Malware Analysis Report

2025-08-10 16:45

Sample ID 241014-sz2d6swdlm
Target 42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118
SHA256 e2a7bd9a92ea7c9a7d61f087231c0c14d76859132cef9ece8e812d34b7fe4219
Tags
credential_access discovery evasion spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

e2a7bd9a92ea7c9a7d61f087231c0c14d76859132cef9ece8e812d34b7fe4219

Threat Level: Shows suspicious behavior

The file 42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

credential_access discovery evasion spyware stealer

Reads local data of messenger clients

Reads data files stored by FTP clients

Identifies Wine through registry keys

Executes dropped EXE

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2024-10-14 15:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-14 15:34
Reported: 2024-10-14 15:37
Platform: win7-20241010-en
Max time kernel: 13s
Max time network: 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\d.exe
"C:\Users\Admin\AppData\Local\Temp\d.exe"

Network

N/A

Files

memory/1996-0-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-1-0x0000000000401000-0x0000000000426000-memory.dmp
memory/1996-2-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-3-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-4-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-5-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-6-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-7-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-12-0x00000000051F0000-0x00000000051F2000-memory.dmp
memory/2884-13-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\elisha1.jpg
MD5 566efe7e9551ea7a7a193c7d30cea01c
SHA1 18b949be3ee6c33b40d3db4f41f6d651f2e57500
SHA256 10bd1c8ded4e652cf4b9f1695cb7e745a7c339508f18dd00fda06f72b005f744
SHA512 615111a3b2ce52292525ada53f3b6c5f6dd687a899879835e06fa85428da423d30ff4ba1dc7a7fc218bf4e367a6aa7e6b9db66540f3c02f139482350df77c306

\Users\Admin\AppData\Local\Temp\d.exe
MD5 1cf59467542770f50b96b85e48458f18
SHA1 02e04f671ffdabf9e04298f4b1cbaf567d6c531c
SHA256 97049831ea1bd4a9c05412d346360fdb1918df7b62138f574bd696077f5aefb7
SHA512 c96cacb65b26847759cecc44acfb5d7f3fd5687b147c27b666773692d0a9786c12a7813e8c271032882ee23f3cb38ef14df03b2a952415584942631276abb6ef

memory/1996-24-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-25-0x0000000000401000-0x0000000000426000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-14 15:34
Reported: 2024-10-14 15:37
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/2276-0-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/2276-1-0x0000000000400000-0x00000000004E9000-memory.dmp