Malware Analysis Report

2025-06-16 06:56

Sample ID: 241104-cwfeja1dna
Target: 8eae60fba1baabbe66a794be50ca376b_JaffaCakes118
SHA256: f49e8cfd307af20bf391126c25c801c0c1fe96f08b725de7cbd1f539a805209d
Tags: discovery evasion trojan upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256

f49e8cfd307af20bf391126c25c801c0c1fe96f08b725de7cbd1f539a805209d

Threat Level: Shows suspicious behavior

The file 8eae60fba1baabbe66a794be50ca376b_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

discovery evasion trojan upx

Executes dropped EXE

Checks whether UAC is enabled

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

The only technique named in this export is System Location Discovery: System Language Discovery (T1614.001), recorded under the behavioral2 signatures below.

Analysis: static1

Detonation Overview

Reported

2024-11-04 02:25

Signatures

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 02:25

Reported

2024-11-04 04:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"

Signatures

No signature details were recorded for this run. The WerFault.exe invocation in the process list below (-p 2280) shows that the sample's process crashed on Windows 7, which is the "Program crash" entry in the summary; no files were dropped and no network activity was observed before it died.

Processes

C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 172

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:25

Reported

2024-11-04 04:54

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWow64\nsinet.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A

EnableLUA is the policy value that switches User Account Control on or off; an installer reads it to learn whether writing under System32 and Program Files will trigger an elevation prompt.

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A

UPX packed file

Tags: upx

No indicator details recorded.
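The two static verdicts in this report, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone. The Python below is an added example written for this page, not the sandbox's own detector: it walks the section table for the UPX0/UPX1 names, looks for the "UPX!" packer marker, and reads data directory slot 4 (the security directory), whose file offset and size locate the embedded Authenticode blob; a zero entry is what "Unsigned PE" means here. The build_minimal_pe helper fabricates a headers-only PE32 or PE32+ image so the check runs offline; the report's sample is not embedded. Two caveats a practitioner should keep in mind: a binary with an empty security directory can still be catalog-signed, and a UPX build with renamed sections defeats the name check (the marker check is the fallback).

```python
"""Static checks reproducing two report signatures, "UPX packed file" and
"Unsigned PE", straight from the PE headers (added example, not sandbox code)."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the Authenticode blob


def parse_pe(data: bytes) -> dict:
    """Return machine type, section names and the security directory (file offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories start at +96
        ndirs_off = 92
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at +108, directories start at +112
        ndirs_off = 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    security = (0, 0)
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:   # a short directory table means "no entry"
        security = struct.unpack_from(
            "<II", data, opt + ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_table = opt + opt_size                   # section headers follow the optional header
    names = [data[sec_table + 40 * i: sec_table + 40 * i + 8].rstrip(b"\0")
             for i in range(nsections)]
    return {"machine": machine, "sections": names, "security_dir": security}


def is_upx_packed(data: bytes) -> bool:
    """Section names UPX0/UPX1 or the 'UPX!' packer header near the section table."""
    info = parse_pe(data)
    return bool(UPX_SECTION_NAMES & set(info["sections"])) or b"UPX!" in data[:4096]


def has_embedded_signature(data: bytes) -> bool:
    """True when the security directory points at an Authenticode blob.
    A zero entry means 'no embedded signature'; catalog-signed files also read as zero."""
    offset, size = parse_pe(data)["security_dir"]
    return offset != 0 and size != 0


def build_minimal_pe(section_names, signed=False, pe32plus=False) -> bytes:
    """Fabricate a headers-only PE for offline testing (constructed input, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224               # 112/96 bytes of fields + 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if signed:  # point the security directory at a (fictional) WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x1000, 0x800)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    for label, blob in [("upx-unsigned", build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])),
                        ("plain-signed", build_minimal_pe([b".text", b".data"], signed=True))]:
        print(label, "upx=%s signed=%s" % (is_upx_packed(blob), has_embedded_signature(blob)))
```

To run it over a real file, pass open(path, "rb").read() to is_upx_packed and has_embedded_signature; the sample in this report ran under SysWOW64 and registered under WOW6432Node, so it is a PE32 image and takes the 0x10B branch.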

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button1.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button4.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button3.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\DesktopIcons\SuperBabes.lnk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Center\tray1.ico | C:\Windows\SysWow64\nsinet.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\Common\module.php | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button2.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\dialer.ico | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\js\js_api_dialer.php | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\instant access.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Instant Access\Center\SuperBabes.lnk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Instant Access\Center\SuperBabes.lnk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A

The dropped names (the Instant Access directory, dialerexe.ini, dialer.ico, js_api_dialer.php, SuperBabes.lnk) are those of an "Instant Access" dialer-style installer, and the 20081127191147 directory name reads as a build timestamp. Note that tray1.ico is written by the dropped nsinet.exe rather than by the sample itself, which shows the second-stage executable running with write access to Program Files.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\dialexe.zl | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Windows\dialexe.epk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
File created | C:\Windows\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\nsinet.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9} | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\(Default) = "C:\\Windows\\SysWow64\\nsinet.exe /run" | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A

This is the security-relevant link in the run: the sample registers its dropped nsinet.exe as the out-of-process COM server (LocalServer32) for a CLSID it creates, and the "-Embedding" switch on the nsinet.exe command line in the process list below is the argument the COM runtime appends when it starts a LocalServer32 server. The dropped binary is therefore launched through COM activation of that CLSID rather than by a direct CreateProcess from the sample, which is why the process tree shows no parent relationship between the two.

Processes

C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"

C:\Windows\SysWow64\nsinet.exe

C:\Windows\SysWow64\nsinet.exe /run -Embedding
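The three observations above, a file written into SysWow64, a LocalServer32 value pointed at that file, and a later launch of the file with "-Embedding", can be chained into one detection. The Python below is an added example written for this report, not the sandbox's own logic: it correlates Sysmon-style events (event ID 11 file create, ID 13 registry value set, ID 1 process create) and flags a CLSID only when the process that registered the server had itself created the server binary, then records the PIDs that COM later activated for it. The events are constructed from the paths in this report; the PIDs 4212 and 1592 are the two process IDs in the report's memory dump names and are assigned here to the sample and to nsinet.exe respectively, while the svchost.exe parent and the Contoso installer are placeholders invented for the example.

```python
"""Correlate a COM LocalServer32 registration with the file it points at and with
the later '-Embedding' activation, over constructed Sysmon-style events
(added example written for this report, not the sandbox's own logic)."""
import re
from collections import defaultdict

# Tail of a registry path that is a CLSID's LocalServer32 default value, with or without
# Sysmon's "(Default)" suffix; works for HKLM\... and \REGISTRY\MACHINE\... prefixes alike.
LOCALSERVER32_RE = re.compile(
    r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\LocalServer32(?:\\(?:\(Default\))?)?$")


def norm(path: str) -> str:
    return path.strip().strip('"').lower()


def server_exe(value: str) -> str:
    """Executable named by a LocalServer32 value: 'C:\\x\\y.exe /run' or '"C:\\x y.exe" /run'."""
    v = value.strip()
    if v.startswith('"'):
        return norm(v[1:v.index('"', 1)])
    return norm(v.split(" ", 1)[0])


def correlate(events):
    """Flag CLSIDs whose LocalServer32 was pointed at a file the registering process itself
    wrote (EID 11 then EID 13), and list PIDs later started for that server with COM's
    '-Embedding' switch (EID 1). Events must be supplied in time order."""
    created_by = defaultdict(set)          # exe path -> PIDs that created it
    findings = {}
    for ev in events:
        if ev["id"] == 11:
            created_by[norm(ev["target"])].add(ev["pid"])
        elif ev["id"] == 13:
            m = LOCALSERVER32_RE.search(ev["target"])
            if not m:
                continue
            exe = server_exe(ev["details"])
            clsid = m.group(1).upper()
            findings[clsid] = {
                "clsid": clsid, "server": exe, "registered_by": ev["image"],
                "dropped_by_registrant": ev["pid"] in created_by[exe],
                "activations": [],
            }
        elif ev["id"] == 1 and "-embedding" in ev["cmdline"].lower():
            img = norm(ev["image"])
            for f in findings.values():
                if f["server"] == img:
                    f["activations"].append(ev["pid"])
    return [f for f in findings.values() if f["dropped_by_registrant"]]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"
CLSID_KEY = (r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID"
             r"\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\(Default)")

# Constructed events modelled on the report's behavioral2 run. PIDs 4212/1592 come from the
# report's memory dump names; the svchost parent and the Contoso installer are placeholders.
EVENTS = [
    {"id": 11, "pid": 4212, "image": SAMPLE, "target": r"C:\Windows\SysWow64\nsinet.exe"},
    {"id": 13, "pid": 4212, "image": SAMPLE, "target": CLSID_KEY,
     "details": r"C:\Windows\SysWow64\nsinet.exe /run"},
    {"id": 13, "pid": 5000, "image": r"C:\Program Files\Contoso\setup.exe",   # benign: server not dropped by registrant
     "target": r"HKLM\SOFTWARE\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\LocalServer32\(Default)",
     "details": r'"C:\Program Files\Contoso\contoso.exe" /automation'},
    {"id": 1, "pid": 1592, "image": r"C:\Windows\SysWow64\nsinet.exe",
     "cmdline": r"C:\Windows\SysWow64\nsinet.exe /run -Embedding",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The registrant-wrote-the-server condition is what keeps ordinary installers out of the results: a legitimate setup program registers COM servers it ships, but it normally does so with an MSI or a signed installer rather than from a Temp-resident executable that drops into SysWow64, and on a host with a Sysmon file-create rule for System32/SysWOW64 the EID 11 event is available to make that distinction.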

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

All recorded traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8 and HTTPS connections to tse1.mm.bing.net, a Microsoft content host. The table does not attribute connections to a process, and no destination related to the dropped dialer files was contacted within the 140 s run, so these rows should not be taken as indicators for the sample.

Files

memory/4212-0-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4212-1-0x0000000010000000-0x000000001004C000-memory.dmp

memory/4212-3-0x0000000010000000-0x000000001004C000-memory.dmp

memory/4212-5-0x0000000000400000-0x0000000000448908-memory.dmp

memory/4212-4-0x0000000010000000-0x000000001004C000-memory.dmp

C:\Windows\dialerexe.ini

MD5 5db3292eb66934e506b0641a9a21163c
SHA1 f7b8bcfa24705ea914ebd458fcc7ad573cd9e718
SHA256 0be1e5a749bf507214f9eff565e639182e12a543945762f65ffba6ad963854f2
SHA512 da9e9f825b12961437a2ae5c9116d5298cdb3aa1b44a654c86d88c46d7fd79c04d518acbe76cc1b866b84f9e950aa3546340804a5a602712f9770a92ef96e192

C:\Program Files (x86)\Instant Access\Multi\20081127191147\instant access.exe

MD5 8eae60fba1baabbe66a794be50ca376b
SHA1 679660ed5d2db29597f6c01c71ad3133e413e1d2
SHA256 f49e8cfd307af20bf391126c25c801c0c1fe96f08b725de7cbd1f539a805209d
SHA512 02d2b1c08ef6d5968b3bce4ac3ede220e8d4394e71a822b3d148937071c5a9c7e74670e64536ae3fee7fe3f50f7eea8a2b1bc4e4bf12c2ccaba0940b5a63abfe

These hashes are identical to those of the submitted sample (the MD5 is the sample's file name and the SHA256 matches the one at the top of the report), so the sample copies itself unchanged into the Instant Access directory; a hash-based sweep for the original file will also find this copy.

C:\Program Files (x86)\Instant Access\DesktopIcons\SuperBabes.lnk

MD5 96890fa4e8f3b9a96c21e3d8ee73904d
SHA1 6c509f1ddeeeef7c933fcecb29897433704c4173
SHA256 fb753b089fdf4bdd5e519a1b8da4e4ca6fb4e329b0617005984049de36277bc6
SHA512 e412f2ba64dff2ba0fbeb313f9d4ddea64cb66cb671d30bda6b7edf137de380fbedd3fa6f495c923e91157f3bd32edc288667d31b5b37b2c6c13e416d56cabca

C:\Program Files (x86)\Instant Access\Multi\20081127191147\Common\module.php

MD5 38cd8b10bf16640a9d8734a7ee018908
SHA1 60f75378e573d259daec6e4bf02975e39245ac5a
SHA256 53774fd7e7b48c4489d750b021a3d564e075ac84fd10fc3c8c6aa7affdd50d16
SHA512 9f5042200c2f819599ef23de9fa4543d21d57fc074c34dc5c7c70e13cc3c4fc2bc1c015a84310429cf527e455a0ff83897e90da458b4575b0777a93676761528

memory/1592-65-0x0000000000400000-0x0000000000448908-memory.dmp

memory/1592-70-0x0000000010000000-0x000000001004C000-memory.dmp

memory/4212-72-0x0000000000400000-0x000000000041B000-memory.dmp