Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zcjzyavpam
Target JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6
SHA256 c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922
Tags
defense_evasion discovery persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922

Threat Level: Shows suspicious behavior

The file JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6 was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery persistence

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Maps connected drives based on registry

Adds Run key to start application

Modifies WinLogon

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-27 20:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-27 20:34

Reported 2025-01-27 20:36

Platform win7-20240903-en

Max time kernel 119s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Wine | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Wine | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aksjbnvbdhabnsghdhurh = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1076 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe
PID 1528 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe
PID 1528 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe
PID 1528 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe
PID 1528 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe
PID 2448 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2448 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2448 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2448 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe

"C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 128

Network

N/A

Files

memory/1528-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1528-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1528-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1528-6-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1528-4-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1528-2-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1528-13-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1528-12-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe

MD5 437298c4fbec9e4ef812f7324ffaf4b6
SHA1 4468814c74f41a69d7cbc73c0e80edb02889c1f6
SHA256 c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922
SHA512 d9c2ecd4a131466cb49e77016b062e802848cdc70343d7b56a320d5c62222d816540469a58fb4110e807a1762aa4a3f902b4c97c78d1d5bd4d154273ecd6766c

Analysis: behavioral2

Detonation Overview

Submitted 2025-01-27 20:34

Reported 2025-01-28 02:42

Platform win10v2004-20241007-en

Max time kernel 92s

Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"

Signatures

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 444

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp

Files

N/A