Malware Analysis Report

2025-01-03 09:11

Sample ID 240620-mngbzaxarn
Target 053290e2a4476779170a90a11349f9fe_JaffaCakes118
SHA256 c00a29ebd40890dbd219df31d5ef5324da75bdf4872d7fdba4a5e6f638b8e728
Tags: bootkit, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

c00a29ebd40890dbd219df31d5ef5324da75bdf4872d7fdba4a5e6f638b8e728

Threat Level: Shows suspicious behavior

The file 053290e2a4476779170a90a11349f9fe_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 10:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 10:36

Reported

2024-06-20 10:39

Platform

win7-20240611-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053290e2a4476779170a90a11349f9fe_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications\LMI_Rescue.exe | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\053290e2a4476779170a90a11349f9fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053290e2a4476779170a90a11349f9fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | secure.logmeinrescue.com | udp
GB | 158.120.18.52:80 | secure.logmeinrescue.com | tcp

Files

\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe

MD5 a086a7a87ced79b9af0e15d62485c6b0
SHA1 42af19c4ab5bf8deff5015236548011a4bfe31f4
SHA256 99cddb86f0bd920b4c93de26c607e15e53fcb5705d6912d0ae1892220c5d1cff
SHA512 bb014b638cca6367bcf0a84394b6dbaa384ee7f2e101794643ab7513658c6cbf7d21707d872221e970c7857c2a50db6e16c7a725bcf43f7e132078c85bfdc350

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\params.txt

MD5 d85ad81c7fe426efe00391d69bfc53b4
SHA1 f92fd769b9802fa4dcbb453592e633702ad1c32e
SHA256 5a121c31385352929709a14c2275cbdc4d6f813d2dabc96cd4bfaa31a2b1732b
SHA512 ada67526d2c8f2d4a0856fc6d02c688aaf015cde468a80b60afcc3dccf5a6279265e9a227b10af7345fd1ec4392d7a922e18c2e6a2cb44db5a86de590340827e

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\rahook.dll

MD5 70dd1cf3e935527a93b17ad5196fa70d
SHA1 799c67e1d55678794c2a9e3d056b0d9f5d522fb0
SHA256 9876ebe0a4d1af74e117b6bf849140e3770b62f33de5274f72225cd51b3975e4
SHA512 a7899fa9faa979d02a1bb89b5bd2def97b6f69fdb0dad692ceaa536496e3032f74a86c17af1cfb48d26ba1ac75e1a7b2295be363cce04fd453dee9b1fdc28e01

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\rescue.ico

MD5 51fa8f4746f1a481c5ea25931e99ed77
SHA1 76a78677e527a0564533d90ed16fe5d7da8102e2
SHA256 ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7
SHA512 c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

memory/2692-27-0x0000000000C70000-0x0000000000C71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\logo.bmp

MD5 4925bc92dac27cf1f12c26cf72002820
SHA1 14d36e8eb66ce3704cf347657adac7fc460178a6
SHA256 af1d81679b00a6c34b9c95d6919fa70d6d6d8ad2e6df3a466a6cff2a0cba6fc6
SHA512 d119d557afce5f5117877f404e3ed32d451148bfac03f46296c70b0f34eff7a55724555f9b1edd76d202b43eafcc74568ffdedd6e60cef07491d7afb603a19c9

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\eula.txt

MD5 5d65e6c554def6496e3145de5d8e7db5
SHA1 3a7c852b510f54a81a218ffaa496d8c7c692f8cd
SHA256 39410cf3c4633b3d17d07c7753b0d0e5100d858ecd67dd562f3a0b7c015ecfcd
SHA512 a8d38ed0088dfcc592e4d5758d7e500b3871bd516b06303f21f0f017eb8e9c3dfd9de6b0d099373ad8cc7d28ae2a6b76d08870c69dea76f1138fc945b580d40b

memory/2692-39-0x0000000000C70000-0x0000000000C71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 10:36

Reported

2024-06-20 10:39

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053290e2a4476779170a90a11349f9fe_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\053290e2a4476779170a90a11349f9fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053290e2a4476779170a90a11349f9fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | secure.logmeinrescue.com | udp
US | 52.111.229.43:443 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe

MD5 a086a7a87ced79b9af0e15d62485c6b0
SHA1 42af19c4ab5bf8deff5015236548011a4bfe31f4
SHA256 99cddb86f0bd920b4c93de26c607e15e53fcb5705d6912d0ae1892220c5d1cff
SHA512 bb014b638cca6367bcf0a84394b6dbaa384ee7f2e101794643ab7513658c6cbf7d21707d872221e970c7857c2a50db6e16c7a725bcf43f7e132078c85bfdc350

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\params.txt

MD5 d85ad81c7fe426efe00391d69bfc53b4
SHA1 f92fd769b9802fa4dcbb453592e633702ad1c32e
SHA256 5a121c31385352929709a14c2275cbdc4d6f813d2dabc96cd4bfaa31a2b1732b
SHA512 ada67526d2c8f2d4a0856fc6d02c688aaf015cde468a80b60afcc3dccf5a6279265e9a227b10af7345fd1ec4392d7a922e18c2e6a2cb44db5a86de590340827e

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\rahook.dll

MD5 70dd1cf3e935527a93b17ad5196fa70d
SHA1 799c67e1d55678794c2a9e3d056b0d9f5d522fb0
SHA256 9876ebe0a4d1af74e117b6bf849140e3770b62f33de5274f72225cd51b3975e4
SHA512 a7899fa9faa979d02a1bb89b5bd2def97b6f69fdb0dad692ceaa536496e3032f74a86c17af1cfb48d26ba1ac75e1a7b2295be363cce04fd453dee9b1fdc28e01

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\rescue.ico

MD5 51fa8f4746f1a481c5ea25931e99ed77
SHA1 76a78677e527a0564533d90ed16fe5d7da8102e2
SHA256 ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7
SHA512 c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

memory/3964-29-0x0000000003550000-0x0000000003551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\logo.bmp

MD5 4925bc92dac27cf1f12c26cf72002820
SHA1 14d36e8eb66ce3704cf347657adac7fc460178a6
SHA256 af1d81679b00a6c34b9c95d6919fa70d6d6d8ad2e6df3a466a6cff2a0cba6fc6
SHA512 d119d557afce5f5117877f404e3ed32d451148bfac03f46296c70b0f34eff7a55724555f9b1edd76d202b43eafcc74568ffdedd6e60cef07491d7afb603a19c9

C:\Users\Admin\AppData\Local\Temp\LMIR0001.tmp\eula.txt

MD5 5d65e6c554def6496e3145de5d8e7db5
SHA1 3a7c852b510f54a81a218ffaa496d8c7c692f8cd
SHA256 39410cf3c4633b3d17d07c7753b0d0e5100d858ecd67dd562f3a0b7c015ecfcd
SHA512 a8d38ed0088dfcc592e4d5758d7e500b3871bd516b06303f21f0f017eb8e9c3dfd9de6b0d099373ad8cc7d28ae2a6b76d08870c69dea76f1138fc945b580d40b

memory/3964-38-0x0000000003550000-0x0000000003551000-memory.dmp