Malware Analysis Report

2025-08-10 22:42

Sample ID 250127-znwswavna1
Target JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db
SHA256 6ad5247f54eaec05a23e025f393291f39a6686ab38f34d5cda8fd868b627d157
Tags
discovery persistence privilege_escalation
score
7/10


Analysis Overview

score
7/10

SHA256

6ad5247f54eaec05a23e025f393291f39a6686ab38f34d5cda8fd868b627d157

Threat Level: Shows suspicious behavior

The file JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence privilege_escalation

Unexpected DNS network traffic destination

Executes dropped EXE

Deletes itself

Event Triggered Execution: Component Object Model Hijacking

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:52

Reported

2025-01-27 20:54

Platform

win7-20240903-en

Max time kernel

65s

Max time network

150s

Command Line

C:\Windows\system32\services.exe

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\services.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 83.133.123.20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Destination IP 83.133.123.20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Destination IP 83.133.123.20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Destination IP 83.133.123.20 N/A N/A
Destination IP 83.133.123.20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Destination IP 83.133.123.20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Destination IP 83.133.123.20 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Destination IP 83.133.123.20 N/A N/A
Destination IP 83.133.123.20 N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\services.exe N/A
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\services.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1956 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe C:\Windows\SysWOW64\cmd.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\clsid C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1488793075-819845221-1497111674-1000\\$568593a3dddae9c8c724dfe7808f99db\\n." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$568593a3dddae9c8c724dfe7808f99db\\n." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\services.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

Network


Files

memory/1956-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1956-1-0x000000000042D000-0x0000000000434000-memory.dmp

memory/1956-2-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1956-3-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1244-4-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/1244-8-0x0000000002A70000-0x0000000002A71000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\$568593a3dddae9c8c724dfe7808f99db\n

MD5 fb4e3236959152a057bc6b7603c538ef
SHA1 b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4
SHA256 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0
SHA512 993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

memory/472-13-0x0000000000090000-0x0000000000091000-memory.dmp

C:\$Recycle.Bin\S-1-5-18\$568593a3dddae9c8c724dfe7808f99db\@

MD5 4e528876b4f4f13af564b3f6b697928f
SHA1 8535c7ce522477aebd468fc7505400dca0a11bd2
SHA256 41bdcc22308342206d405095566041bf7da8647f290340d3bb8663f1fa8c0731
SHA512 85742858b309a0fb665d6dca40ed038626b69e6352b3bccc8362ce823ec74ce9f700588091a32448afc168ba515c26304abc950d1f8244f088ab133fc2e27b6a

memory/1956-20-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1956-19-0x000000000042D000-0x0000000000434000-memory.dmp

memory/1244-21-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/472-22-0x0000000000090000-0x0000000000091000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:52

Reported

2025-01-27 20:54

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

145s

Command Line

C:\Windows\Explorer.EXE

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3756129449-3121373848-4276368241-1000\\$862b21c0dc2d33ab5918d90b8ea31d19\\n." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\clsid C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe"

Network


Files

memory/528-2-0x0000000000400000-0x0000000000436000-memory.dmp

memory/528-1-0x000000000042D000-0x0000000000434000-memory.dmp

memory/528-0-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/528-3-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3500-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/3500-8-0x0000000002B90000-0x0000000002B91000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\$862b21c0dc2d33ab5918d90b8ea31d19\n

MD5 fb4e3236959152a057bc6b7603c538ef
SHA1 b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4
SHA256 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0
SHA512 993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2

memory/528-10-0x0000000000400000-0x0000000000436000-memory.dmp

memory/528-11-0x000000000042D000-0x0000000000434000-memory.dmp