Malware Analysis Report

2025-08-10 16:44

Sample ID 241014-vm5xyazenk
Target 434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118
SHA256 59be93e99051b11574d3221f17d185e76ab559cf674eda3c51907789fd4820b5
Tags
discovery credential_access persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

59be93e99051b11574d3221f17d185e76ab559cf674eda3c51907789fd4820b5

Threat Level: Shows suspicious behavior

The file 434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery credential_access persistence spyware stealer upx

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Program crash

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 17:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 17:07

Reported

2024-10-14 17:09

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2896 -ip 2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 17:07

Reported

2024-10-14 17:09

Platform

win7-20240708-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SmartIndex = "C:\\Users\\Admin\\AppData\\Local\\Temp\\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\434369fc0428cceb84ee1ae49d1b323f_JaffaCakes118.exe"

Network

Country Destination Domain Proto
AR 190.103.209.49:80 tcp
N/A 127.0.0.1:49195 tcp
RO 79.118.28.13:80 tcp
N/A 127.0.0.1:49200 tcp
N/A 127.0.0.1:49203 tcp
US 74.65.251.46:80 tcp
N/A 127.0.0.1:49207 tcp
MK 31.11.82.4:80 tcp
MK 89.205.72.126:80 tcp
N/A 127.0.0.1:49211 tcp
N/A 127.0.0.1:49215 tcp
US 72.129.150.217:80 tcp
N/A 127.0.0.1:49219 tcp
KR 121.131.42.65:80 tcp
N/A 127.0.0.1:49223 tcp
KR 123.214.226.194:80 tcp
N/A 127.0.0.1:49227 tcp
US 72.229.142.42:80 tcp
N/A 127.0.0.1:49231 tcp
KR 118.36.89.66:80 tcp
N/A 127.0.0.1:49235 tcp
US 66.229.101.11:80 tcp
N/A 127.0.0.1:49239 tcp
US 68.33.174.31:80 tcp
US 67.149.243.13:80 tcp
N/A 127.0.0.1:49243 tcp
KR 203.252.165.63:80 tcp
N/A 127.0.0.1:49247 tcp
CA 174.114.252.24:80 tcp
N/A 127.0.0.1:49251 tcp
US 68.44.254.64:80 tcp
N/A 127.0.0.1:49255 tcp

Files

memory/2884-0-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2884-4-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2884-3-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2884-2-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2884-5-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2884-10-0x0000000000400000-0x00000000005C4000-memory.dmp