Malware Analysis Report

2025-01-03 09:11

Sample ID 240620-naernathkh
Target 05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118
SHA256 8bf27f7fef888a9a66d13de729f3ad30419602ae1f1ecdbb0c3aa67fe7c9a525
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8bf27f7fef888a9a66d13de729f3ad30419602ae1f1ecdbb0c3aa67fe7c9a525

Threat Level: Shows suspicious behavior

The file 05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 11:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 11:11

Reported

2024-06-20 11:13

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe"

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 11:11

Reported

2024-06-20 11:13

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\DtcInstall.log | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\DtcInstall.log | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\DtcInstall.log | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\DtcInstall.log
PID 2240 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe"

C:\Windows\DtcInstall.log

C:\Windows\DtcInstall.log

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\Temp\red1.bat

Network

N/A

Files

memory/2240-2-0x0000000000470000-0x00000000004DE000-memory.dmp

C:\Windows\DtcInstall.log

MD5 ab62232e4a6bfbe78ee7e2034ca5b103
SHA1 426a0e9149a6a9b8fa5a85aa2328d16ca717cfc4
SHA256 60be6d417c86b06b6ee3bcf46fd4b851f3abff454064b8bec6d22bf4881b0896
SHA512 b756d2cb99e7c111c59986d69f07c0c3df7fe481f75f17b36e1ee52ccf137d28cc6411808be1d31dabd45054205dcb9b34b410d1776b553048f808c88bfe0e0a

memory/1564-13-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Windows\Temp\red1.bat

MD5 1084c776c10d0d79c5656843a849921d
SHA1 eb939e468299ed0e124e49042e75cb5f01bd146f
SHA256 a32c88128b9515e44645c838c3756c78bdc855f34808656134cb1714d8fc5460
SHA512 33e75bb5577042b2e21fadf1332a6e47cc54a69217a75116f5c272d5990f271476e27b71492271b2d14c21c1901da86a73e51a7c1303d684081c759e282a7433

memory/1564-14-0x000000000044B000-0x000000000044C000-memory.dmp

memory/1564-16-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1564-19-0x0000000000740000-0x0000000000743000-memory.dmp

memory/1564-18-0x0000000000400000-0x000000000046E000-memory.dmp