Malware Analysis Report

2025-03-14 22:28

Sample ID 240407-3ca9kshg29
Target e6195002fecd1cd970e80ab5b2318974_JaffaCakes118
SHA256 bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
Tags
evasion persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5

Threat Level: Likely malicious

The file e6195002fecd1cd970e80ab5b2318974_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence

Disables Task Manager via registry modification

Sets service image path in registry

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:21

Reported

2024-04-07 23:24

Platform

win7-20231129-en

Max time kernel

144s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"

Signatures

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\kernelwind32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" C:\Windows\SysWOW64\kernelwind32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\kernelw.sys C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kernelwind32.exe C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kernelwind32.exe C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kernelwind32.exe C:\Windows\SysWOW64\kernelwind32.exe N/A
File created C:\Windows\SysWOW64\dllh8jkd1q8.exe C:\Windows\SysWOW64\kernelwind32.exe N/A
File opened for modification C:\Windows\SysWOW64\dllh8jkd1q8.exe C:\Windows\SysWOW64\kernelwind32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\kernelwind32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
PID 3040 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
PID 3040 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
PID 3040 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
PID 3040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\kernelwind32.exe
PID 3040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\kernelwind32.exe
PID 3040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\kernelwind32.exe
PID 3040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe C:\Windows\SysWOW64\kernelwind32.exe
PID 2360 wrote to memory of 2644 N/A C:\Windows\SysWOW64\kernelwind32.exe C:\Windows\SysWOW64\netsh.exe
PID 2360 wrote to memory of 2644 N/A C:\Windows\SysWOW64\kernelwind32.exe C:\Windows\SysWOW64\netsh.exe
PID 2360 wrote to memory of 2644 N/A C:\Windows\SysWOW64\kernelwind32.exe C:\Windows\SysWOW64\netsh.exe
PID 2360 wrote to memory of 2644 N/A C:\Windows\SysWOW64\kernelwind32.exe C:\Windows\SysWOW64\netsh.exe

Processes

Parent/child links and PIDs are taken from the WriteProcessMemory rows above. The dropped copy is started with the command line C:\Windows\system32\kernelwind32.exe but runs as C:\Windows\SysWOW64\kernelwind32.exe: the launching process is 32-bit, so WOW64 file system redirection maps system32 to SysWOW64.

C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe (PID 3040)
    "C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"

    C:\Windows\SysWOW64\netsh.exe (PID 2044)
        netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable

    C:\Windows\SysWOW64\kernelwind32.exe (PID 2360)
        C:\Windows\system32\kernelwind32.exe

        C:\Windows\SysWOW64\netsh.exe (PID 2644)
            netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
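
The chain recorded in this run is: copy the sample into the system directory, register the copy under a Run key, register a kernel driver service whose ImagePath names kernelw.sys, and have netsh exempt both binaries from the firewall. The Python below is an added example, not part of the sandbox report or of any vendor's detection content; it expresses that chain as three rules and runs them over constructed Sysmon-style events (FileCreate, RegistryValueSet, ProcessCreate) built from the paths, PIDs and command lines in the rows above, plus three benign control events. It also makes explicit the WOW64 point a reviewer should note: the "Drops file in System32 directory" rows actually land in C:\Windows\SysWOW64 because the sample is 32-bit, while the Run value and the driver ImagePath name C:\Windows\system32 literally, so a naive string compare between the dropped file and the registered path fails, and 64-bit code (the kernel loading the driver, a 64-bit launcher reading the Run key) resolves those paths against the real System32, where nothing was written. The Task Manager signature has no indicator rows on this page, so it is not modelled.

```python
"""Detection logic for the drop / register / firewall-exempt chain in behavioral1,
run over constructed Sysmon-style events (added example, not sandbox output)."""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\kernelwind32.exe"
SYS32_DIR = "c:\\windows\\system32\\"
WOW64_DIR = "c:\\windows\\syswow64\\"

# Constructed events in a Sysmon-like shape, using the report's paths, PIDs and command
# lines; the last three are benign controls (a real driver, a normal Run entry, a netsh query).
EVENTS: List[Dict] = [
    {"event": "FileCreate", "pid": 3040, "image": SAMPLE, "target": DROPPED},
    {"event": "RegistryValueSet", "pid": 3040, "image": SAMPLE,
     "target": r"HKLM\SYSTEM\ControlSet001\services\Driver\ImagePath",
     "details": "\\??\\C:\\Windows\\system32\\kernelw.sys"},
    {"event": "RegistryValueSet", "pid": 3040, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System",
     "details": r"C:\Windows\system32\kernelwind32.exe"},
    {"event": "ProcessCreate", "pid": 2044, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": SAMPLE, "cmdline": f"netsh firewall set allowedprogram '{SAMPLE}' enable"},
    {"event": "ProcessCreate", "pid": 2644, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": DROPPED, "cmdline": f"netsh firewall set allowedprogram '{DROPPED}' enable"},
    {"event": "RegistryValueSet", "pid": 700, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\tcpip\ImagePath",
     "details": r"\SystemRoot\System32\drivers\tcpip.sys"},
    {"event": "RegistryValueSet", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"event": "ProcessCreate", "pid": 5000, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "netsh interface show interface"},
]


def clean_path(path: str) -> str:
    """Lower-case a path and strip quotes and the NT '\\??\\' prefix seen in ImagePath values."""
    p = path.strip().strip("'\"")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def wow64_alias(path: str) -> str:
    """Where a C:\\Windows\\system32 write by a 32-bit process really lands: WOW64 redirects it
    to C:\\Windows\\SysWOW64 (the same mechanism put the Run value under Wow6432Node).
    64-bit code, including the kernel loading a driver, resolves the path literally."""
    return WOW64_DIR + path[len(SYS32_DIR):] if path.startswith(SYS32_DIR) else path


def detect_driver_service(events: List[Dict]) -> List[Dict]:
    """Services\\<name>\\ImagePath set to a .sys that does not live under a drivers directory."""
    findings = []
    for e in events:
        if e["event"] != "RegistryValueSet":
            continue
        m = re.search(r"\\services\\([^\\]+)\\imagepath$", e["target"], re.I)
        if not m:
            continue
        image = clean_path(e["details"])
        if image.endswith(".sys") and "\\drivers\\" not in image:
            findings.append({"rule": "driver_service_outside_drivers_dir", "pid": e["pid"],
                             "service": m.group(1), "image_path": image})
    return findings


def detect_drop_and_run(events: List[Dict]) -> List[Dict]:
    """Same process creates a file and then registers it under a CurrentVersion\\Run key.
    The WOW64 alias is tried as well, so the chain is still caught when the Run value says
    system32 and the file was redirected to SysWOW64; that mismatch is reported as 'redirected'."""
    created: Dict[int, set] = {}
    for e in events:
        if e["event"] == "FileCreate":
            created.setdefault(e["pid"], set()).add(clean_path(e["target"]))
    findings = []
    for e in events:
        if e["event"] != "RegistryValueSet" or "\\currentversion\\run\\" not in e["target"].lower():
            continue
        registered = clean_path(e["details"])
        files = created.get(e["pid"], set())
        if registered in files or wow64_alias(registered) in files:
            findings.append({"rule": "drop_then_run_key", "pid": e["pid"], "value": e["target"],
                             "registered_path": registered, "redirected": registered not in files})
    return findings


NETSH_ALLOW = re.compile(r"firewall\s+set\s+allowedprogram\s+['\"]?([^'\"]+?)['\"]?\s+enable", re.I)


def detect_firewall_allow(events: List[Dict]) -> List[Dict]:
    """netsh adding a firewall exemption; 'self_exempting' when the parent exempts its own image."""
    findings = []
    for e in events:
        if e["event"] != "ProcessCreate" or not e["image"].lower().endswith("\\netsh.exe"):
            continue
        m = NETSH_ALLOW.search(e["cmdline"])
        if not m:
            continue
        program = clean_path(m.group(1))
        findings.append({"rule": "netsh_firewall_allowedprogram", "pid": e["pid"], "program": program,
                         "self_exempting": program == clean_path(e["parent_image"])})
    return findings


def run_all(events: List[Dict]) -> List[Dict]:
    return detect_driver_service(events) + detect_drop_and_run(events) + detect_firewall_allow(events)


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

Against the constructed events the three rules produce four findings (the driver service, the drop-then-Run pair marked redirected, and two self-exempting netsh calls) and none for the controls. The `redirected` flag is the host-triage cue: on a 64-bit machine check both C:\Windows\System32 and C:\Windows\SysWOW64 for kernelwind32.exe and kernelw.sys before concluding which of the registered paths is live.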

Network

Country Destination Domain Proto
US 8.8.8.8:53 softspydelete.com udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 ww9.softspydelete.com udp
US 76.223.26.96:80 ww9.softspydelete.com tcp
US 173.239.5.6:80 softspydelete.com tcp
US 173.239.5.6:80 softspydelete.com tcp
US 173.239.5.6:80 softspydelete.com tcp

Files

memory/3040-1-0x0000000000400000-0x000000000040A000-memory.dmp

\Windows\SysWOW64\kernelwind32.exe

MD5 e6195002fecd1cd970e80ab5b2318974
SHA1 c40a15e0f8b2e521f0ae481b3339d2893970a178
SHA256 bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
SHA512 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d

memory/3040-10-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2360-12-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\dllh8jkd1q8.exe

MD5 96dacbc0d6125a5baf02d286ea2d8277
SHA1 726416cce8f3b661070f9b3f30ea212e4621503e
SHA256 393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443
SHA512 8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3

memory/2360-24-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:21

Reported

2024-04-07 23:24

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"

Signatures

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" C:\Windows\SysWOW64\kernelwind32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\kernelwind32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" C:\Windows\SysWOW64\kernelwind32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dllh8jkd1q8.exe C:\Windows\SysWOW64\kernelwind32.exe N/A
File opened for modification C:\Windows\SysWOW64\kernelw.sys C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kernelwind32.exe C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kernelwind32.exe C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kernelw.sys C:\Windows\SysWOW64\kernelwind32.exe N/A
File created C:\Windows\SysWOW64\kernelwind32.exe C:\Windows\SysWOW64\kernelwind32.exe N/A
File created C:\Windows\SysWOW64\dllh8jkd1q8.exe C:\Windows\SysWOW64\kernelwind32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kernelwind32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\kernelwind32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable

C:\Windows\SysWOW64\kernelwind32.exe

C:\Windows\system32\kernelwind32.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 softspydelete.com udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ww9.softspydelete.com udp
US 13.248.148.254:80 ww9.softspydelete.com tcp
US 8.8.8.8:53 6.5.239.173.in-addr.arpa udp
US 8.8.8.8:53 254.148.248.13.in-addr.arpa udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 173.239.5.6:80 softspydelete.com tcp
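
The table above mixes three kinds of rows: TCP connections to hosts the sample contacted, UDP queries to the sandbox resolver (8.8.8.8) for names the sample asked for, and reverse (in-addr.arpa) lookups, which are PTR queries rather than contacts. Only two of the PTR rows concern addresses the sample actually connected to (173.239.5.6 and 13.248.148.254); the other reversed addresses appear nowhere else in the table, and one TCP destination (20.231.121.79:80) has no domain at all. The Python below is an added example, not part of the report: it parses the table exactly as printed (including the row with a missing domain column) and sorts the rows into those classes so the indicators worth keeping are separated from resolver traffic.

```python
"""Sort the rows of a sandbox Network table into contacted hosts, forward DNS queries
and reverse (PTR) lookups (added example, not part of the report)."""
import ipaddress
from typing import Dict, List, Optional

# The behavioral2 Network table as printed on this page ("Country Destination Domain Proto").
NETWORK_TABLE = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 softspydelete.com udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ww9.softspydelete.com udp
US 13.248.148.254:80 ww9.softspydelete.com tcp
US 8.8.8.8:53 6.5.239.173.in-addr.arpa udp
US 8.8.8.8:53 254.148.248.13.in-addr.arpa udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 173.239.5.6:80 softspydelete.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 173.239.5.6:80 softspydelete.com tcp
"""


def parse_rows(table: str) -> List[Dict]:
    """Split the space-separated table; a 3-token row is one whose Domain column is empty."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_target(name: Optional[str]) -> Optional[str]:
    """'6.5.239.173.in-addr.arpa' -> '173.239.5.6'; None for anything that is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    ipaddress.ip_address(ip)  # raises ValueError on a malformed label
    return ip


def triage(rows: List[Dict]) -> Dict:
    """Contacted hosts come from TCP rows; UDP rows to port 53 are resolver queries, split into
    forward lookups and PTR lookups, the latter divided by whether the reversed address was contacted."""
    contacted: Dict[str, set] = {}
    for r in rows:
        if r["proto"] == "tcp":
            contacted.setdefault(r["ip"], set())
            if r["domain"]:
                contacted[r["ip"]].add(r["domain"])
    ptr_ips = {ptr_target(r["domain"]) for r in rows if ptr_target(r["domain"])}
    forward = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"] and not ptr_target(r["domain"])}
    return {
        "hosts": {ip: sorted(d) for ip, d in contacted.items()},
        "unresolved_hosts": sorted(ip for ip, d in contacted.items() if not d),
        "ptr_for_contacted": sorted(ip for ip in ptr_ips if ip in contacted),
        "ptr_unrelated": sorted(ip for ip in ptr_ips if ip not in contacted),
        "forward_lookups": sorted(forward),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

The `hosts` and `forward_lookups` entries are the network indicators to carry forward (softspydelete.com, ww9.softspydelete.com and their addresses, plus the unresolved 20.231.121.79); the `ptr_unrelated` list is what to discard or attribute to the sandbox platform, and `ptr_for_contacted` shows which PTR rows merely echo destinations already in the table.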

Files

memory/2844-1-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\kernelwind32.exe

MD5 e6195002fecd1cd970e80ab5b2318974
SHA1 c40a15e0f8b2e521f0ae481b3339d2893970a178
SHA256 bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
SHA512 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d

memory/2844-6-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\kernelw.sys

MD5 cc43010c40ec6907f2d0526c55495c16
SHA1 04f9b28b79824e20c77db44189db718b683971cf
SHA256 3b3fd4601090089980c93ff7607e9d3e863ce51155c56e0093871493f7a0f875
SHA512 b21ec29fc85f124a47ce46fb15f47643a4dc2ff521548746ca6a0d39030353c95b2cda4afe7372a85568ba464f162bf3c8060ec469e63f41775731994a6cb8f3

memory/5332-10-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\dllh8jkd1q8.exe

MD5 96dacbc0d6125a5baf02d286ea2d8277
SHA1 726416cce8f3b661070f9b3f30ea212e4621503e
SHA256 393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443
SHA512 8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3

memory/5332-21-0x0000000000400000-0x000000000040A000-memory.dmp