Malware Analysis Report

2025-08-06 02:51

Sample ID 241015-za474avhmc
Target 49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118
SHA256 d4ab2abf7b2ff08839344f50cd51fa4305bbd72874134c29dcd1b3f0bdbd8cf5
Tags
credential_access discovery persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d4ab2abf7b2ff08839344f50cd51fa4305bbd72874134c29dcd1b3f0bdbd8cf5

Threat Level: Shows suspicious behavior

The file 49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

credential_access discovery persistence spyware stealer upx

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Adds Run key to start application

Checks installed software on the system

UPX packed file

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 20:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 20:31

Reported

2024-10-15 20:34

Platform

win7-20240708-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SonyAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 68.81.38.78:80 tcp
N/A 127.0.0.1:49215 tcp
CL 186.34.56.27:80 tcp
N/A 127.0.0.1:49221 tcp
VE 186.164.97.4:80 tcp
N/A 127.0.0.1:49225 tcp
PH 49.145.33.8:80 tcp
N/A 127.0.0.1:49229 tcp
PK 119.154.98.226:80 tcp
N/A 127.0.0.1:49233 tcp
KZ 109.239.37.15:80 tcp
N/A 127.0.0.1:49237 tcp
PA 190.140.78.64:80 tcp
N/A 127.0.0.1:49241 tcp
JP 118.86.148.68:80 tcp
N/A 127.0.0.1:49246 tcp
KZ 95.58.204.87:80 tcp
N/A 127.0.0.1:49250 tcp
US 184.170.52.21:80 tcp
N/A 127.0.0.1:49254 tcp
US 72.188.44.39:80 tcp
N/A 127.0.0.1:49257 tcp
AR 186.122.16.8:80 tcp
N/A 127.0.0.1:49261 tcp
N/A 127.0.0.1:49265 tcp
CL 190.54.93.177:80 tcp
N/A 127.0.0.1:49269 tcp
KZ 95.58.125.30:80 tcp
PT 78.130.56.18:80 tcp
N/A 127.0.0.1:49274 tcp

Files

memory/2084-5-0x0000000000400000-0x000000000063E000-memory.dmp

memory/2084-4-0x000000000057E000-0x000000000063D000-memory.dmp

memory/2084-3-0x0000000000400000-0x000000000063E000-memory.dmp

memory/2084-0-0x0000000000400000-0x000000000063E000-memory.dmp

memory/2084-2-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2084-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2084-6-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2084-8-0x0000000000400000-0x000000000063E000-memory.dmp

memory/2084-7-0x000000000057E000-0x000000000063D000-memory.dmp

memory/2084-17-0x0000000000400000-0x000000000063E000-memory.dmp

memory/2084-18-0x0000000000400000-0x000000000063E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 20:31

Reported

2024-10-15 20:34

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A