Malware Analysis Report

2025-08-06 02:50

Sample ID 241015-zbnxhazcqq
Target 49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118
SHA256 27751bb51090ddd1428a953e75a5058311511f86e253889fee1ea2ff2a4a6eb0
Tags
credential_access discovery persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

27751bb51090ddd1428a953e75a5058311511f86e253889fee1ea2ff2a4a6eb0

Threat Level: Shows suspicious behavior

The file 49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

credential_access discovery persistence spyware stealer upx

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Adds Run key to start application

Checks installed software on the system

UPX packed file

Unsigned PE

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 20:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 20:32

Reported

2024-10-15 20:35

Platform

win7-20241010-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AmdAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"
Process: C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
Target: N/A

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
Target: N/A

Checks processor information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Process: C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"

Network

Country  Destination           Domain  Proto
AR       170.51.228.48:80      N/A     tcp
N/A      127.0.0.1:49207       N/A     tcp
AR       186.157.199.18:80     N/A     tcp
N/A      127.0.0.1:49214       N/A     tcp
IL       85.64.144.46:80       N/A     tcp
N/A      127.0.0.1:49217       N/A     tcp
RU       89.108.113.8:80       N/A     tcp
N/A      127.0.0.1:49221       N/A     tcp
IN       117.211.21.133:80     N/A     tcp
N/A      127.0.0.1:49225       N/A     tcp
AR       200.114.241.234:80    N/A     tcp
N/A      127.0.0.1:49229       N/A     tcp
DE       89.167.37.70:80       N/A     tcp
N/A      127.0.0.1:49233       N/A     tcp
MX       187.184.183.221:80    N/A     tcp
N/A      127.0.0.1:49238       N/A     tcp
N/A      127.0.0.1:49242       N/A     tcp
IN       115.113.69.39:80      N/A     tcp
KR       182.211.217.75:80     N/A     tcp
N/A      127.0.0.1:49246       N/A     tcp
KZ       31.169.0.12:80        N/A     tcp
N/A      127.0.0.1:49249       N/A     tcp
AR       200.112.177.32:80     N/A     tcp
N/A      127.0.0.1:49253       N/A     tcp
CO       186.86.211.20:80      N/A     tcp
N/A      127.0.0.1:49257       N/A     tcp
MA       105.139.136.65:80     N/A     tcp
N/A      127.0.0.1:49261       N/A     tcp
FJ       119.235.87.27:80      N/A     tcp
N/A      127.0.0.1:49265       N/A     tcp
RO       5.13.149.68:80        N/A     tcp
N/A      127.0.0.1:49269       N/A     tcp

Files

memory/576-2-0x0000000002010000-0x0000000002011000-memory.dmp

memory/576-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/576-0-0x0000000000400000-0x000000000063D000-memory.dmp

memory/576-1-0x0000000000400000-0x000000000063D000-memory.dmp

memory/576-5-0x0000000000400000-0x000000000063D000-memory.dmp

memory/576-4-0x000000000057D000-0x000000000063C000-memory.dmp

memory/576-6-0x0000000000230000-0x0000000000231000-memory.dmp

memory/576-8-0x0000000000400000-0x000000000063D000-memory.dmp

memory/576-7-0x000000000057D000-0x000000000063C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 20:32

Reported

2024-10-15 20:35

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3868 -ip 3868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 304

Network

Country  Destination         Domain                          Proto
US       8.8.8.8:53          g.bing.com                      udp
US       150.171.27.10:443   g.bing.com                      tcp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53          10.27.171.150.in-addr.arpa      udp
US       8.8.8.8:53          134.190.18.2.in-addr.arpa       udp
US       8.8.8.8:53          17.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa       udp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53          53.210.109.20.in-addr.arpa      udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53          tse1.mm.bing.net                udp
US       150.171.27.10:443   tse1.mm.bing.net                tcp
US       150.171.27.10:443   tse1.mm.bing.net                tcp
US       150.171.27.10:443   tse1.mm.bing.net                tcp
US       150.171.27.10:443   tse1.mm.bing.net                tcp
US       150.171.27.10:443   tse1.mm.bing.net                tcp

Files

N/A