Malware Analysis Report

2025-03-15 04:37

Sample ID 241027-2tcy3avbkg
Target 765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118
SHA256 65e87e21a627624e05521d071894d8041bae2f904fdf480d5133d17d672d55eb
Tags
discovery persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

65e87e21a627624e05521d071894d8041bae2f904fdf480d5133d17d672d55eb

Threat Level: Known bad

The file 765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence spyware stealer upx

Modifies WinLogon for persistence

Reads user/profile data of web browsers

UPX packed file

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 22:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 22:52

Reported

2024-10-27 22:55

Platform

win7-20241010-en

Max time kernel

141s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A

The Shell value normally holds only explorer.exe. Winlogon starts every comma-separated entry at logon, so the appended C:\Users\Admin\AppData\Roaming\dwm.exe is launched each time this user logs on. The write lands in the user's own hive (\REGISTRY\USER\<SID>, i.e. HKCU), which needs no elevation, and dwm.exe borrows the name of the Desktop Window Manager, whose genuine binary lives in C:\Windows\System32.
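As an added example (not part of the sandbox report), the following Python check parses registry-write lines in the layout shown above and flags Winlogon Shell or Userinit values that carry anything beyond the Windows defaults. The input events and the defaults table are constructed here; the parser assumes the sandbox's `Set value (<type>) <key>\<name> = "<value>"` layout with backslashes doubled inside the quoted value, exactly as in the row above.

```python
import re

# Values Windows itself puts in the Winlogon key. Anything appended (comma-separated)
# is launched by Winlogon at logon and is therefore a persistence entry.
WINLOGON_DEFAULTS = {
    "Shell": ["explorer.exe"],
    "Userinit": [r"C:\Windows\system32\userinit.exe"],
}

# Constructed sample input: the registry write from the signature table above, plus a
# benign write of the default Shell value that must not be flagged.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
]

# Sandbox layout assumed here: Set value (<type>) <key>\<name> = "<value>"
EVENT_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<value>.*)"$'
)


def parse_winlogon_writes(events):
    """Yield (key, value_name, [entries]) for writes to the Winlogon values we care about."""
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key, name = m.group("key"), m.group("name")
        if not key.lower().endswith("\\windows nt\\currentversion\\winlogon"):
            continue
        if name not in WINLOGON_DEFAULTS:
            continue
        # The sandbox doubles backslashes inside the quoted value; undo that before splitting.
        raw = m.group("value").replace("\\\\", "\\")
        entries = [e.strip() for e in raw.split(",") if e.strip()]
        yield key, name, entries


def find_winlogon_tampering(events):
    """Return one finding per Winlogon write whose entries are not exactly the defaults."""
    findings = []
    for key, name, entries in parse_winlogon_writes(events):
        expected = {e.lower() for e in WINLOGON_DEFAULTS[name]}
        extra = [e for e in entries if e.lower() not in expected]
        if extra or not entries:  # an emptied value is suspicious too
            findings.append({
                "key": key,
                "name": name,
                # HKU\<SID> is the user's own hive (HKCU): writable without elevation.
                "hive": "user" if key.upper().startswith("\\REGISTRY\\USER\\") else "machine",
                "extra": extra,
            })
    return findings


if __name__ == "__main__":
    for f in find_winlogon_tampering(SAMPLE_EVENTS):
        print(f"{f['hive']} hive Winlogon\\{f['name']} gained: {f['extra']}")
```

On a live host the same comparison applies to the HKLM and every HKU\<SID> Winlogon key; the user-hive variant is easy to miss if a baseline only covers HKLM.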

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 rows, all fields N/A in this export)
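The UPX rows above carry no indicator, so as an added example (not from the report) here is a minimal PE section-table reader that applies the two usual UPX tells: section names beginning with UPX, and a first section with zero raw size but a non-zero virtual size, which UPX reserves as the destination for the unpacked code. The sample itself is not on this page, so `build_fake_pe` constructs a synthetic PE32 header as test input; on a real file call `upx_indicators(open(path, "rb").read())`.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40 bytes


def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    # 4-byte signature + 20-byte file header + optional header, then the section table.
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3]))
    return sections


def upx_indicators(data):
    """List the UPX tells present in the section table (empty list if none)."""
    sections = pe_sections(data)
    names = [s[0] for s in sections]
    findings = []
    if any(n.upper().startswith("UPX") for n in names):
        findings.append("UPX section names: " + ", ".join(names))
    # UPX leaves the first section empty on disk and fills it with the unpacked code at run time.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        findings.append("first section %s has raw size 0 but virtual size 0x%x"
                        % (sections[0][0], sections[0][1]))
    return findings


def build_fake_pe(section_specs):
    """Constructed test input: a minimal PE32 header (not runnable) with the given
    (name, virtual_size, raw_size) sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b"".join(
        SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                            raw, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, raw) in enumerate(section_specs)
    )
    return dos + b"PE\0\0" + file_header + optional + table


if __name__ == "__main__":
    sample = build_fake_pe([("UPX0", 0x20000, 0), ("UPX1", 0x9000, 0x8A00), (".rsrc", 0x1000, 0x400)])
    for finding in upx_indicators(sample):
        print(finding)
```

Renamed sections defeat the name check, so keep the raw-size heuristic (and section entropy) alongside it. For static work, `upx -d` restores the original PE when the packer has not been modified; the memory dumps listed under Files, covering the mapped image at 0x400000-0x466000, are where the unpacked code is found when it has.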

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A (3 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2528 wrote to memory of 1288 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
PID 2528 wrote to memory of 1528 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe

The first instance (PID 2528) writes into the memory of two further instances of the same executable (PIDs 1288 and 1528); the memory dumps under Files cover the image region 0x400000-0x466000 of all three.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"

Image: C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft

Image: C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp

The sample relaunches its own image twice; in both cases the single argument has the form start<path>%<directory>, naming a target path and its directory. Both targets reuse the names of Windows system processes (conhost.exe, csrss.exe) but point into user-writable directories under AppData, as does the dwm.exe path written to the Winlogon Shell value. The genuine binaries live under C:\Windows\System32, so these names are masquerading, and a process tree showing csrss.exe or conhost.exe under a user profile is a reliable hunting pivot.
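Added example, not from the report: parsing the relaunch arguments and checking every path they name (plus the Winlogon path from the persistence signature) for system-process names outside C:\Windows. The start<path>%<directory> layout is taken from the two command lines above; the name list and the trusted-prefix rule are this example's own assumptions, not something the sandbox provides.

```python
import ntpath

# Names of Windows system processes that malware borrows for its own files; the real
# ones live under C:\Windows (System32/SysWOW64), never under a user profile.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "conhost.exe", "dwm.exe", "smss.exe", "lsass.exe",
    "services.exe", "svchost.exe", "winlogon.exe", "explorer.exe",
}
# Assumption for this example: anything below C:\Windows is trusted. Tighten this if
# writable subdirectories such as C:\Windows\Temp matter in your environment.
TRUSTED_PREFIXES = ("c:\\windows\\",)

# Constructed sample input: the three command lines from the Processes list above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft',
    r'C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp',
]
# The path from the Winlogon Shell value in the persistence signature.
SAMPLE_REGISTRY_PATHS = [r"C:\Users\Admin\AppData\Roaming\dwm.exe"]


def split_self_start(cmdline):
    """Split '<image> start<path>%<dir>' into (image, target_path, target_dir).

    Returns None for command lines that do not follow that layout."""
    image, _, args = cmdline.partition(" ")
    if not args.lower().startswith("start"):
        return None
    target, sep, directory = args[len("start"):].partition("%")
    if not sep:
        return None
    return image.strip('"'), target, directory


def is_masquerading(path):
    """True when the file name is a system-process name but the path is outside C:\\Windows."""
    p = ntpath.normpath(path).lower()
    return ntpath.basename(p) in SYSTEM_PROCESS_NAMES and not p.startswith(TRUSTED_PREFIXES)


def find_masquerades(cmdlines, extra_paths=()):
    """Collect masquerading paths from relaunch command lines and any other known paths."""
    hits = []
    for cmdline in cmdlines:
        parsed = split_self_start(cmdline)
        if parsed is None:
            continue
        _image, target, directory = parsed
        if is_masquerading(target):
            hits.append({"source": "cmdline", "path": target, "dir": directory})
    for path in extra_paths:
        if is_masquerading(path):
            hits.append({"source": "registry", "path": path, "dir": ntpath.dirname(path)})
    return hits


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_CMDLINES, SAMPLE_REGISTRY_PATHS):
        print(f"{hit['source']}: {hit['path']}")
```

The same `is_masquerading` test works on process-creation telemetry (Sysmon event 1 Image, or the Image path of EDR process events); the argument splitter is specific to this sample's relaunch convention.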

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | registryeasy.com | udp
US | 13.248.169.48:80 | registryeasy.com | tcp
US | 8.8.8.8:53 | zonetf.com | udp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 8.8.8.8:53 | onloneservermonitoring.com | udp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 8.8.8.8:53 | zonere.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 172.217.169.4:80 | www.google.com | tcp
N/A | 127.0.0.1:57354 | N/A | tcp
US | 8.8.8.8:53 | zonetk.com | udp
GB | 172.217.169.4:80 | www.google.com | tcp

Of the sample-related names, registryeasy.com and zonetf.com are both resolved and then contacted over plain HTTP at the same address, 13.248.169.48:80; onloneservermonitoring.com, zonere.com and zonetk.com are only looked up, with no connection recorded. The www.google.com traffic and the loopback connection carry no domain indicator of their own.
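Added example, not from the report: turning the network table above into an indicator set, separating domains that were actually connected to from those that were only resolved, and dropping the traffic a sandbox image generates on its own. The table text is copied in as constructed input; the noise-suffix list and the loopback rule are this example's assumptions and should be tuned to the sandbox in use.

```python
# Constructed sample input: the behavioral1 Network table above, one row per line.
NETWORK_TABLE = """
US 8.8.8.8:53 registryeasy.com udp
US 13.248.169.48:80 registryeasy.com tcp
US 8.8.8.8:53 zonetf.com udp
US 13.248.169.48:80 zonetf.com tcp
US 13.248.169.48:80 zonetf.com tcp
US 8.8.8.8:53 onloneservermonitoring.com udp
US 13.248.169.48:80 zonetf.com tcp
US 13.248.169.48:80 zonetf.com tcp
US 13.248.169.48:80 zonetf.com tcp
US 8.8.8.8:53 zonere.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.169.4:80 www.google.com tcp
N/A 127.0.0.1:57354 tcp
US 8.8.8.8:53 zonetk.com udp
GB 172.217.169.4:80 www.google.com tcp
"""

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS forwarder: a row to it is a lookup, not C2
# Assumed background traffic of the sandbox image; extend per environment.
NOISE_SUFFIXES = (".in-addr.arpa", "google.com", "bing.com", "bing.net",
                  "microsoft.com", "windowsupdate.com")


def parse_network_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the domain column may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if ":" not in dest:  # skips a header line if one is pasted in
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "dest": dest, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Loopback connections without a name, and known background domains."""
    if not row["domain"]:
        return row["ip"].startswith("127.")
    return row["domain"].lower().endswith(NOISE_SUFFIXES)


def extract_iocs(text):
    """Return contacted domain -> {ip}, domains only resolved, and the set of contacted IPs."""
    contacted, queried = {}, set()
    for row in parse_network_rows(text):
        if is_noise(row):
            continue
        if row["dest"] == RESOLVER and row["proto"] == "udp":
            queried.add(row["domain"])
            continue
        # A direct-to-IP connection with no name is keyed by its IP.
        contacted.setdefault(row["domain"] or row["ip"], set()).add(row["ip"])
    return {
        "contacted": contacted,
        "queried_only": queried - set(contacted),
        "ips": set().union(*contacted.values()),
    }


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_TABLE)
    for domain, ips in sorted(iocs["contacted"].items()):
        print(f"contacted {domain} -> {sorted(ips)}")
    print("resolved only:", sorted(iocs["queried_only"]))
```

Before blocking on the IP, note that a single address fronting several unrelated-looking domains can be a parking or sinkhole service rather than attacker infrastructure; the domains themselves, and the resolved-only ones as fallback candidates, are the more durable indicators.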

Files

Memory dumps of the image region 0x400000-0x466000 from each of the three instances of the executable (PIDs 2528, 1288 and 1528), listed in capture order and interleaved with the one dropped file:

memory/2528-1-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2528-2-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1288-5-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1288-8-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1288-6-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2528-15-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Roaming\F580.591 (first capture)

MD5 9d90ea713c3ffd29270a1eda38e10934
SHA1 ef3e17a0037815dd871710c6df3f5b3ec5edf745
SHA256 be75712344a2cc670b42e387f1bab693660f219f8958f0e9b47cb53337a6dbd3
SHA512 b718e15a9a0dc7f07ed8c58323a67c7416650b92e665e05b824283667836ef92187ea90eb16e58737bb162a868f04c887564c532aae671e640c3d3e9761e43b7

memory/1528-79-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1528-81-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1528-80-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2528-82-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Roaming\F580.591 (second capture, different content)

MD5 58eeaa432882ef0966a054b3030f0449
SHA1 c26997c41077e83a67f329e5b69498defef71959
SHA256 cca4fbbc12daa3024667c78339481bc76a85d72c8cd0c4c434f6291e6da4cfcd
SHA512 e30d7efb6be3d5ec32991d07a44e6c6ace9cd4062fba1834ac1388250752f3cef0db94f937647dd01f4be54e894032808fcea72b2181e2805cbf735a34f58adc

C:\Users\Admin\AppData\Roaming\F580.591 (third capture, different content)

MD5 f9dd8cb0cd9ea2bde34cb6eae89b924f
SHA1 f334b7eb987e3788b112e6aaae14755b42453834
SHA256 0d2626085af2d17c31980b108b925170ded7f5ebcd1011ce2de9c12f305ea2ad
SHA512 2c97e583dca7f7e7108d8d5af5cf849658facd6a33342d0d6eb3b04da99688f7dc2c56b170479eb82648a032b57a5674936c8fb8c94f4c24e429ea3f49a65abc

memory/2528-173-0x0000000000400000-0x0000000000466000-memory.dmp

The same path, C:\Users\Admin\AppData\Roaming\F580.591, appears three times with three different hash sets, so the file was rewritten at least twice during the run; when hunting, match on the path and the write pattern rather than on any one hash. None of the target paths named on the command lines or in the Winlogon value (conhost.exe, csrss.exe, dwm.exe) appear among the captured files.

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:52

Reported

2024-10-27 22:55

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 468

WerFault.exe is Windows Error Reporting; -p 428 identifies the faulting process, which here is the sample (the SysWOW64 copy of WerFault handles 32-bit processes). This is the Program crash listed in the summary: on the Windows 10 image the sample crashed before reaching the persistence write, self-relaunch and network activity recorded in behavioral1, so the Windows 7 run is the one to rely on for indicators.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Every row here is reverse-DNS (in-addr.arpa) lookup or Bing traffic, the background activity of a Windows 10 image; none of the domains contacted in behavioral1 appears, in line with the crash recorded above. Do not treat these entries as indicators for the sample.

Files

N/A