Malware Analysis Report

2025-03-15 04:37

Sample ID: 241027-2t9yssvfkp
Target: 765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118
SHA256: 099abdd3556d9f39ee963c663479fb2aa74af294ddadae6ef83ba71b7d035564
Tags: discovery persistence spyware stealer upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 099abdd3556d9f39ee963c663479fb2aa74af294ddadae6ef83ba71b7d035564

Threat Level: Known bad

The file 765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence spyware stealer upx

Modifies WinLogon for persistence

Reads user/profile data of web browsers

UPX packed file

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-10-27 22:53

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 22:53
Reported: 2024-10-27 22:56
Platform: win7-20241023-en
Max time kernel: 140s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\shell.exe"
Process: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe
Target: N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened (3 events)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2836 wrote to memory of 1768 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe
Target: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe

Description: PID 2836 wrote to memory of 2072 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe
Target: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft

C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp

Network

Country Destination Domain Proto
US 8.8.8.8:53 blogsmonitoringservice.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 protectyourpc-11.com udp
GB 216.58.212.196:80 www.google.com tcp
GB 216.58.212.196:80 www.google.com tcp
US 8.8.8.8:53 bigtelevideochanel.com udp
US 8.8.8.8:53 findeffectivecasino.com udp

Files

memory/2836-1-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2836-3-0x0000000000400000-0x0000000000475000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

MD5 f8775d59e14353a65c51d73941bb1eac
SHA1 08e1c47cb4c435f6467ccd98ce6233191a19bc6e
SHA256 d941e62d3b14fc2874389ead5466b24e8d025409204e28457caeb4c805bbda39
SHA512 96b0426df5149fb8d9be95201d6e345c026a1d1bd2dfda1b3edecafedc14727138cc39b95a9dbb609355781eb834fda04f3a87679c52b52a6f4db9f761591b98

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

MD5 5cbdda63a1ab4ba2a3ab0415e5029977
SHA1 3a8c2244af844e508c713151696385923150fd91
SHA256 537f1cf82d603620e3225925490b8063944c24e2a116fb7de4bf512a79b1573d
SHA512 4129672537876c6803b9a8d276a5534721533ac01b799fcc7da3709b5d140880d4a04e30bb5642f41a4df9f88965ae59a9c80a25650e921a6e0b70c30d424eaa

memory/1768-93-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1768-96-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1768-95-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2836-97-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2072-169-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2072-171-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2836-172-0x0000000000400000-0x0000000000475000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

MD5 e39bf41053064fbb4700a35fa1ffa919
SHA1 68cf15592057538b0af820e35d6e483711c2ab54
SHA256 87ca061313246ef15ec12805afd4063b07b57a6bf424f9b53676d89888860fe2
SHA512 07ee79538fba41c11d985bd8b3172aeba2818e4918643f17582827c158164895276b624df4203b2829b909af0b0f43f805a94f57d1e5e50624f6771dc229f3cc

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-27 22:53
Reported: 2024-10-27 22:56
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3940 -ip 3940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 492

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A