Malware Analysis Report

2025-08-05 23:17

Sample ID 250115-14aq1sxjcs
Target JaffaCakes118_633b0b777e7833682d3b27d889421112
SHA256 1476418fe69abf69d07b8824533174b4312c48da8b27bef508ab9c5fd1ef1131
Tags
adware discovery evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1476418fe69abf69d07b8824533174b4312c48da8b27bef508ab9c5fd1ef1131

Threat Level: Known bad

The file JaffaCakes118_633b0b777e7833682d3b27d889421112 was found to be: Known bad.

Malicious Activity Summary

adware discovery evasion stealer trojan

UAC bypass

Installs/modifies Browser Helper Object

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 22:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:11

Reported

2025-01-15 22:14

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\WINDOWS\addins\MediaPlay.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\REGSVR32.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1264 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1264 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1264 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE
PID 2480 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | C:\Windows\syswow64\REGSVR32.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\syswow64\REGSVR32.EXE

C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll

Network

Country | Destination | Domain | Proto
BR | 200.183.154.2:80 | | tcp
BR | 200.183.154.2:80 | | tcp
KR | 211.179.234.210:8000 | 211.179.234.210 | tcp

Files

memory/2480-5-0x0000000004340000-0x0000000004752000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:11

Reported

2025-01-15 22:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\WINDOWS\addins\MediaPlay.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REGSVR32.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\REGSVR32.EXE

C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
BR | 200.183.154.2:80 | | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
KR | 211.179.234.210:8000 | 211.179.234.210 | tcp
US | 8.8.8.8:53 | 210.234.179.211.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp

Files

N/A