Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zdbd7avpbq
Target JaffaCakes118_4375ccd5831118c67cc584ac6cddb136
SHA256 648cd5aa61222565eb922abfdb582f276601fb5515594a2e0a8a81f670e62346
Tags: discovery, upx
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

648cd5aa61222565eb922abfdb582f276601fb5515594a2e0a8a81f670e62346

Threat level: shows suspicious behavior (score 7/10)

The file JaffaCakes118_4375ccd5831118c67cc584ac6cddb136 was classified as showing suspicious behavior: an unsigned, UPX-packed executable that drops and runs further binaries from the user's Temp directory, queries BIOS and language values from the registry, and writes to the registry class tree. The individual signatures are listed below.

Malicious Activity Summary

discovery upx

ACProtect 1.3x - 1.4x DLL software

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:38

Platform

win7-20240729-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\nstF01D.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches, none with a description, indicator, process or target recorded
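The "UPX packed file" signature above matched six times but recorded no section or entropy details. The following is an added example, not part of the sandbox report: a standard-library-only static check that parses a PE section table and reports the marks a UPX-style packer leaves (UPX0/UPX1 section names, a first section with no raw data that serves as the unpack target, a high-entropy section holding the compressed image, and which section the entry point falls in), alongside the SHA256 so the result can be matched against the file hashes listed in this report. The build_pe() helper and both sample layouts are constructed for the example and are not real samples.

```python
"""Static check behind the 'UPX packed file' signature above.

Added example, not part of the sandbox report. It parses a PE section
table with the standard library only and reports the marks a UPX-style
packer leaves: UPX0/UPX1 section names, a first section with no raw data
(the unpack target), a high-entropy section holding the compressed image,
and the section the entry point falls in. build_pe() constructs a toy
PE32 image so the check runs offline; it is not a real sample.
"""
import hashlib
import math
import random
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform; compressed or encrypted data sits above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> tuple[int, list[Section]]:
    """Return (AddressOfEntryPoint, sections) for a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, 12 bytes we skip, SizeOfOptionalHeader, Characteristics
    num_sections, size_of_optional = struct.unpack_from("<xxH12xH2x", pe, coff)
    optional = coff + 20
    entry_rva = struct.unpack_from("<I", pe, optional + 16)[0]  # AddressOfEntryPoint
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                vaddr, vsize, rsize, shannon_entropy(raw)))
    return entry_rva, sections


def upx_indicators(pe: bytes) -> dict:
    """Packer heuristics plus the SHA256 to compare with the report's file hashes."""
    entry_rva, sections = parse_sections(pe)
    upx_names = [s.name for s in sections if s.name.upper().startswith("UPX")]
    entry_section = next((s.name for s in sections if s.virtual_address <= entry_rva
                          < s.virtual_address + max(s.virtual_size, s.raw_size)), None)
    hollow_first = bool(sections) and sections[0].raw_size == 0 < sections[0].virtual_size
    high_entropy = [s.name for s in sections if s.raw_size >= 512 and s.entropy > 7.0]
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "upx_section_names": upx_names,
        "entry_section": entry_section,
        "hollow_first_section": hollow_first,
        "high_entropy_sections": high_entropy,
        # UPX names alone are conclusive; the layout pair also catches renamed sections
        "packed_likely": bool(upx_names) or (hollow_first and bool(high_entropy)),
    }


def build_pe(layout: list[tuple[str, bytes, int]], entry_rva: int) -> bytes:
    """Constructed PE32 image from (name, raw bytes, virtual size) per section.
    Only the fields parse_sections() reads are filled in; it is not loadable."""
    num, e_lfanew, size_opt, align = len(layout), 0x40, 224, 0x200
    headers_len = (e_lfanew + 4 + 20 + size_opt + 40 * num + align - 1) & ~(align - 1)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x102)
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(size_opt, b"\0")
    table, body, raw_ptr, vaddr = b"", b"", headers_len, 0x1000
    for name, raw, vsize in layout:
        raw_size = (len(raw) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             raw_size, raw_ptr if raw_size else 0) + b"\0" * 16
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (max(vsize, raw_size) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + optional + table).ljust(headers_len, b"\0") + body


# Constructed layouts: a UPX-style image and a plain compiler-built one.
_rng = random.Random(2025)
UPX_LIKE = [("UPX0", b"", 0x3000), ("UPX1", _rng.randbytes(4096), 0x2000),
            (".rsrc", b"\0" * 100, 0x100)]
UPX_LIKE_ENTRY = 0x4100   # inside UPX1, which is mapped at 0x4000
PLAIN = [(".text", b"\x55\x8b\xec\xc3" * 256, 0x400), (".data", b"\0" * 64, 0x40)]
PLAIN_ENTRY = 0x1010      # inside .text, mapped at 0x1000


def demo() -> dict:
    return {"upx_like": upx_indicators(build_pe(UPX_LIKE, UPX_LIKE_ENTRY)),
            "plain": upx_indicators(build_pe(PLAIN, PLAIN_ENTRY))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

To use it on the dropped files from this report, read each file's bytes and call upx_indicators() on them; the sha256 key lets you confirm you are looking at the same artifact the report hashed (for example the SHA256 of setup.exe listed under Files). Entropy above 7.0 is a heuristic, not proof: a resource section full of compressed images will also score high, which is why the check pairs it with the empty first section that UPX leaves as its unpack target.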

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}\AutoConvertTo\ = "{00020803-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C} C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}\AutoConvertTo C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 1960 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1960 wrote to memory of 2756 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2604 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\~EFED.cmd

C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp

C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp checknewversion 27012550183fa /B
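Two practitioner notes on the process list above. First, every WriteProcessMemory row targets the process its writer has just created (2204 to 1960, 1960 to 2756, 2756 to 2604), which is what ordinary process creation looks like, so the chain itself is the stronger signal than the memory writes. Second, the DLLs dropped into nseEFBD.tmp (System.dll, UserInfo.dll, InstallOptions.dll, LangDLL.dll, with ioB_english.ini) are the standard plugin set an NSIS installer extracts at run time, which is an inference from the file names, not a statement the report makes. The following is an added example, not part of the sandbox report: a detection over process-creation records that reconstructs the tree and trips on the three patterns the chain shows (an executable in Temp starts another executable from Temp, cmd.exe /c runs a script from Temp, and a file with a .tmp extension is executed). The four ProcEvent records are constructed from the Processes section and the PIDs in the WriteProcessMemory rows; the parent of the first process is not recorded in the report, so it is given as 0.

```python
"""Process-tree detection for the chain shown in the Processes section.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's Processes section and the PIDs in the WriteProcessMemory rows;
the parent of PID 2204 is not recorded, so it is 0. The three rules mirror
what the chain shows rather than any particular malware family.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
CMD_SCRIPT = re.compile(r"/c\s+\"?([^\"\s]+)", re.IGNORECASE)   # first token after /c
SCRIPT_EXT = (".cmd", ".bat")
EXE_EXT = (".exe", ".com", ".scr")

# Constructed from the report; 2204 -> 1960 -> 2756 -> 2604.
EVENTS = [
    ProcEvent(2204, 0,
              r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"'),
    ProcEvent(1960, 2204,
              r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
              r"C:\Users\Admin\AppData\Local\Temp\\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"),
    ProcEvent(2756, 1960,
              r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\~EFED.cmd"),
    ProcEvent(2604, 2756,
              r"C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp",
              r"C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp checknewversion 27012550183fa /B"),
]


def in_temp(path: str) -> bool:
    return bool(TEMP_DIR.search(path))


def ancestry(events, pid: int) -> list[str]:
    """Image paths from the root of the recorded tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events) -> list[tuple[str, int, int]]:
    """(rule, parent_pid, child_pid) for every rule a process-creation event trips."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        low = e.image.lower()
        # Rule 1: an executable in Temp starts another executable from Temp
        if parent and in_temp(parent.image) and in_temp(e.image) and low.endswith(EXE_EXT):
            hits.append(("temp_exe_spawns_temp_exe", parent.pid, e.pid))
        # Rule 2: cmd.exe /c running a .cmd/.bat that lives in Temp
        if low.endswith("\\cmd.exe"):
            m = CMD_SCRIPT.search(e.cmdline)
            if m and in_temp(m.group(1)) and m.group(1).lower().endswith(SCRIPT_EXT):
                hits.append(("cmd_runs_temp_script", e.ppid, e.pid))
        # Rule 3: something in Temp executed under a non-executable extension (.tmp here)
        if in_temp(e.image) and not low.endswith(EXE_EXT):
            hits.append(("temp_file_with_non_exe_extension_executed", e.ppid, e.pid))
    return hits


def score(events) -> dict:
    hits = detect(events)
    leaf = max((e.pid for e in events), key=lambda p: len(ancestry(events, p)))
    return {"hits": hits,
            "rules_tripped": sorted({h[0] for h in hits}),
            "deepest_chain": ancestry(events, leaf)}


if __name__ == "__main__":
    for key, value in score(EVENTS).items():
        print(key, value)
```

Against real telemetry (Sysmon event 1 or an EDR process-start feed) the same three rules apply unchanged; the only adaptation is filling ProcEvent from the log fields. Rule 1 on its own is noisy on hosts where users run installers from Downloads or Temp, so treat the combination of all three in one ancestry as the alert condition, not any single rule.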

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.widestep.com udp
US 76.223.54.146:80 www.widestep.com tcp

Files

memory/2204-0-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 2e402be8220c5142fd1db6ac3221bdb2
SHA1 823f4938545750c5315d8680a3486062a32e8225
SHA256 397cb7c5f9633c95da1876e08764fa586dd38348386509029e1a128c2c661996
SHA512 0a2b61f7da610ae4f9420f11884aadc6c97d7bfe46c306a06ecc038fec28ca2143296de2ec788dafdcfd2e208b21b229e037d61cba4f63fb8e350414abfa67b7

memory/2204-6-0x0000000003A30000-0x00000000045AA000-memory.dmp

memory/1960-10-0x0000000000400000-0x0000000000F7A000-memory.dmp

memory/1960-14-0x0000000000360000-0x00000000003AD000-memory.dmp

memory/1960-19-0x0000000000400000-0x0000000000F7A000-memory.dmp

memory/1960-20-0x00000000016C0000-0x000000000223A000-memory.dmp

memory/1960-25-0x00000000016C0000-0x000000000223A000-memory.dmp

memory/1960-24-0x0000000000360000-0x00000000003AD000-memory.dmp

memory/1960-22-0x0000000000400000-0x0000000000F7A000-memory.dmp

memory/1960-21-0x00000000016C0000-0x000000000223A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

memory/1960-48-0x0000000003D50000-0x0000000003E82000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/1960-59-0x0000000003D50000-0x0000000003E82000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\access40.dll

MD5 03d7001fd3a1c48bd61e7da9928cd36d
SHA1 5c8418aa6259469bd0b36f3ab3dc5ef3f901dfa9
SHA256 d3965b42b5256a9ee000034ebaee39c7972510dc203ddacd6301bc776c4ae4a7
SHA512 dfc944d9683151a4ad31b3b5fbe231354c5194d3a0f1bcd12a71da82269a9810fc91346ef2a3770813d79b66851e757c4647baebee5eb69f7c9b829e82669c12

memory/1960-61-0x0000000003F90000-0x00000000040B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~EFED.cmd

MD5 f23d7dba35e84b4f45a4098c6275118c
SHA1 3cadc6cdf93b166d3a8196e6ebd633b19ea900c4
SHA256 ed6611e14f7a5e7bba8a47488ff6c8725fd6da7fb2ecac9e1b753a18ad73da60
SHA512 92d96168aaae8aded2571db771338b663d9e9116adcffa99d85951cb8c64946eaa8f431d6bdb04d0fc9b166b9c74e9319ea12d77f790344cc4e754eedf61c370

\Windows\SysWOW64\nstF01D.tmp

MD5 c3fb03ae11e469074820d70ed8ab17eb
SHA1 7bf4db632861dab3253e24d1992c1986be89ac41
SHA256 3802a2b5ea0279094090457e7926b3e0fcdabec974dc918a7d6cd2c1baa33aa6
SHA512 9ae1ba3b3bd8c50b236d277889955359cb2de1f9fb48f709793df9e9e99fc338271eafedd4a0b06da36aea8e4ddf817ded33e75dc6665ba008c284e3cf03ce26

\Users\Admin\AppData\Local\Temp\~EFEC.tmp

MD5 345171d2a2660b7cd4b8cdd978eda569
SHA1 516276cfe91c90458cc0f98a09cfaa841494d702
SHA256 c0b239bb834ad52cd1eb5f50d9cef83682e05f7d3fd3c3f5a1c8f106eadcb70b
SHA512 75e372de5494e487cfe57ae98c71576b18309e4b9e6988609c541c67a5ad91ea034ffba61fa281ed530cc60d07a163a5defd731f748164913e77f42ff77d3118

memory/2756-68-0x0000000002070000-0x000000000220B000-memory.dmp

memory/2604-72-0x0000000000400000-0x000000000059B000-memory.dmp

memory/2756-70-0x0000000002070000-0x000000000220B000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

memory/2204-90-0x0000000000400000-0x000000000121B000-memory.dmp

memory/1960-91-0x0000000000360000-0x00000000003AD000-memory.dmp

memory/1960-23-0x0000000000400000-0x0000000000F7A000-memory.dmp

memory/1960-94-0x00000000016C0000-0x000000000223A000-memory.dmp

memory/1960-93-0x0000000000400000-0x0000000000F7A000-memory.dmp

memory/1960-95-0x00000000016C0000-0x000000000223A000-memory.dmp

memory/2604-99-0x0000000000400000-0x000000000059B000-memory.dmp

memory/1960-100-0x00000000016C0000-0x000000000223A000-memory.dmp

memory/1960-101-0x0000000000400000-0x0000000000F7A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\ioB_english.ini

MD5 897dd2da994474958eb68073ea1004ee
SHA1 c20164256d02c0e96e5a54d7c6774046def626fa
SHA256 1efa1168b2a396772006f7ccd6b1833862c137055567174e049749c72e408334
SHA512 074af5cde982bc044c967ebfc07594365d70c222e4bc582a65cb2e5cc804df2fdb5058dfe296e250abcad1a2ea5ba6bcdc6e20849bb4f7f7ff2973f0357602b3

memory/1960-181-0x0000000000400000-0x0000000000F7A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-28 03:16

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
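A caveat on the table above: all seven entries are reverse (in-addr.arpa) lookups sent to the resolver, naming addresses the sample was never observed connecting to, and the table attributes them to no process; unlike the Win7 run, this Win10 run shows no dropped files, no setup.exe and no forward lookup of www.widestep.com. Treat the PTR queries as host background traffic unless process attribution ties them to the sample. The following is an added example, not part of the sandbox report, that pulls indicators out of both Network tables in this report's row format and keeps the three kinds of row apart: PTR lookups (noise, with the looked-up address recovered from the reversed name), forward DNS lookups (the domain is the indicator) and actual connections (ip:port is the indicator). REPORT_ROWS is a constructed copy of the two tables; the resolver address 8.8.8.8 is never emitted as an indicator.

```python
"""IOC extraction from the Network tables of both detonations.

Added example, not part of the sandbox report. REPORT_ROWS is a constructed
copy of the two Network tables above. Rows are split into reverse (PTR)
lookups, forward DNS lookups and real connections so the resolver and the
PTR noise never end up in the indicator list.
"""
import re
from dataclasses import dataclass
from typing import Optional

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)\s*$")

REPORT_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 www.widestep.com udp
US 76.223.54.146:80 www.widestep.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
"""


@dataclass(frozen=True)
class NetRow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list[NetRow]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:   # the header line and blank lines do not match
            rows.append(NetRow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return rows


def ptr_target(domain: str) -> Optional[str]:
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232' (octets are stored reversed)."""
    suffix = ".in-addr.arpa"
    if not domain.lower().endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(rows: list[NetRow]) -> dict:
    out = {"ptr_lookups": [], "forward_lookups": [], "connections": [],
           "iocs": {"domains": set(), "endpoints": set()}}
    for r in rows:
        is_dns = r.port == 53 and r.proto == "udp"
        target = ptr_target(r.domain)
        if is_dns and target:
            out["ptr_lookups"].append(target)          # an address resolved, not contacted
        elif is_dns:
            out["forward_lookups"].append(r.domain)
            out["iocs"]["domains"].add(r.domain)
        else:
            out["connections"].append((r.ip, r.port, r.proto, r.domain))
            out["iocs"]["endpoints"].add(f"{r.ip}:{r.port}")
            if r.domain and not target:
                out["iocs"]["domains"].add(r.domain)
    out["iocs"] = {k: sorted(v) for k, v in out["iocs"].items()}
    return out


def report_iocs() -> dict:
    return classify(parse_rows(REPORT_ROWS))


if __name__ == "__main__":
    result = report_iocs()
    print("IOCs:", result["iocs"])
    print("PTR noise (addresses looked up, not contacted):", result["ptr_lookups"])
```

For this report the indicator set reduces to the domain www.widestep.com and the endpoint 76.223.54.146:80, both from the Win7 run; the seven addresses recovered from the PTR names are kept separately so they can be checked against the host baseline rather than blocked.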

Files

memory/2616-0-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

memory/2616-1-0x0000000000400000-0x000000000121B000-memory.dmp