Analysis Overview
SHA256
252bae86c6911ff67073f491a4aa8785171d7d1dcd1258895922dc6c126ae1e3
Threat Level: Shows suspicious behavior
The file JaffaCakes118_63887f8c3d927bd896f4871168ea2539 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Reads WinSCP keys stored on the system
Adds Run key to start application
Checks installed software on the system
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:27
Reported
2025-01-15 22:30
Platform
win7-20240903-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MozillaAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe | N/A |
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"
Network
Files
memory/2824-0-0x0000000000180000-0x0000000000252000-memory.dmp
memory/2824-1-0x00000000008F0000-0x00000000009BE000-memory.dmp
memory/2824-2-0x0000000001300000-0x000000000153E000-memory.dmp
memory/2824-3-0x0000000001300000-0x000000000154D000-memory.dmp
memory/2824-4-0x0000000001300000-0x000000000153E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:27
Reported
2025-01-15 22:30
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63887f8c3d927bd896f4871168ea2539.exe"
Network