Malware Analysis Report

2025-08-06 02:51

Sample ID 241015-yms5xsyajm
Target 49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118
SHA256 6b547003e79ea94eb8192a4d33e13aeed014116627dfde76654d90f97e326c5c
Tags
discovery credential_access persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6b547003e79ea94eb8192a4d33e13aeed014116627dfde76654d90f97e326c5c

Threat Level: Shows suspicious behavior

The file 49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery credential_access persistence spyware stealer upx

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Program crash

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 19:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 19:54

Reported

2024-10-15 19:57

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3644 -ip 3644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 19:54

Reported

2024-10-15 19:57

Platform

win7-20240903-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SmartIndex = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49b7acd5095d6c22b08ea2a9a7ff6309_JaffaCakes118.exe"

Network

Country Destination Domain Proto
AR 190.103.209.49:80 tcp
N/A 127.0.0.1:49192 tcp
RO 79.118.28.13:80 tcp
N/A 127.0.0.1:49197 tcp
US 74.65.251.46:80 tcp
N/A 127.0.0.1:49201 tcp
MK 31.11.82.4:80 tcp
N/A 127.0.0.1:49205 tcp
MK 89.205.72.126:80 tcp
N/A 127.0.0.1:49209 tcp
US 72.129.150.217:80 tcp
N/A 127.0.0.1:49213 tcp
KR 121.131.42.65:80 tcp
N/A 127.0.0.1:49217 tcp
KR 123.214.226.194:80 tcp
N/A 127.0.0.1:49222 tcp
US 72.229.142.42:80 tcp
N/A 127.0.0.1:49226 tcp
KR 118.36.89.66:80 tcp
N/A 127.0.0.1:49229 tcp
US 66.229.101.11:80 tcp
N/A 127.0.0.1:49233 tcp
US 68.33.174.31:80 tcp
N/A 127.0.0.1:49237 tcp
US 67.149.243.13:80 tcp
N/A 127.0.0.1:49241 tcp
KR 203.252.165.63:80 tcp
N/A 127.0.0.1:49245 tcp
CA 174.114.252.24:80 tcp
N/A 127.0.0.1:49250 tcp

Files

memory/2308-1-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2308-4-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2308-3-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2308-6-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2308-5-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2308-7-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2308-8-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2308-14-0x0000000000400000-0x00000000005C4000-memory.dmp