Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-r9xy3acg21
Target e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118
SHA256 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981
Tags evasion persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981

Threat Level: Known bad

The file e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-06 14:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-06 14:54
Reported 2024-04-06 14:56
Platform win7-20240221-en
Max time kernel 148s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" C:\Windows\SysWOW64\bootconfig.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bootconfig.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" C:\Windows\SysWOW64\bootconfig.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" C:\Windows\SysWOW64\bootconfig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" C:\Windows\SysWOW64\bootconfig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" C:\Windows\SysWOW64\bootconfig.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bootconfig.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bootconfig.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bootconfig.exe C:\Windows\SysWOW64\bootconfig.exe N/A
File opened for modification C:\Windows\SysWOW64\bootconfig.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windebug.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
File created C:\Windows\windebug.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\windebug.exe C:\Windows\SysWOW64\bootconfig.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe"

C:\Windows\SysWOW64\bootconfig.exe

C:\Windows\SYSTEM32\bootconfig.exe

C:\Windows\SysWOW64\bootconfig.exe

C:\Windows\SYSTEM32\bootconfig.exe

Network

N/A

Files

memory/2772-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\bootconfig.exe

MD5 e2c9c053a8ecbbee1ee3ab3a38223ff1
SHA1 de140d66f709865a7c08beff50128e148258851e
SHA256 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981
SHA512 40e3c6c462c595524c492a8fcbb51e1b5e8f1e0b0212735c8e6672f3fab7874d8e641358d14ad2f3f519164ce9006885d9da38e194ef0f0e88b6ef2d52899bb3

memory/2772-19-0x0000000000550000-0x0000000000566000-memory.dmp

memory/2772-25-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1784-29-0x0000000000290000-0x00000000002A6000-memory.dmp

memory/2192-32-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1784-33-0x0000000000400000-0x0000000000416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-06 14:54
Reported 2024-04-06 14:56
Platform win10v2004-20240226-en
Max time kernel 148s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" C:\Windows\SysWOW64\bootconfig.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bootconfig.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" C:\Windows\SysWOW64\bootconfig.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" C:\Windows\SysWOW64\bootconfig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" C:\Windows\SysWOW64\bootconfig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" C:\Windows\SysWOW64\bootconfig.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bootconfig.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bootconfig.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bootconfig.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bootconfig.exe C:\Windows\SysWOW64\bootconfig.exe N/A
File opened for modification C:\Windows\SysWOW64\bootconfig.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windebug.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
File created C:\Windows\windebug.exe C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\windebug.exe C:\Windows\SysWOW64\bootconfig.exe N/A
File created C:\Windows\windebug.exe C:\Windows\SysWOW64\bootconfig.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\bootconfig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe"

C:\Windows\SysWOW64\bootconfig.exe

C:\Windows\SYSTEM32\bootconfig.exe

C:\Windows\SysWOW64\bootconfig.exe

C:\Windows\SYSTEM32\bootconfig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2992-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\SysWOW64\bootconfig.exe

MD5 e2c9c053a8ecbbee1ee3ab3a38223ff1
SHA1 de140d66f709865a7c08beff50128e148258851e
SHA256 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981
SHA512 40e3c6c462c595524c492a8fcbb51e1b5e8f1e0b0212735c8e6672f3fab7874d8e641358d14ad2f3f519164ce9006885d9da38e194ef0f0e88b6ef2d52899bb3

memory/2992-25-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1980-29-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1136-30-0x0000000000400000-0x0000000000416000-memory.dmp