Malware Analysis Report

2025-01-03 09:27

Sample ID 240604-xkvqasgb6w
Target 95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118
SHA256 98e1e327e318b397d4517bca0a3d77ed0be6a59fd077bd6dc3223ae03236c0ff
Tags
bootkit evasion persistence trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

98e1e327e318b397d4517bca0a3d77ed0be6a59fd077bd6dc3223ae03236c0ff

Threat Level: Likely malicious

The file 95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit evasion persistence trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 18:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 18:55

Reported

2024-06-04 18:58

Platform

win7-20240215-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | diagcode.com | udp
DE | 167.86.97.200:443 | diagcode.com | tcp

Files

memory/2836-1-0x000000007695E000-0x000000007695F000-memory.dmp

memory/2836-0-0x00000000010E0000-0x0000000002088000-memory.dmp

memory/2836-7-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-6-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-5-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-4-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-3-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-2-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-8-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-9-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-15-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-16-0x00000000010E0000-0x0000000002088000-memory.dmp

memory/2836-17-0x00000000010E0000-0x0000000002088000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\B4E6149F9DF2675E948A226726FC1F86\32\diagcode.dll

MD5 79a02ba612f40388cdd1fff88089c922
SHA1 a786ba0669458dc0542fc9b93f09b4bcbf85d045
SHA256 43c0b420e78e01fa576b5209794be289f895cc7050206129dd653697c826a76e
SHA512 087b05f73e40b19386cc559bd3a86c6b0e0c73d1efbc1199ef6c1095a4180f0cc8fa3161279876f8588d6ab2b270b6aebe58751e8554fc5083817c98dbafb900

\Users\Admin\AppData\Local\Temp\Costura\B4E6149F9DF2675E948A226726FC1F86\32\ftchipid.dll

MD5 db2e9f3c2f704cd41bdbfcfb47b81108
SHA1 49e9192aefee6080c3795a8df592425e6351f56c
SHA256 d63d9ec2f0557184aba3d4156d755767cd234fc4b108f4209abbf28c064936c6
SHA512 203df4ab2c065923f6ae3f101d8046f300506e77c74a4864eaceca47e427928ab31da37374794efd24b475e8cca4abba8baed768860715076f2a708c2c7c9493

\Users\Admin\AppData\Local\Temp\Costura\B4E6149F9DF2675E948A226726FC1F86\32\sense4.dll

MD5 2cc4f1fa5b4a50a0fadc732678db94dc
SHA1 696f39720b09d030403f751cd6f3de3fdd7df29a
SHA256 5be725eace8521c03b2167c4a27ae78cec9b838478bc4342e90afc47be3c6876
SHA512 57fbbdd8c282ce396af5db58669d6bb2e5d5e0313175f1dd4441cc82d0a194e2564db3a8eb44b50abc54f1e221daa9826e77d22ae16ae1b56279f44eac907b34

memory/2836-28-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-29-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2836-30-0x0000000001050000-0x0000000001078000-memory.dmp

memory/2836-31-0x0000000003570000-0x0000000003586000-memory.dmp

memory/2836-32-0x00000000071C0000-0x000000000750A000-memory.dmp

memory/2836-33-0x0000000003BB0000-0x0000000003BF6000-memory.dmp

memory/2836-36-0x0000000003DD0000-0x0000000003DFA000-memory.dmp

memory/2836-35-0x0000000003C10000-0x0000000003C26000-memory.dmp

memory/2836-37-0x0000000003E00000-0x0000000003E08000-memory.dmp

memory/2836-38-0x0000000006210000-0x0000000006286000-memory.dmp

memory/2836-34-0x0000000003C00000-0x0000000003C08000-memory.dmp

memory/2836-39-0x00000000060C0000-0x00000000060C8000-memory.dmp

memory/2836-40-0x00000000060E0000-0x0000000006108000-memory.dmp

memory/2836-42-0x00000000062B0000-0x00000000062BA000-memory.dmp

memory/2836-41-0x00000000078D0000-0x0000000007B1A000-memory.dmp

memory/2836-43-0x00000000062D0000-0x00000000062DA000-memory.dmp

memory/2836-45-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-44-0x00000000010E0000-0x0000000002088000-memory.dmp

memory/2836-46-0x0000000006FA0000-0x0000000006FB6000-memory.dmp

memory/2836-47-0x00000000075F0000-0x000000000765C000-memory.dmp

memory/2836-48-0x0000000076950000-0x0000000076997000-memory.dmp

memory/2836-49-0x00000000062D0000-0x00000000062DA000-memory.dmp

memory/2836-51-0x0000000076950000-0x0000000076997000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 18:55

Reported

2024-06-04 18:58

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A
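The evidence behind this signature, in both detonations, is a handle opened for modification on \??\PhysicalDrive0; the report records no sector contents, so the next step is to read the first sector of the detonation VM's disk and compare it with a pre-detonation copy. The following is an added example written for this page, not code from the report or from the sample: it parses a raw 512-byte MBR (boot code, the four partition entries, the 0x55AA signature) and diffs it against a baseline, reporting the pattern a bootkit leaves, namely replaced boot code with the partition table kept intact. The two sectors it runs on are constructed for the demonstration; the boot-code bytes are illustrative only.

```python
"""Added example (not part of the Triage report or the analysed sample):
parse and diff a raw MBR sector, the check to run when a 'Writes to the
Master Boot Record' signature fires on \\??\\PhysicalDrive0.
The sample sectors below are constructed for the demo; the real input is
the first 512 bytes of the detonation disk before and after the run."""
import hashlib
import struct
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code, the region a bootkit replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIG_OFF = 510            # last two bytes must be 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into a boot-code hash, the used partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = PART_ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
    }


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return findings describing how `current` differs from `baseline`; an empty list means unchanged."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is no longer a valid MBR")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        if before["partitions"] == after["partitions"]:
            # Disk still boots the same OS, but through attacker code first: the bootkit pattern.
            findings.append("boot code replaced while the partition table was kept intact (bootkit pattern)")
        else:
            findings.append("boot code replaced")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed demo sector: given boot code, one bootable NTFS partition at LBA 2048, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = PART_ENTRY.pack(0x80, 0x07, 2048, 204800)   # bootable, type 0x07 (NTFS)
    table = entry + b"\x00" * (16 * 3)                   # three unused entries
    return code + table + b"\x55\xAA"


# Illustrative boot-code bytes only; neither is taken from the sample.
BASELINE_MBR = build_sample_mbr(bytes.fromhex("33c08ed0bc007c"))   # xor ax,ax / mov ss,ax / mov sp,7c00h
TAMPERED_MBR = build_sample_mbr(bytes.fromhex("ea007c0000"))       # different code, same partition table

if __name__ == "__main__":
    for finding in compare_mbr(BASELINE_MBR, TAMPERED_MBR) or ["MBR unchanged"]:
        print(finding)
```

On a real case, feed `compare_mbr` the first 512 bytes of the VM disk image from before and after detonation; a changed boot-code hash with an unchanged partition table is the finding that justifies the bootkit tag, while an unchanged sector means the handle open did not result in a write to sector 0.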

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\95eb1bc0e7190ad44a12d6532a3b43af_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | diagcode.com | udp
DE | 167.86.97.200:443 | diagcode.com | tcp
US | 8.8.8.8:53 | 200.97.86.167.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
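The Network table has no process column, so the nine PTR (in-addr.arpa) lookups above cannot be attributed to the sample from this report alone; the one thing that can be checked offline is whether any of them asks about an address the sample was actually seen connecting to. The following is an added example written for this page, not code from the report: it decodes each reverse-DNS name back to the IPv4 address it asks about (the labels are the octets in reverse order) and correlates the result with the non-DNS destinations in the same table. The rows embedded in it are copied from the behavioral2 table above.

```python
"""Added example (not part of the Triage report): decode the in-addr.arpa
lookups in the behavioral2 Network table and correlate them with the
destinations the sample connected to. Rows are copied from the report."""
import re
from ipaddress import AddressValueError, IPv4Address
from typing import Dict, List, Optional

NETWORK_ROWS = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 diagcode.com udp
DE 167.86.97.200:443 diagcode.com tcp
US 8.8.8.8:53 200.97.86.167.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name: str) -> Optional[str]:
    """Return the IPv4 address a reverse-DNS name asks about, or None if it is not a valid PTR name."""
    match = PTR_RE.match(name.rstrip("."))
    if not match:
        return None
    candidate = ".".join(reversed(match.groups()))   # in-addr.arpa labels are the octets reversed
    try:
        return str(IPv4Address(candidate))           # rejects octets above 255
    except AddressValueError:
        return None


def parse_rows(text: str) -> List[dict]:
    """Parse 'Country Destination Domain Proto' rows as they appear in the report's Network table."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "dest_ip": ip, "dest_port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def correlate_ptr(rows: List[dict]) -> Dict[str, Optional[str]]:
    """Map each address looked up via PTR to the domain of an observed connection to it, or None."""
    connections = {r["dest_ip"]: r["domain"]
                   for r in rows if not (r["proto"] == "udp" and r["dest_port"] == 53)}
    result: Dict[str, Optional[str]] = {}
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:
            result[ip] = connections.get(ip)   # None: PTR query with no matching connection
    return result


if __name__ == "__main__":
    for ip, domain in correlate_ptr(parse_rows(NETWORK_ROWS)).items():
        print(f"{ip:16} {'<- connection to ' + domain if domain else 'no connection observed'}")
```

Run against the table above, only 200.97.86.167.in-addr.arpa resolves to an address the sample contacted (167.86.97.200, the TLS connection for diagcode.com); the other eight PTR queries name addresses that appear nowhere else in the report and need process attribution from the pcap or the sandbox's per-process network view before they can be counted as sample behaviour.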

Files

memory/1836-0-0x0000000000170000-0x0000000001118000-memory.dmp

memory/1836-7-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-6-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-5-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-4-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-3-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-2-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-1-0x00000000760D0000-0x00000000760D1000-memory.dmp

memory/1836-12-0x0000000000170000-0x0000000001118000-memory.dmp

memory/1836-13-0x0000000000170000-0x0000000001118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\B4E6149F9DF2675E948A226726FC1F86\32\diagcode.dll

MD5 79a02ba612f40388cdd1fff88089c922
SHA1 a786ba0669458dc0542fc9b93f09b4bcbf85d045
SHA256 43c0b420e78e01fa576b5209794be289f895cc7050206129dd653697c826a76e
SHA512 087b05f73e40b19386cc559bd3a86c6b0e0c73d1efbc1199ef6c1095a4180f0cc8fa3161279876f8588d6ab2b270b6aebe58751e8554fc5083817c98dbafb900

C:\Users\Admin\AppData\Local\Temp\Costura\B4E6149F9DF2675E948A226726FC1F86\32\ftchipid.dll

MD5 db2e9f3c2f704cd41bdbfcfb47b81108
SHA1 49e9192aefee6080c3795a8df592425e6351f56c
SHA256 d63d9ec2f0557184aba3d4156d755767cd234fc4b108f4209abbf28c064936c6
SHA512 203df4ab2c065923f6ae3f101d8046f300506e77c74a4864eaceca47e427928ab31da37374794efd24b475e8cca4abba8baed768860715076f2a708c2c7c9493

C:\Users\Admin\AppData\Local\Temp\Costura\B4E6149F9DF2675E948A226726FC1F86\32\sense4.dll

MD5 2cc4f1fa5b4a50a0fadc732678db94dc
SHA1 696f39720b09d030403f751cd6f3de3fdd7df29a
SHA256 5be725eace8521c03b2167c4a27ae78cec9b838478bc4342e90afc47be3c6876
SHA512 57fbbdd8c282ce396af5db58669d6bb2e5d5e0313175f1dd4441cc82d0a194e2564db3a8eb44b50abc54f1e221daa9826e77d22ae16ae1b56279f44eac907b34

memory/1836-26-0x0000000007670000-0x000000000767C000-memory.dmp

memory/1836-27-0x0000000007680000-0x00000000076A8000-memory.dmp

memory/1836-28-0x00000000076B0000-0x00000000076C6000-memory.dmp

memory/1836-29-0x0000000007940000-0x0000000007C8A000-memory.dmp

memory/1836-30-0x0000000007EB0000-0x0000000007EF6000-memory.dmp

memory/1836-31-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

memory/1836-32-0x0000000008000000-0x00000000080BA000-memory.dmp

memory/1836-33-0x0000000007E00000-0x0000000007E08000-memory.dmp

memory/1836-34-0x0000000007DD0000-0x0000000007DE6000-memory.dmp

memory/1836-35-0x0000000007E50000-0x0000000007E7A000-memory.dmp

memory/1836-36-0x0000000007E80000-0x0000000007E88000-memory.dmp

memory/1836-37-0x00000000081C0000-0x0000000008236000-memory.dmp

memory/1836-38-0x0000000008260000-0x0000000008268000-memory.dmp

memory/1836-39-0x0000000008390000-0x00000000083B8000-memory.dmp

memory/1836-40-0x0000000008610000-0x000000000885A000-memory.dmp

memory/1836-41-0x00000000083D0000-0x00000000083DA000-memory.dmp

memory/1836-47-0x000000000BE40000-0x000000000BE78000-memory.dmp

memory/1836-48-0x000000000BE10000-0x000000000BE1E000-memory.dmp

memory/1836-49-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-50-0x000000000B5A0000-0x000000000B5B6000-memory.dmp

memory/1836-51-0x000000000C3C0000-0x000000000C42C000-memory.dmp

memory/1836-52-0x000000000DDD0000-0x000000000DE62000-memory.dmp

memory/1836-53-0x000000000E420000-0x000000000E9C4000-memory.dmp

memory/1836-59-0x000000000EA80000-0x000000000EA8A000-memory.dmp

memory/1836-61-0x0000000000170000-0x0000000001118000-memory.dmp

memory/1836-62-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-63-0x00000000760D0000-0x00000000760D1000-memory.dmp

memory/1836-65-0x00000000760B0000-0x00000000761A0000-memory.dmp

memory/1836-67-0x00000000760B0000-0x00000000761A0000-memory.dmp