Malware Analysis Report

2025-08-05 12:51

Sample ID 240509-bme7qsab9w
Target 27998718b35cfe6f515dcc92ec781178_JaffaCakes118
SHA256 2ebe92d56e6106a47885d51553c5dcaed3064e9ebd04491857624c4d6f7d8c11
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2ebe92d56e6106a47885d51553c5dcaed3064e9ebd04491857624c4d6f7d8c11

Threat Level: Shows suspicious behavior

The file 27998718b35cfe6f515dcc92ec781178_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 01:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 01:15

Reported

2024-05-09 01:17

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\使用说明.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\使用说明.url

Network

N/A

Files

memory/2012-0-0x0000000000170000-0x0000000000171000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 01:15

Reported

2024-05-09 01:17

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\使用说明.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\使用说明.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 01:15

Reported

2024-05-09 01:18

Platform

win7-20240419-en

Max time kernel

129s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\fgfgkhtk1.ini C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe

"C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hi.baidu.com udp
US 104.193.88.126:80 hi.baidu.com tcp
US 8.8.8.8:53 infoflow.baidu.com udp
US 104.193.88.125:443 infoflow.baidu.com tcp
US 8.8.8.8:53 www.877232894.com udp
US 8.8.8.8:53 xui.ptlogin2.qq.com udp
HK 129.226.103.162:80 xui.ptlogin2.qq.com tcp
HK 129.226.103.162:443 xui.ptlogin2.qq.com tcp

Files

memory/2280-0-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-1-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-7-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-13-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-51-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-50-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-45-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-37-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-25-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-9-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-73-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-74-0x0000000001F20000-0x0000000001F21000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 01:15

Reported

2024-05-09 01:17

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\fgfgkhtk1.ini C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe

"C:\Users\Admin\AppData\Local\Temp\十二路QQ空间说说动态实时赞评论.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hi.baidu.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 104.193.88.125:80 hi.baidu.com tcp
US 8.8.8.8:53 infoflow.baidu.com udp
US 8.8.8.8:53 125.88.193.104.in-addr.arpa udp
US 104.193.88.126:443 infoflow.baidu.com tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 126.88.193.104.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.877232894.com udp
US 8.8.8.8:53 xui.ptlogin2.qq.com udp
HK 129.226.103.162:80 xui.ptlogin2.qq.com tcp
HK 129.226.103.162:443 xui.ptlogin2.qq.com tcp
US 8.8.8.8:53 162.103.226.129.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.877232894.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.877232894.com udp
US 8.8.8.8:53 www.877232894.com udp

Files

memory/4336-0-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-43-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-14-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-1-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-10-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4336-57-0x0000000010000000-0x000000001003E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 01:15

Reported

2024-05-09 01:17

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\极速软件下载.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\极速软件下载.url

Network

N/A

Files

memory/1660-0-0x0000000000330000-0x0000000000331000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 01:15

Reported

2024-05-09 01:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\极速软件下载.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\极速软件下载.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A