Malware Analysis Report

2025-08-05 23:17

Sample ID 250115-2dgbjsyper
Target JaffaCakes118_63887f8c3d927bd896f4871168ea2539
SHA256 252bae86c6911ff67073f491a4aa8785171d7d1dcd1258895922dc6c126ae1e3
Tags
credential_access discovery persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

252bae86c6911ff67073f491a4aa8785171d7d1dcd1258895922dc6c126ae1e3

Threat Level: Shows suspicious behavior

The file JaffaCakes118_63887f8c3d927bd896f4871168ea2539 was found to show suspicious behavior.

Malicious Activity Summary

credential_access discovery persistence spyware stealer upx

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Reads WinSCP keys stored on the system

Adds Run key to start application

Checks installed software on the system

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 22:27

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:27

Reported

2025-01-15 22:30

Platform

win7-20240903-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MozillaAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
Target: N/A

Checks installed software on the system

discovery

UPX packed file

upx

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
Target: N/A

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"

Network


Files

memory/2824-0-0x0000000000180000-0x0000000000252000-memory.dmp

memory/2824-1-0x00000000008F0000-0x00000000009BE000-memory.dmp

memory/2824-2-0x0000000001300000-0x000000000153E000-memory.dmp

memory/2824-3-0x0000000001300000-0x000000000154D000-memory.dmp

memory/2824-4-0x0000000001300000-0x000000000153E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:27

Reported

2025-01-15 22:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"

Network


Files

N/A