Malware Analysis Report

2025-03-15 08:22

Sample ID 241021-aj7xxazfpn
Target 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118
SHA256 9f1d2a6e48f68ff174717c8330208815a1dbfe1eaa0651cf26bb49b87d07b384
Tags
collection defense_evasion discovery evasion execution impact persistence ransomware trojan
score
9/10

Analysis Overview

Threat Level: Likely malicious

The file 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Deletes shadow copies

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer Phishing Filter

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

outlook_win_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 00:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 00:15

Reported

2024-10-21 00:18

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\explorer.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ehonybwq = "\"C:\\Windows\\evypgqom.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipecho.net N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1900 set thread context of 2576 N/A C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\evypgqom.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\evypgqom.exe C:\Windows\SysWOW64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files

memory/1900-0-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/1900-2-0x0000000000230000-0x0000000000284000-memory.dmp

memory/2576-5-0x0000000000150000-0x00000000001C1000-memory.dmp

memory/2576-4-0x0000000000150000-0x00000000001C1000-memory.dmp

memory/1900-8-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/2576-7-0x0000000000150000-0x00000000001C1000-memory.dmp

C:\ProgramData\equpigymawodulyx\iqojibaw

MD5 2507b6d48b0ea79589db0f1ae3c5519e
SHA1 712f2f6f86afebe3eff5a5429c6084eaf1996c54
SHA256 044c15c5615fd998214c5bdf51dc86ea5ba90956b2df7ef66ac0e04e4234d7eb
SHA512 f092950308270a532a2d0c7b54b33012af529393f026511d0d5409f9bab8ae2eac1f0a926a801d30cb464fab7344e60f6801fb89ba637d96774e39173a8e2605

memory/2576-19-0x0000000000150000-0x00000000001C1000-memory.dmp

memory/2576-18-0x0000000000150000-0x00000000001C1000-memory.dmp

memory/2576-14-0x0000000000150000-0x00000000001C1000-memory.dmp

memory/2576-20-0x0000000000150000-0x00000000001C1000-memory.dmp

memory/2576-23-0x0000000000150000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 00:15

Reported

2024-10-21 00:18

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omomywul = "\"C:\\Windows\\yswfenys.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipecho.net N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1536 set thread context of 3632 N/A C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\yswfenys.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\yswfenys.exe C:\Windows\SysWOW64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe"

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files

memory/1536-1-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/1536-2-0x0000000002230000-0x0000000002284000-memory.dmp

memory/3632-4-0x0000000001240000-0x00000000012B1000-memory.dmp

memory/3632-6-0x0000000001240000-0x00000000012B1000-memory.dmp

memory/1536-8-0x0000000002230000-0x0000000002284000-memory.dmp

memory/1536-7-0x0000000000400000-0x00000000004AC000-memory.dmp

C:\ProgramData\equpigymawodulyx\iqojibaw

MD5 2507b6d48b0ea79589db0f1ae3c5519e
SHA1 712f2f6f86afebe3eff5a5429c6084eaf1996c54
SHA256 044c15c5615fd998214c5bdf51dc86ea5ba90956b2df7ef66ac0e04e4234d7eb
SHA512 f092950308270a532a2d0c7b54b33012af529393f026511d0d5409f9bab8ae2eac1f0a926a801d30cb464fab7344e60f6801fb89ba637d96774e39173a8e2605

memory/3632-18-0x0000000001240000-0x00000000012B1000-memory.dmp

memory/3632-13-0x0000000001240000-0x00000000012B1000-memory.dmp

memory/3632-24-0x0000000001240000-0x00000000012B1000-memory.dmp