Malware Analysis Report

2025-08-06 02:50

Sample ID 241015-zj5j8azgrr
Target 49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118
SHA256 ea265c182d21d8c6f1869358ac56b26fa0d672f891253d6cb16ea9134fe13568
Tags
collection credential_access discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ea265c182d21d8c6f1869358ac56b26fa0d672f891253d6cb16ea9134fe13568

Threat Level: Shows suspicious behavior

The file 49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery spyware stealer

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Reads user/profile data of local email clients

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 20:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 20:45

Reported

2024-10-15 20:48

Platform

win7-20240729-en

Max time kernel

16s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempServices.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\TempServices.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempServices.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempServices.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempServices.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\TempServices.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\TempServices.exe

"C:\Users\Admin\AppData\Local\TempServices.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ya.ru udp
US 8.8.8.8:53 daemon656.freehostia.com udp
US 198.23.57.62:80 daemon656.freehostia.com tcp

Files

C:\Users\Admin\AppData\Local\TempServices.exe

MD5 e8c13edd0c811f324eb3c83f612cbdd1
SHA1 7d3aed4c01764c973bbeef3be43a254ddb436983
SHA256 1907aeca57ef7e1481086998de39c97551e2f494f3a122c988aff779e8ea5c12
SHA512 a2ca26ae9bebb979a3c119c855d34b35d4c1ef1d5adfaa64c133894a50a5b2c78eb45bb2a3dea90c503fcca8927afe52605015c92a4c0584d5eb58ff9882e097

memory/1216-11-0x0000000013140000-0x000000001317E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 20:45

Reported

2024-10-15 20:48

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempServices.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49ebd86c4cf621dbdaac2236d7ef45dd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\TempServices.exe

"C:\Users\Admin\AppData\Local\TempServices.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\TempServices.exe

MD5 e8c13edd0c811f324eb3c83f612cbdd1
SHA1 7d3aed4c01764c973bbeef3be43a254ddb436983
SHA256 1907aeca57ef7e1481086998de39c97551e2f494f3a122c988aff779e8ea5c12
SHA512 a2ca26ae9bebb979a3c119c855d34b35d4c1ef1d5adfaa64c133894a50a5b2c78eb45bb2a3dea90c503fcca8927afe52605015c92a4c0584d5eb58ff9882e097