Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-h3b9caca28
Target 74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118
SHA256 224aaa33d14e22344ace695ae30f54f6fa866d96995e5c655f2a0baa9ff04703
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

224aaa33d14e22344ace695ae30f54f6fa866d96995e5c655f2a0baa9ff04703

Threat Level: Shows suspicious behavior

The file 74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Drops startup file

Unexpected DNS network traffic destination

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 07:15

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 07:15

Reported

2024-05-26 07:17

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\userinit.lnk | C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 139.99.66.103 | N/A | N/A (6 events, matching the six TCP connections to 139.99.66.103:53 in the Network table)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 peaceful.linkpc.net udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.112:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 112.107.17.2.in-addr.arpa udp
BE 2.17.107.112:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 peaceful.linkpc.net udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 07:15

Reported

2024-05-26 07:17

Platform

win7-20240221-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\userinit.lnk | C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 139.99.66.103 | N/A | N/A (7 events, matching the seven TCP connections to 139.99.66.103:53 in the Network table)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe | N/A

Enumerates physical storage devices
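Both detonations (behavioral2 above and behavioral1 here) flag the sample opening \??\PhysicalDrive0 for modification, which is the write path to sector 0 that a bootkit needs. The check an analyst runs to confirm or rule out an MBR change is to parse the 512-byte sector from a disk image (or, with administrator rights, from the raw device) and compare its boot-code area against a known-good hash. The Python below is an added example, not sandbox output and not code from the sample: the boot-code bytes, disk signature and baseline hash are constructed stand-ins so it runs offline, and the device paths in the comments are suggestions only.

```python
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0-439: boot code; 440-443: disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_SIZE)[0],
        "partitions": partitions,
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_mbr(boot_code: bytes, partitions=((0x80, 0x07, 2048, 204800),)) -> bytes:
    """Construct a syntactically valid test MBR (a stand-in, not a real boot sector)."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_SIZE]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, BOOT_CODE_SIZE, 0xDEADBEEF)  # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         status, ptype, lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw device or a disk image.
    Assumed paths, both needing admin/root: \\.\PhysicalDrive0 on Windows, /dev/sda on Linux."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed stand-ins for boot code; neither is real boot code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
TAMPERED_BOOT_CODE = b"\xeb\x3c\x90" + b"BOOTKIT" + b"\x90" * 64
# Baseline = hash of the clean boot-code area as it sits in the MBR (zero-padded to 440 bytes).
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_SIZE, b"\x00")).hexdigest()

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: mbrcheck.py <device-or-image> <baseline-sha256>
        print(check_mbr(read_mbr(sys.argv[1]), sys.argv[2]) or ["boot code matches baseline"])
    else:
        print("clean:   ", check_mbr(build_mbr(CLEAN_BOOT_CODE), BASELINE_SHA256))
        print("tampered:", check_mbr(build_mbr(TAMPERED_BOOT_CODE), BASELINE_SHA256))
```

The baseline has to come from a known-clean image of the same machine (or the same OS build's boot code), since legitimate boot managers also differ in this area; a hash mismatch is a lead to disassemble sector 0, not proof of a bootkit on its own.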

Processes

C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 peaceful.linkpc.net udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 peaceful.linkpc.net udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
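The "Unexpected DNS network traffic destination" signature in both detonations is keyed on port 53: the only resolver the sandbox talks to is 8.8.8.8 over UDP, yet every lookup of peaceful.linkpc.net is followed by TCP connections to 139.99.66.103:53. The Python below is an added example, not part of the report, that applies that check to rows in the format of the Network tables above; the rows are copied from this report (the behavioral1 table, plus two behavioral2 rows to exercise the parser), and the resolver allow-list is an assumption.

```python
from collections import Counter

# Assumption: the only resolver the sandbox host should reach on port 53.
ALLOWED_RESOLVERS = {"8.8.8.8"}

# Rows copied from the Network tables of this report: the behavioral1 table,
# plus a non-53 row and the domain-less row from behavioral2.
NETWORK_ROWS = """\
US 8.8.8.8:53 peaceful.linkpc.net udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 8.8.8.8:53 peaceful.linkpc.net udp
SG 139.99.66.103:53 peaceful.linkpc.net tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 udp
"""


def parse_row(line: str):
    """Parse one 'Country Destination Domain Proto' row; the Domain column may be absent."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def find_unexpected_dns(rows_text: str, allowed=ALLOWED_RESOLVERS) -> dict:
    """Group port-53 connections whose peer is not an allowed resolver.

    Returns {ip: {"country": str, "count": int, "protos": Counter, "domains": Counter}}.
    """
    hits = {}
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None or row["port"] != 53 or row["ip"] in allowed:
            continue
        h = hits.setdefault(row["ip"], {"country": row["country"], "count": 0,
                                        "protos": Counter(), "domains": Counter()})
        h["count"] += 1
        h["protos"][row["proto"]] += 1
        if row["domain"]:
            h["domains"][row["domain"]] += 1
    return hits


def summarize(hits: dict) -> list:
    """One line per flagged peer; TCP/53 is called out because resolvers are normally reached over UDP."""
    lines = []
    for ip, h in hits.items():
        protos = ", ".join(f"{p} x{n}" for p, n in sorted(h["protos"].items()))
        doms = ", ".join(sorted(h["domains"])) or "(none)"
        note = " [TCP/53 to a non-resolver]" if h["protos"].get("tcp") else ""
        lines.append(f"{ip} ({h['country']}): {h['count']} connections on port 53, "
                     f"{protos}, domains: {doms}{note}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_unexpected_dns(NETWORK_ROWS)):
        print(line)
```

The table records endpoints, not payloads, so it does not establish whether the TCP/53 traffic is DNS at all; the sequence of a resolver lookup for peaceful.linkpc.net followed by repeated TCP connections to 139.99.66.103 on port 53 is consistent with the name resolving to that address and the sample talking to it on a port chosen to pass egress filters. The practical follow-up is to restrict port 53 egress to the organisation's resolvers and alert on anything else.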

Files

\Users\Admin\AppData\Local\Temp\userinit.exe (same SHA256 as the submitted sample, i.e. a copy of itself named after the legitimate Windows userinit.exe; this pairs with the userinit.lnk Startup entry above)

MD5 74b544a2dba07ac124285e2ff8a330e5
SHA1 e687f1b15e3b180f44aeaa804a7476b32b765317
SHA256 224aaa33d14e22344ace695ae30f54f6fa866d96995e5c655f2a0baa9ff04703
SHA512 d5442314ed655b0a4ce3891b6559bc7ff37db8d26c5c98778538ab7999cff953c195bb080d9dd4f39356ad624120b1d98a75ff081d4393f8d027f64900fb7dcf