Malware Analysis Report

2025-08-06 04:10

Sample ID 240508-3tz92agg77
Target 274af13f898b0747a0549b340bb17ed1_JaffaCakes118
SHA256 7236fb13667086299d0cf8eb8ffb5e013bb0314b392f197d8be523548ca73f06
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7236fb13667086299d0cf8eb8ffb5e013bb0314b392f197d8be523548ca73f06

Threat Level: Shows suspicious behavior

The file 274af13f898b0747a0549b340bb17ed1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 23:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 23:49

Reported

2024-05-08 23:51

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe
Target: N/A

Modifies system certificate store

evasion spyware trojan
Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Process: C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe
Target: N/A

Description: Set value (data)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted)
Process: C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe
Target: N/A

Suspicious use of SendNotifyMessage

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.pc.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
HK 43.135.106.184:80 c.pc.qq.com tcp
HK 43.135.106.184:443 c.pc.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp

Files

\Users\Admin\AppData\Local\Temp\TencentDownload\~f7611eb\QQPCDownload.dll

MD5 cc4af7e018bf913b1be001cf4472062e
SHA1 1646fc215b5198a90eecb6665b90949a8f3507ba
SHA256 06a7d3b03c5e1a52ccf1c94ed564ac3a6682afcf5aa06309c2f6dcb72de31b2f
SHA512 037e528f6d3becd2ac8cfa2563a4b8eebfb11468450e75d672be01d0fc36b45b8decc17309917ab672bfe871853076a84bd2438ee3421421d283547167fca843

memory/2320-11-0x0000000002060000-0x0000000002061000-memory.dmp

memory/2320-9-0x0000000003320000-0x0000000003331000-memory.dmp

\Users\Admin\AppData\Local\Temp\TencentDownload\~f7611eb\qmdr\dr.dll

MD5 4f53e6f3881ff3e1ee1cc0dc0561410f
SHA1 31388b4d64164eaa5b79ee30bf22840f6b5955a2
SHA256 967bfd76354486919fd252a8bcb3d787af495a0a58bfb8a216b3776cdc2dfc43
SHA512 a652d85e36143e45bafc105f7f385b1dfa25cc83d7bb1c2b167999ec95f4dd27fc43ea91e14abc26f78395a202159807dbfd85394b30061b64fea285aab64921

memory/2320-15-0x0000000002060000-0x0000000002061000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 23:49

Reported

2024-05-08 23:51

Platform

win10v2004-20240508-en

Max time kernel

115s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\274af13f898b0747a0549b340bb17ed1_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.pc.qq.com udp
HK 43.135.106.184:80 c.pc.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
HK 43.135.106.184:443 c.pc.qq.com tcp
US 8.8.8.8:53 184.106.135.43.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e574c7a\QQPCDownload.dll

MD5 cc4af7e018bf913b1be001cf4472062e
SHA1 1646fc215b5198a90eecb6665b90949a8f3507ba
SHA256 06a7d3b03c5e1a52ccf1c94ed564ac3a6682afcf5aa06309c2f6dcb72de31b2f
SHA512 037e528f6d3becd2ac8cfa2563a4b8eebfb11468450e75d672be01d0fc36b45b8decc17309917ab672bfe871853076a84bd2438ee3421421d283547167fca843

memory/3544-8-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/3544-13-0x00000000028E0000-0x00000000028F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e574c7a\qmdr\dr.dll

MD5 4f53e6f3881ff3e1ee1cc0dc0561410f
SHA1 31388b4d64164eaa5b79ee30bf22840f6b5955a2
SHA256 967bfd76354486919fd252a8bcb3d787af495a0a58bfb8a216b3776cdc2dfc43
SHA512 a652d85e36143e45bafc105f7f385b1dfa25cc83d7bb1c2b167999ec95f4dd27fc43ea91e14abc26f78395a202159807dbfd85394b30061b64fea285aab64921

memory/3544-19-0x00000000028C0000-0x00000000028C1000-memory.dmp