Malware Analysis Report

2025-06-16 06:57

Sample ID: 241104-bpzddszcre
Target: 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118
SHA256: e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9
Tags: discovery evasion trojan upx
Score: 6/10


Analysis Overview

Score: 6/10

SHA256: e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9

Threat Level: Shows suspicious behavior

The file 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery evasion trojan upx

Checks whether UAC is enabled

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 01:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 01:19
Reported: 2024-11-04 03:39
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 96

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 01:19
Reported: 2024-11-04 03:37
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"

Signatures

Checks whether UAC is enabled (evasion trojan)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button1.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button4.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button3.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\js\js_api_dialer.php | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\Common\module.php | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button2.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\dialer.ico | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\instant access.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\dialexe.zl | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Windows\dialexe.epk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
File created | C:\Windows\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9} | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run" | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | scripts.dlv4.com | udp
NL | 95.211.219.65:80 | scripts.dlv4.com | tcp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.219.211.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 95.211.219.65:80 | scripts.dlv4.com | tcp
US | 8.8.8.8:53 | ww1.dlv4.com | udp
US | 208.91.196.145:80 | ww1.dlv4.com | tcp
US | 8.8.8.8:53 | 145.196.91.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/1516-0-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1516-3-0x0000000010000000-0x000000001004C000-memory.dmp

memory/1516-4-0x0000000010000000-0x000000001004C000-memory.dmp

memory/1516-5-0x0000000000400000-0x0000000000443908-memory.dmp

memory/1516-1-0x0000000010000000-0x000000001004C000-memory.dmp

C:\Windows\dialerexe.ini

MD5: 9a9b71d41b964aa053d25f020edcc118
SHA1: 6a885fc6ceb994f43a1f41723156e83101f35b05
SHA256: c44ddfc857788d4a937db7940aecedc7a99afe13ca8f936247d0eb6566b8bca9
SHA512: a4af3e4f11e4669067324ae8643aba7a7da6bad170bbb7914d3bdb96e9a889f6b9378269b444c41b44cad02f3abad751a9d2c3da83c8194fbb27efe32122ee64

C:\Program Files (x86)\Instant Access\Multi\20091016121022\instant access.exe

MD5: 8e70b7105035839b36c4af79ab9dc3e7
SHA1: ec864e373d03cd56b1ec2ec3ddda159eed49c66c
SHA256: e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9
SHA512: a4dec9c687a8dda095c9a5b413a9de2d15f588d4227fa8212db7bca647c3eed97faec27d08db07c66ef1d1e211f4e74efeb3b721b0ed7dfe3ff3986e88d6524a

C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk

MD5: c2abc8d78153f0af3ed8dfd28fde7012
SHA1: 046e93d5ffde6cc19f4003972ce03979a763eff3
SHA256: 59d3699e07144dd3dc71e2b2be331ec9c8d9e2f734d17021680b4e31bd40386b
SHA512: 426c7acee0993a360bc5e1b8297835b5a4f963ff07bb79c07a87bda80a6192ffff5b2779b5105ba12591259ee675bb262ce1c7c77992307369bc254673361a60