Malware Analysis Report

2025-08-06 02:50

Sample ID 241015-zjg4xswdlb
Target 49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118
SHA256 acdd870b59bc8a3d464199fe6f72138dfb57f98bd60b0f5e6295d643025cbaee
Tags
credential_access discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

acdd870b59bc8a3d464199fe6f72138dfb57f98bd60b0f5e6295d643025cbaee

Threat Level: Shows suspicious behavior

The file 49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

credential_access discovery spyware stealer

Reads local data of messenger clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Checks computer location settings

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 20:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 20:44

Reported

2024-10-15 20:47

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 20:44

Reported

2024-10-15 20:47

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\49ead46b04d9bdf2050500dfad0d40d6_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Roaming\Patch-5.xx.exe

MD5 56f60965bb7cdfe328d691adb40591cc
SHA1 53481715a3822ae1498b2e58cb96c4e7e80c6179
SHA256 a11c768f5897a072ab01e36092afd0002c5ad825be609ef6f5fe4891f86ecf2d
SHA512 d2c2bdfffd4860336e25fad2f138c2160a085c9654e948ada0d8afb761e63c9ab723b6bc22b3f5fcf68341689ab3f6e1d96cbd6f8720fd1b061dfeb6f14a9fef