Malware Analysis Report

2025-08-05 16:52

Sample ID 250127-skz8katrev
Target JaffaCakes118_40dc7fd5758e960d7262657003a1244e
SHA256 d18e876916fd3652f94408aa72e690cbbd05c6091bbebe3f0c23575c69797fb1
Tags
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

d18e876916fd3652f94408aa72e690cbbd05c6091bbebe3f0c23575c69797fb1

Threat Level: Likely benign

The file JaffaCakes118_40dc7fd5758e960d7262657003a1244e was found to be: Likely benign.

Malicious Activity Summary


Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 15:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 15:11

Reported

2025-01-27 15:14

Platform

win7-20240729-en

Max time kernel

16s

Max time network

17s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc7fd5758e960d7262657003a1244e.jpg

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc7fd5758e960d7262657003a1244e.jpg

Network

N/A

Files

memory/640-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/640-1-0x00000000001A0000-0x00000000001A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 15:11

Reported

2025-01-27 15:14

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

147s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc7fd5758e960d7262657003a1244e.jpg"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc7fd5758e960d7262657003a1244e.jpg"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A