Malware Analysis Report

2025-08-11 04:37

Sample ID 250119-pd42dsxmdq
Target JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85
SHA256 4faa52890c2fcfd276f09e14307b986a6f09b364a3e0e9b78c951b08e23b9931
Tags
collection discovery persistence spyware stealer upx
score
7/10

Analysis Overview

score
7/10

SHA256

4faa52890c2fcfd276f09e14307b986a6f09b364a3e0e9b78c951b08e23b9931

Threat Level: Shows suspicious behavior

The file JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery persistence spyware stealer upx

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:13

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:13

Reported

2025-01-19 12:16

Platform

win7-20241010-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msimxq32.dll,AfOReqV" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\msimxq32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A
File created | C:\Windows\SysWOW64\msimxq32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\WerFault.exe

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe msimxq32.dll,AfOReqV

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 320

Network

N/A

Files

memory/2776-0-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2776-1-0x0000000000340000-0x000000000039A000-memory.dmp

memory/2776-3-0x00000000022A0000-0x0000000002326000-memory.dmp

memory/2776-2-0x00000000022A0000-0x0000000002326000-memory.dmp

memory/2776-5-0x00000000022A0000-0x0000000002326000-memory.dmp

C:\Windows\SysWOW64\msimxq32.dll

MD5 b61079ff3b82d5ce715dcce36f815e68
SHA1 71a92150736132de10df4ad5a3ea2dd6a91e1292
SHA256 8d4b07ac95d671e9db6b337c9ff5605c881845f274cc2a9f82cb447d3a2c44ca
SHA512 535ef20486069a6c3aa4b91870f8bd41f8a6c56e526005adbc185890a5db68e8c4bb8e87a435839e71495e7719968b727cb35a90bfbcba72a2ab97ca6a97f3bb

memory/2776-12-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2780-11-0x0000000010000000-0x0000000010086000-memory.dmp

memory/2776-14-0x0000000000340000-0x000000000039A000-memory.dmp

memory/2780-16-0x0000000010000000-0x0000000010086000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:13

Reported

2025-01-19 12:16

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msisdb32.dll,AfOReqV" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\msisdb32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msisdb32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe msisdb32.dll,AfOReqV

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 664

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/3088-0-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3088-1-0x0000000000530000-0x000000000058A000-memory.dmp

memory/3088-2-0x0000000002810000-0x0000000002896000-memory.dmp

memory/3088-4-0x0000000002810000-0x0000000002896000-memory.dmp

memory/3088-6-0x0000000002810000-0x0000000002896000-memory.dmp

C:\Windows\SysWOW64\msisdb32.dll

MD5 b61079ff3b82d5ce715dcce36f815e68
SHA1 71a92150736132de10df4ad5a3ea2dd6a91e1292
SHA256 8d4b07ac95d671e9db6b337c9ff5605c881845f274cc2a9f82cb447d3a2c44ca
SHA512 535ef20486069a6c3aa4b91870f8bd41f8a6c56e526005adbc185890a5db68e8c4bb8e87a435839e71495e7719968b727cb35a90bfbcba72a2ab97ca6a97f3bb

memory/4844-9-0x0000000010000000-0x0000000010086000-memory.dmp

memory/3088-3-0x0000000002810000-0x0000000002896000-memory.dmp

memory/3088-10-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3088-12-0x0000000002810000-0x0000000002896000-memory.dmp

memory/3088-11-0x0000000000530000-0x000000000058A000-memory.dmp

memory/4844-13-0x0000000010000000-0x0000000010086000-memory.dmp

memory/4844-25-0x0000000010000000-0x0000000010086000-memory.dmp