Malware Analysis Report

2025-01-03 09:11

Sample ID 240620-madzpasbmg
Target 0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118
SHA256 872790e1fe9c9deacafb4d2342aef60d7d16843fdc3e5f027584b09e0ba21307
Tags
bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

872790e1fe9c9deacafb4d2342aef60d7d16843fdc3e5f027584b09e0ba21307

Threat Level: Shows suspicious behavior

The file 0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 10:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 10:15

Reported

2024-06-20 10:17

Platform

win7-20240508-en

Max time kernel

142s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A
N/A N/A C:\Windows\GHFHGJHNSSJDW.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\GHFHGJHNSSJDW.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\GHFHGJHNSSJDW.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A
File opened for modification C:\Windows\GHFHGJHNSSJDW.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A
File created C:\Windows\HKFX2008.BAT C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\GHFHGJHNSSJDW.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\GHFHGJHNSSJDW.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

C:\Windows\GHFHGJHNSSJDW.exe

C:\Windows\GHFHGJHNSSJDW.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\HKFX2008.BAT

Network

Country Destination Domain Proto
US 8.8.8.8:53 fenseda.3322.org udp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

MD5 fbb39bc439ab98c2b7cb3f08539cbf5b
SHA1 b1c8339d59cee39469d378e22da31d1dea39df30
SHA256 580114c47f0421b0d69d384d9aed8ca199d59298d041572a9b84e516c5231a84
SHA512 94902ffd0320021257fe2e9e9186b6610e82455af94ff9d8d84c3b37b7e4eafe555be1d881a37d9f3163360afd89e95d38faa3a16efb114804d24d89a7a6dffe

C:\Windows\HKFX2008.BAT

MD5 64af92b66bd28b11b9b93ae2cc36f1d9
SHA1 ae72261f0ed678ff0160a9ecd66fa47ec42e5fb7
SHA256 b5eec4c04e5a69382b0a8483de817cb8477a89cc53b8e83c361183dfd312696c
SHA512 6e5c8404142c3119d4148932ea87119518c611ab91d49decb814258b1fa5abe8bdb2b2ac2c24760aa76b49db02ee7496bcd55580b20da1b33750d1b771771129

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 10:15

Reported

2024-06-20 10:17

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0510818d636706ef1cbc8f3b0a7a4bfd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 260

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 107.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

MD5 fbb39bc439ab98c2b7cb3f08539cbf5b
SHA1 b1c8339d59cee39469d378e22da31d1dea39df30
SHA256 580114c47f0421b0d69d384d9aed8ca199d59298d041572a9b84e516c5231a84
SHA512 94902ffd0320021257fe2e9e9186b6610e82455af94ff9d8d84c3b37b7e4eafe555be1d881a37d9f3163360afd89e95d38faa3a16efb114804d24d89a7a6dffe
