Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zcmqtsvpan
Target JaffaCakes118_4372bf8109ce46e1043ea597a55a5763
SHA256 f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10

Threat Level: Shows suspicious behavior

The file JaffaCakes118_4372bf8109ce46e1043ea597a55a5763 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Deletes itself

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:34

Reported

2025-01-27 20:37

Platform

win7-20241023-en

Max time kernel

123s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\alg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A
File created C:\Windows\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\alg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\alg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadNetworkName = "Network 3" C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5 C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\22-73-d8-da-7a-f5 C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecisionReason = "1" C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecisionReason = "1" C:\Windows\alg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\alg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\alg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\alg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecisionTime = 40506cf1fa70db01 C:\Windows\alg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecisionTime = 40506cf1fa70db01 C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5} C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecision = "0" C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecision = "0" C:\Windows\alg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\alg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0117000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\alg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe"

C:\Windows\alg.exe

"C:\Windows\alg.exe" /service

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a$$.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.51299.org udp
US 3.33.130.190:80 www.51299.org tcp
US 3.33.130.190:80 www.51299.org tcp
US 3.33.130.190:80 www.51299.org tcp
US 3.33.130.190:80 www.51299.org tcp

Files

memory/1236-0-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1236-1-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\alg.exe

MD5 4372bf8109ce46e1043ea597a55a5763
SHA1 135dd2a511c6b7515768b0973a5a4575ccddaa3e
SHA256 f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10
SHA512 6e3de390deac8afb60383f58d5bad25ef40e71121d0c92e9c0d79a6a68dea7057cbcf577027d8d7bca8470b0b1e7eded3c98bc77ac6f9ed7370c8b91a44d5841

C:\Users\Admin\AppData\Local\Temp\$$a$$.bat

MD5 b2e44fe40c43b7cec146c22d81c2cab0
SHA1 9066f9fba27532e59a46fb5dee83b893af9eaa73
SHA256 ef92d3db27d889102fe1036ad0012a9df8c21eba8fbfb1aac17493efccd9b1a1
SHA512 0ef4ace5dcc235d35f31965982ed8c2992ab0715f0572990633a9b9eed4667eb49193eb0ba0b0e1027fb6b0bc52ec9d36eb38ea0ab7b8f84d65d4fd196077bc4

memory/1236-14-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2340-16-0x0000000000400000-0x000000000047E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:34

Reported

2025-01-28 02:45

Platform

win10v2004-20241007-en

Max time kernel

121s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A
File created C:\Windows\alg.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\alg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\alg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\alg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe"

C:\Windows\alg.exe

"C:\Windows\alg.exe" /service

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a$$.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.51299.org udp
US 15.197.148.33:80 www.51299.org tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 15.197.148.33:80 www.51299.org tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 15.197.148.33:80 www.51299.org tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 15.197.148.33:80 www.51299.org tcp

Files

memory/5008-0-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5008-1-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\alg.exe

MD5 4372bf8109ce46e1043ea597a55a5763
SHA1 135dd2a511c6b7515768b0973a5a4575ccddaa3e
SHA256 f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10
SHA512 6e3de390deac8afb60383f58d5bad25ef40e71121d0c92e9c0d79a6a68dea7057cbcf577027d8d7bca8470b0b1e7eded3c98bc77ac6f9ed7370c8b91a44d5841

memory/5008-10-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a$$.bat

MD5 b2e44fe40c43b7cec146c22d81c2cab0
SHA1 9066f9fba27532e59a46fb5dee83b893af9eaa73
SHA256 ef92d3db27d889102fe1036ad0012a9df8c21eba8fbfb1aac17493efccd9b1a1
SHA512 0ef4ace5dcc235d35f31965982ed8c2992ab0715f0572990633a9b9eed4667eb49193eb0ba0b0e1027fb6b0bc52ec9d36eb38ea0ab7b8f84d65d4fd196077bc4

memory/2936-12-0x0000000000400000-0x000000000047E000-memory.dmp