Malware Analysis Report

2025-03-15 04:34

Sample ID 241027-z981bszrhv
Target 7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118
SHA256 dd7115e9b6024c63916aa9acf02c559168b6acb8cd73816ea1a00b4f3a678e92
Tags
credential_access discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

dd7115e9b6024c63916aa9acf02c559168b6acb8cd73816ea1a00b4f3a678e92

Threat Level: Shows suspicious behavior

The file 7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

credential_access discovery spyware stealer

Reads local data of messenger clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks computer location settings

Reads data files stored by FTP clients

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:26

Reported

2024-10-27 21:29

Platform

win7-20241010-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\xxxx.txt

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\xxxx.txt

MD5 a3ec811d5454ce4280cb981ed31b34b0
SHA1 6f8f71e24d999cb900d84af802ac50fd27f7d617
SHA256 203019c854aca4fec8b8ab02c83cebca1308e48d8b73eac8224623bfe2666ffc
SHA512 1f9efba91ed416b866f4d4c0081d80071fc822faa93d5cd0451ce4c268965c0a0d82d19bb4ae5037f1d5fd3082206526f77daed71a575f05e3a5d6843e63b4b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 21:26

Reported

2024-10-27 21:29

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7606acaa6deeeb6c7c8e1ba8e95b356c_JaffaCakes118.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\xxxx.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\xxxx.txt

MD5 a3ec811d5454ce4280cb981ed31b34b0
SHA1 6f8f71e24d999cb900d84af802ac50fd27f7d617
SHA256 203019c854aca4fec8b8ab02c83cebca1308e48d8b73eac8224623bfe2666ffc
SHA512 1f9efba91ed416b866f4d4c0081d80071fc822faa93d5cd0451ce4c268965c0a0d82d19bb4ae5037f1d5fd3082206526f77daed71a575f05e3a5d6843e63b4b5