Malware Analysis Report

2025-08-05 14:54

Sample ID 250704-v4fz5scq3y
Target JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec
SHA256 9795982ab78e29ee900f7c46d62d5e5b51b3814a4200e136ecc01a3d6d072db6
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V16
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

9795982ab78e29ee900f7c46d62d5e5b51b3814a4200e136ecc01a3d6d072db6

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec was classified as: Shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:32

Reported

2025-07-04 17:34

Platform

win10v2004-20250502-en

Max time kernel

105s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

  Description: Key opened
  Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  Target:      N/A

Modifies Internet Explorer settings

adware spyware

  Description: Key created
  Indicator:   \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  Process:     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  Target:      N/A

  Description: Set value (int)
  Indicator:   \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe = "11000"
  Process:     C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 388 -ip 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 2648

Network

Country  Destination           Domain                Proto
US       8.8.8.8:53            ude.databssint.com    udp
US       8.8.8.8:53            cms.dmccint.com       udp
US       8.8.8.8:53            engine.dmccint.com    udp
GB       142.250.180.14:80     cms.dmccint.com       tcp
IL       199.101.114.147:80    engine.dmccint.com    tcp
N/A      127.0.0.1:80                                tcp
US       8.8.8.8:53            c.pki.goog            udp
GB       142.250.180.3:80      c.pki.goog            tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\System.dll

MD5 62008374a494afeea2ee2ae9eee4c8c0
SHA1 94808fcf0748c437f4d7ffa4d540e054cb014fab
SHA256 9c4affddfa97b268b07c00ac28a2fe617dda806bf55088ccf348da149ee76c1a
SHA512 f584ed647b69ff8ff80450be8f0b267ebb3c97826dbf01d078165ea94b43afd1f00fc58b91d9e8f4d78465d70312c1b1a6ac66583ebdc009b0ce471a6cf149a0

C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\webapphost.dll

MD5 6482716b29a424ade699f29560302f5d
SHA1 4d56bac748e72ce98405a7509c2bb33efe06af59
SHA256 72e73c6a03f37c7cad227b5940d9189a63a8729ef6199ffc068f7dc234ad583f
SHA512 6c58c0e347d772e403ace72a644f395e7918907374fc557970aa617df823823427f8905bed819ac04c25d5280662c7c26e999931ea51800f8ee9f55c9b64f60d

C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\DownloadACC.dll

MD5 dbfaba3a1329a0925530482cfd700b21
SHA1 a6a8e5000c16ba28bea645bb456c101ca19e0a70
SHA256 45289f096984e9af391cbe7b907866f25fbe9a419bd70e435d7ef041aefb7b9f
SHA512 6bd296185dbf0aef232fa9f96d7377fd6f93dd6ccbd97ee3285732c0a897ba5ec60531845e538102fabc0cd5f7fad0c6f32f79ae88875aba58b5e52a4a3f983c