Malware Analysis Report

2024-09-23 10:30

Sample ID 240614-lebvfsvanc
Target a8f5fb2f8f9d470d839a66f97fac8993_JaffaCakes118
SHA256 5677454eb78a84614f74908647124a2694f72a39c557b5c51a48cdafff4a224f
Tags
evasion bootkit persistence
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

5677454eb78a84614f74908647124a2694f72a39c557b5c51a48cdafff4a224f

Threat Level: Likely malicious

The file a8f5fb2f8f9d470d839a66f97fac8993_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion bootkit persistence

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Identifies Wine through registry keys

Checks BIOS information in registry

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 09:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:28

Platform

win7-20240221-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe"

Network

N/A

Files

memory/2168-0-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-1-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-5-0x0000000000400000-0x0000000000DCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Save\default\setting.ini

MD5 63933b827725bd9e451297552f1c3098
SHA1 814995b11ca52023ad74365ac3c9aa2c3d5ddc43
SHA256 764db806f9822a960b6a6434041a931506ba2b764f7a19943c3263c54382e419
SHA512 e4aa379bb4e56796403316158a55a5d8f033b62bdfc7223ef9b27ddced207c59e179d538328e17eff7ffdccfb066dabcd63d69bf6ac588a83383afbf478ca2d1

memory/2168-8-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-13-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-18-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-21-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-26-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-31-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-34-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-39-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-42-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-47-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-50-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/2168-55-0x0000000000400000-0x0000000000DCD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4472-0-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-1-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-5-0x0000000000400000-0x0000000000DCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Save\default\setting.ini

MD5 63933b827725bd9e451297552f1c3098
SHA1 814995b11ca52023ad74365ac3c9aa2c3d5ddc43
SHA256 764db806f9822a960b6a6434041a931506ba2b764f7a19943c3263c54382e419
SHA512 e4aa379bb4e56796403316158a55a5d8f033b62bdfc7223ef9b27ddced207c59e179d538328e17eff7ffdccfb066dabcd63d69bf6ac588a83383afbf478ca2d1

memory/4472-8-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-13-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-18-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-21-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-26-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-31-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-34-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-39-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-42-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-47-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-52-0x0000000000400000-0x0000000000DCD000-memory.dmp

memory/4472-55-0x0000000000400000-0x0000000000DCD000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:28

Platform

win7-20240611-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe

"C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe"

Network

N/A

Files

memory/1244-0-0x0000000000400000-0x000000000092E000-memory.dmp

memory/1244-1-0x0000000077970000-0x0000000077972000-memory.dmp

memory/1244-2-0x0000000000401000-0x00000000004BA000-memory.dmp

memory/1244-3-0x0000000000400000-0x000000000092E000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:28

Platform

win7-20240508-en

Max time kernel

141s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 protector-market.net udp

Files

memory/2404-0-0x0000000074B30000-0x0000000074F81000-memory.dmp

memory/2404-1-0x0000000074B50000-0x0000000074FA1000-memory.dmp

memory/2404-3-0x0000000074B30000-0x0000000074F81000-memory.dmp

memory/2404-2-0x00000000746F0000-0x0000000074B41000-memory.dmp

memory/2404-6-0x0000000074B50000-0x0000000074FA1000-memory.dmp

memory/2404-7-0x00000000746F0000-0x0000000074B41000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:29

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3900 wrote to memory of 5068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3900 wrote to memory of 5068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3900 wrote to memory of 5068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5068 -ip 5068

Network

Country Destination Domain Proto
US 8.8.8.8:53 protector-market.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.22.237:443 g.bing.com tcp
BE 88.221.83.250:443 www.bing.com tcp
US 8.8.8.8:53 237.22.107.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 250.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/5068-0-0x0000000074690000-0x0000000074AE1000-memory.dmp

memory/5068-2-0x0000000074690000-0x0000000074AE1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:29

Platform

win7-20240611-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe"

Network

N/A

Files

memory/2404-0-0x0000000000400000-0x0000000001118000-memory.dmp

memory/2404-3-0x0000000000400000-0x0000000001118000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:28

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4384-0-0x0000000000400000-0x0000000001118000-memory.dmp

memory/4384-2-0x0000000000400000-0x0000000001118000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 09:26

Reported

2024-06-14 09:28

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe

"C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/3204-0-0x0000000000400000-0x000000000092E000-memory.dmp

memory/3204-1-0x0000000077814000-0x0000000077816000-memory.dmp

memory/3204-2-0x0000000000401000-0x00000000004BA000-memory.dmp

memory/3204-3-0x0000000000400000-0x000000000092E000-memory.dmp