Malware Analysis Report

2025-08-05 14:54

Sample ID 250704-wpbbsadp6y
Target JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6
SHA256 0d124a5139362fdde526271c3dda5ced134c04951fd0328ed1122ed387783d5c
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0d124a5139362fdde526271c3dda5ced134c04951fd0328ed1122ed387783d5c

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 18:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:05

Reported

2025-07-04 18:07

Platform

win10v2004-20250502-en

Max time kernel

142s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"

C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp" /SL5="$5006C,2953972,66560,C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"

C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe" /path="C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.list.fullmedialibrary.com | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp

Files

memory/3988-1-0x0000000000401000-0x000000000040B000-memory.dmp

memory/3988-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp

MD5 e5ab3419ba8234f91656b6e9015e7fce
SHA1 c73e80d369aed62c997a9cd509ba251d8d7875ac
SHA256 009b5f9a122e0e645680c7a207fd3a7c2c53d4609f4ca16cff0d7b02ab09c209
SHA512 fca6580f974ffea96ee4158653c19f2e26764ec9654a82c820bb29e3a5c94a1f486d43e43db064662397d8aa401f6c4aec9cfa264b1e79e6461389331c99c1fb

memory/1916-7-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe

MD5 58131cb103a51ea087004f410606a05d
SHA1 5cd47985419def794b9efe10d813c89ef1a8d69d
SHA256 35bdad85f460a45214654a8747c7c3fa8a2a3ceafdf017166dd0a69cf5969cf7
SHA512 22d7390fb3a02db233d405b08f6db5e7983770b404f635546a326a0a252127168e875a1271103b0ebb6c5b150a9121d2ccc5f88a4faacd682c4de65e94d6971d

memory/5248-27-0x0000000000400000-0x0000000000C33000-memory.dmp

memory/1916-31-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/3988-32-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5248-33-0x0000000000400000-0x0000000000C33000-memory.dmp

memory/5248-35-0x0000000000400000-0x0000000000C33000-memory.dmp