Malware Analysis Report

2025-08-10 22:42

Sample ID 250127-zn3w7avnbw
Target JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c
SHA256 e3076feb6a742e78f15f9ee37f105f07742735b1bb21902247f66a6fc80ffa66
Tags: discovery, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: e3076feb6a742e78f15f9ee37f105f07742735b1bb21902247f66a6fc80ffa66

Threat Level: Shows suspicious behavior

The file JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:52

Reported

2025-01-27 20:55

Platform

win7-20241023-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\38874838\38874838.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\PROGRA~3\38874838\38874838.exe | N/A
N/A | N/A | C:\PROGRA~3\38874838\38874838.exe | N/A
N/A | N/A | C:\PROGRA~3\38874838\38874838.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\38874838 = "C:\\ProgramData\\38874838\\38874838.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\38874838 = "C:\\PROGRA~3\\38874838\\38874838.exe" | C:\PROGRA~3\38874838\38874838.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\38874838\38874838.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\38874838\38874838.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\38874838\38874838.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start C:\PROGRA~3\38874838\38874838.exe /i

C:\PROGRA~3\38874838\38874838.exe

C:\PROGRA~3\38874838\38874838.exe /i

Network

Country | Destination | Domain | Proto
BA | 77.78.239.234:80 | | tcp
BA | 77.78.239.234:80 | | tcp
BA | 77.78.239.234:80 | | tcp
BA | 77.78.239.234:80 | | tcp
BA | 77.78.239.234:80 | | tcp

Files

memory/2952-1-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2952-3-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2952-4-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2952-2-0x0000000010000000-0x000000001017C000-memory.dmp

C:\ProgramData\38874838\38874838.bat

MD5 1f77f141a107c362847b7bac9b527b22
SHA1 e918a7f0710880d2ca1986b9538d49d35fa8f36b
SHA256 f3415b5d3ad8d5697d79609aa3c7786ab439a94700304be53a39feb1b3d304b8
SHA512 6f1919c83b76d11665fa3ecc40e15dba179b2185af4dda63af85514bc31627bbb609aa46907bce39712088e71b9fe92d5bd639a4bf37cc1919a5a617ecf0efff

memory/2952-14-0x0000000010000000-0x000000001017C000-memory.dmp

\PROGRA~3\38874838\38874838.exe

MD5 439491ed0b0f851a44db6c1fd5a2680c
SHA1 dbdaf8b9ef8de7c29a286ad439e8b03edf8a1973
SHA256 e3076feb6a742e78f15f9ee37f105f07742735b1bb21902247f66a6fc80ffa66
SHA512 93c6eca81efc090b7086c4015eece3c9652199cadd00d824db51317cb3747245f8959d92e67fc3860cd29f86a1a8b2fe737c837eb3825f12c01fb482d1770625

memory/2684-22-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-23-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-21-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-25-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-30-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-31-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-32-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-33-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-34-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-35-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-37-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-38-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-39-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-40-0x0000000010000000-0x000000001017C000-memory.dmp

memory/2684-41-0x0000000010000000-0x000000001017C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:52

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26558531 = "C:\\ProgramData\\26558531\\26558531.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439491ed0b0f851a44db6c1fd5a2680c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 876

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/1400-1-0x0000000010000000-0x000000001017C000-memory.dmp

memory/1400-2-0x0000000010000000-0x000000001017C000-memory.dmp

memory/1400-3-0x0000000010000000-0x000000001017C000-memory.dmp

memory/1400-4-0x0000000010000000-0x000000001017C000-memory.dmp

memory/1400-6-0x0000000010000000-0x000000001017C000-memory.dmp

memory/1400-8-0x0000000010000000-0x000000001017C000-memory.dmp