File name:	085f3ee670b6a487590007684a0ff0e7_JaffaCakes118
Full analysis:	https://app.any.run/tasks/05e9d194-3aa0-4168-b131-302fb5c8dde4
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 14:15:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	085F3EE670B6A487590007684A0FF0E7
SHA1:	3DA36CB2555E24D7514C33D510995B7541D06D88
SHA256:	2DDBB080A7A888A5E77C531CEC63A68EF8FB6DF648113707AC4841FC9B61B516
SSDEEP:	3072:tBJXfiTZ05Uv+qHPhoz6eWTPaHrybQr3H68e2quBFf5cNtphEm8:tBtiTpvHHmmvWyX8eAl+4

.exe	\|	UPX compressed Win32 Executable (38.2)
.exe	\|	Win32 EXE Yoda's Crypter (37.5)
.dll	\|	Win32 Dynamic Link Library (generic) (9.2)
.exe	\|	Win32 Executable (generic) (6.3)
.exe	\|	Win16/32 Executable Delphi generic (2.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	135168
InitializedDataSize:	4096
UninitializedDataSize:	86016
EntryPoint:	0x36440
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
Operation:	write	Name:	1601
Value: 0
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU
Operation:	write	Name:	Xta1
Value: eYxK2YU091U0HrpsjvSIjxvXB02vD1zqtMMayT430zqjaaR30ZM5lXzmyQwo1Be9zn3f3i/Ed95x7XQUSt1wdQ4W47nKxKDz+PyDio/53XhTROVoVfOzqZooK3NLQ5z2P0gKbXXa9JIi3asvbd0qIH6WPZ485hrXWO/j0hvlH9GUjaKLahLtDPPhxz8gJzpeKVwdINds
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU
Operation:	write	Name:	Xqo5
Value: 31187840
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU
Operation:	write	Name:	XqoF
Value: 852819360
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU
Operation:	write	Name:	XqoE
Value: 31187639
(PID) Process:	(1760) 085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU
Operation:	write	Name:	XqoA
Value:

PID	Process	Filename		Type
1760	085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job		binary
		MD5:00F74D852210B5AD3E7345B9E9436856	SHA256:1A0ACFAB0F6828FD341E8646495EB69F62D695664BC34446AF7BD760088BC445

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4844	RUXIMICS.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4844	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
1760	085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	POST	200	199.59.243.228:80	http://ceramals.com/	unknown	—	—	malicious
4552	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4844	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
4844	RUXIMICS.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4844	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	142.250.181.238	whitelisted
archive.org	207.241.224.2	whitelisted
allegro.pl	5.134.213.80	whitelisted
crl.microsoft.com	23.55.104.190 23.55.104.172	whitelisted
www.microsoft.com	2.23.246.101 95.101.149.131	whitelisted
superseh.com	—	unknown
moresonline.com	—	malicious
ceramals.com	199.59.243.228	malicious
slscr.update.microsoft.com	4.175.87.197	whitelisted

PID	Process	Class	Message
1760	085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	Potential Corporate Privacy Violation	ET INFO Unsupported/Fake Windows NT Version 5.0
1760	085f3ee670b6a487590007684a0ff0e7_JaffaCakes118.exe	A Network Trojan was detected	ET MALWARE FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers

General Info

085f3ee670b6a487590007684a0ff0e7_JaffaCakes118

085F3EE670B6A487590007684A0FF0E7

3DA36CB2555E24D7514C33D510995B7541D06D88

2DDBB080A7A888A5E77C531CEC63A68EF8FB6DF648113707AC4841FC9B61B516

3072:tBJXfiTZ05Uv+qHPhoz6eWTPaHrybQr3H68e2quBFf5cNtphEm8:tBtiTpvHHmmvWyX8eAl+4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

SUSPICIOUS

Changes internet zones settings

Reads Microsoft Outlook installation path

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Potential Corporate Privacy Violation

INFO

Reads the computer name

Checks supported languages

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings