9898ab9dc6c01e93aa164fa3399887898e6c7fa4ca199d60901bd138dfd4e779a4

memory/2772-65-0x0000000000470000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24436.bat

MD5 668767f1e0c7ff2b3960447e259e9f00
SHA1 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256 cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512 c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DD~1.TXT

MD5 80224460f59b41e96bcdc2f61f2cf089
SHA1 a974c29bfc8c4ae9b6baaa900e4b71ebb2eed947
SHA256 39133a3ef8637bd48a9f2ff3a1c43c50de7f975bf3d073a0940097f8be6a8166
SHA512 ce4d33895be10f3c0f29e5b08f924b40c11cfbfd54f39333b176d1631bd1c38f304fdf40126d15e782c406bd2b912514fb477b9440d54ac22d185223d372f1fb

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-25 09:35
Reported: 2024-08-25 09:38
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\""

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 log.web-installer-assets.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt

MD5 c0e2005d15ca85b8b0032b5939cc5655
SHA1 953ef2d872ffd164142665d3e076d0a55127ef3f
SHA256 17367c28e010e828dc6aa1abf73d86136e0b2e33ce886f09365e950955a98ce3
SHA512 69642555cbea5de86d600bab7b63b0b0e92fbacf8e986711a4b2004c2696912fc15d149c7c9d011b46ae3e3aba4852d9b791c07fb1f76b9c9c685aeb78a43e74

C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt

MD5 82902efa5f6150b52a85cf3bbdf1571a
SHA1 6a001febc1a27a38180f8379447ef48b87b5a51f
SHA256 1b63b6faf31df104a1d46a542bba5f9ac1364017470805afb3cfad52ac898b30
SHA512 5e4c5b5ab82fb96699129c95b2d709ccc4a58b14f6acc52afbeedd099d558591fba269c2316da63ae2ee2173b9f674624ed89c48473202d524f6dd8ad2dd2631

memory/3292-63-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24436.bat

MD5 668767f1e0c7ff2b3960447e259e9f00
SHA1 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256 cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512 c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B25~1.TXT

MD5 1c84506eaaf182f37aae28bee14594f5
SHA1 03f50088d9649b61ba4bdb9de5bad45847fd1ce1
SHA256 4c074f3139d82b90a8235e788179e528b0fc636e1d04c3494976ecc6b01168fc
SHA512 bf619e79adf529c77d34926af6fd9349aba81c4e25890ceba58599175fb9987b44e04c6acc5f8227467a0c95e662f458fa4b6a36351ce9e05a0a1d59ec485bad