Malware Analysis Report

2025-08-10 22:42

Sample ID 250127-zm4gbsvmhy
Target JaffaCakes118_4391ad8bf84c14286443dbc06374322c
SHA256 9d5c477d698b6378ba3f04894036c8003f7a2000046cfa274dfd6b5f6c164953
Tags
discovery
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

9d5c477d698b6378ba3f04894036c8003f7a2000046cfa274dfd6b5f6c164953

Threat Level: Likely benign

The file JaffaCakes118_4391ad8bf84c14286443dbc06374322c was found to be: Likely benign.

Malicious Activity Summary

discovery

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:50

Reported

2025-01-27 20:53

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 fortresshacker.allalla.com udp
US 104.21.96.1:80 fortresshacker.allalla.com tcp
US 104.21.96.1:80 fortresshacker.allalla.com tcp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 1.96.21.104.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.afternic.com udp
GB 95.100.195.179:443 www.afternic.com tcp
GB 95.100.195.179:443 www.afternic.com tcp
US 8.8.8.8:53 179.195.100.95.in-addr.arpa udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/2324-0-0x000000007519E000-0x000000007519F000-memory.dmp

memory/2324-1-0x0000000000A90000-0x0000000000AD0000-memory.dmp

memory/2324-2-0x0000000005410000-0x00000000054AC000-memory.dmp

memory/2324-3-0x0000000005B20000-0x00000000060C4000-memory.dmp

memory/2324-4-0x0000000005570000-0x0000000005602000-memory.dmp

memory/2324-6-0x0000000075190000-0x0000000075940000-memory.dmp

memory/2324-5-0x0000000005510000-0x000000000551A000-memory.dmp

memory/2324-7-0x0000000005670000-0x00000000056C6000-memory.dmp

memory/2324-8-0x0000000075190000-0x0000000075940000-memory.dmp

memory/2324-9-0x0000000075190000-0x0000000075940000-memory.dmp

memory/2324-10-0x0000000075190000-0x0000000075940000-memory.dmp

memory/2324-19-0x000000007519E000-0x000000007519F000-memory.dmp

memory/2324-20-0x0000000075190000-0x0000000075940000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:50

Reported

2025-01-27 20:53

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 fortresshacker.allalla.com udp
US 104.21.64.1:80 fortresshacker.allalla.com tcp
US 104.21.64.1:80 fortresshacker.allalla.com tcp
US 8.8.8.8:53 www.afternic.com udp
GB 95.100.195.179:443 www.afternic.com tcp
GB 95.100.195.179:443 www.afternic.com tcp
GB 95.100.195.179:443 www.afternic.com tcp
GB 95.100.195.179:443 www.afternic.com tcp
GB 95.100.195.179:443 www.afternic.com tcp
GB 95.100.195.179:443 www.afternic.com tcp

Files

memory/1868-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/1868-1-0x00000000013D0000-0x0000000001410000-memory.dmp

memory/1868-2-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/1868-3-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/1868-4-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/1868-5-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/1868-14-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/1868-15-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/1868-16-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/1868-17-0x00000000742E0000-0x00000000749CE000-memory.dmp