Malware Analysis Report

2025-08-05 11:54

Sample ID 241015-13e94szdje
Target 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118
SHA256 25e7b84fbbd135e31c0ee1e0569ebf39d663716768297a65a603cf4636a01ca8
Tags
credential_access discovery spyware stealer upx
score
7/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

credential_access discovery spyware stealer upx

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Reads local data of messenger clients

Checks installed software on the system

Looks up external IP address via web service

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-10-15 22:10

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 22:10

Reported

2024-10-15 22:12

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.akamai.com N/A N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe

"C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe"

C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe

"C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe"

Network


Files


C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe


C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe



C:\Users\Admin\AppData\Local\Temp\ufr_reports\NO_PWDS_report_15-10-2024_22-10-16-7F6F77BC-LOMJ.bin



Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 22:10

Reported

2024-10-15 22:12

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.akamai.com N/A N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe

"C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe"

C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe

"C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe"

Network


Files


\Users\Admin\AppData\Local\Temp\mcuicnt.exe


\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe



C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_15-10-2024_22-10-16-616974B5-GFKD.bin

