Malware Analysis Report

2025-01-03 09:11

Sample ID: 240620-ncwsysvalc
Target: 057d5457220867a868f1cbc95dfad748_JaffaCakes118
SHA256: 88408e5254a63b19552d2b61b0f97ee41f03769bdd65a5168f6b37464214bd42
Tags: bootkit, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: 88408e5254a63b19552d2b61b0f97ee41f03769bdd65a5168f6b37464214bd42
Threat Level: Likely malicious

The file 057d5457220867a868f1cbc95dfad748_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence
Drops file in Drivers directory (the file touched is C:\Windows\system32\drivers\etc\hosts, i.e. the hosts file, not a driver; see behavioral1)
Writes to the Master Boot Record (MBR) (write handle to \??\PhysicalDrive0; behavioral1, Windows 7 only)
Program crash (behavioral2, Windows 10; the WerFault.exe processes listed there handle the crash of the sample)
Unsigned PE
Modifies registry class (HKLM\SOFTWARE\Classes\.key set to the "regfile" ProgID on both platforms)
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are listed in the report.

Analysis: static1

Detonation Overview

Reported: 2024-06-20 11:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 11:15
Reported: 2024-06-20 11:18
Platform: win7-20240611-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A

The signature keys on the system32\drivers path, but the file opened is the hosts file, not a driver image. A write handle to hosts points to name-resolution tampering (redirecting or blocking chosen hostnames); the report records only the open, not what was written, so the file should be diffed against the stock copy when confirming this.

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A

\??\PhysicalDrive0 is the raw first physical disk. A write handle to it bypasses the file system and is the route a bootkit uses to replace the 512-byte MBR; it requires administrative rights (the sandbox user here is Admin). The report records that the device was opened for modification, not the bytes written, so the disk image from the run should be checked to confirm whether the bootstrap code actually changed.
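To confirm what a write to PhysicalDrive0 did, compare the first 512 bytes of the disk after the run with a known-good copy. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses an MBR (bootstrap code, partition table, 0x55AA signature) and diffs two sectors. The sample sectors are constructed and the boot-code bytes are placeholders, not real boot code.

```python
"""Parse and diff a 512-byte MBR sector: bootstrap code hash, 0x55AA signature,
and the four partition-table entries. Added example; sample sectors are constructed."""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446                      # bytes 0-445: bootstrap code (what a bootkit replaces)
PART_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict:
    """Split an MBR into bootstrap-code hash, signature check and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = PART_ENTRY.unpack_from(
            sector, BOOT_CODE_LEN + i * PART_ENTRY.size)
        if ptype != 0:                    # type 0x00 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return human-readable differences between a known-good MBR and the current one."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    diffs = []
    if not after["signature_ok"]:
        diffs.append("boot signature 0x55AA missing: current sector is not a valid MBR")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        diffs.append("bootstrap code (bytes 0-445) changed: bootkit-style MBR overwrite")
    if before["partitions"] != after["partitions"]:
        diffs.append("partition table changed")
    return diffs


def build_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from bootstrap bytes and (status, type, lba_start, sectors) tuples.
    CHS fields are zeroed; LBA is what modern firmware and Windows actually use."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(PART_ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for status, ptype, lba, count in partitions)
    table = table.ljust(4 * PART_ENTRY.size, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + BOOT_SIGNATURE


# Constructed sample data (placeholder bytes, not real boot code):
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
INFECTED_BOOT = b"\xeb\x3c\x90" + b"\x41" * 40
PARTITIONS = [(0x80, 0x07, 2048, 204800)]            # one bootable NTFS-type partition
CLEAN_MBR = build_mbr(CLEAN_BOOT, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOT, PARTITIONS)  # bootstrap replaced, partition table kept

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(compare_mbr(CLEAN_MBR, INFECTED_MBR))
```

On a live Windows host the current sector is read, as administrator, with open(r"\\.\PhysicalDrive0", "rb").read(512); from a sandbox disk image it is the first 512 bytes of the image file. The baseline should be the same machine's MBR captured before detonation. Bootkits typically leave the partition table intact so the system still boots, which is why the bootstrap-code hash is compared separately from the partition entries; on a GPT disk the first sector is a protective MBR and its bootstrap bytes are still worth comparing.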

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A

The sample creates HKLM\SOFTWARE\Classes\.key and sets its default value to "regfile", the ProgID Windows uses for .reg files. Any file with a .key extension is therefore handed to the registry editor's import handler, so opening such a file applies its contents to the registry. Because the change is under HKLM it is machine-wide and needs administrative rights; treat it as a file-association execution trigger rather than routine class registration.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe"

Network

N/A

Files

Memory regions dumped from PID 1248 (the sample process): the main image mapped at 0x400000-0x477000 and a series of single-page (0x1000-byte) regions.

memory/1248-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1248-1-0x0000000000260000-0x0000000000290000-memory.dmp

memory/1248-6-0x0000000000260000-0x0000000000290000-memory.dmp

memory/1248-2-0x0000000000290000-0x0000000000294000-memory.dmp

memory/1248-31-0x0000000001F50000-0x0000000001F51000-memory.dmp

memory/1248-58-0x0000000002400000-0x0000000002401000-memory.dmp

memory/1248-57-0x0000000002410000-0x0000000002411000-memory.dmp

memory/1248-56-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/1248-55-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/1248-53-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/1248-54-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1248-52-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/1248-51-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/1248-50-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/1248-49-0x0000000002380000-0x0000000002381000-memory.dmp

memory/1248-48-0x0000000002390000-0x0000000002391000-memory.dmp

memory/1248-47-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1248-46-0x0000000002370000-0x0000000002371000-memory.dmp

memory/1248-45-0x0000000002340000-0x0000000002341000-memory.dmp

memory/1248-44-0x0000000002350000-0x0000000002351000-memory.dmp

memory/1248-43-0x0000000002010000-0x0000000002011000-memory.dmp

memory/1248-42-0x0000000002330000-0x0000000002331000-memory.dmp

memory/1248-41-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

memory/1248-40-0x0000000002000000-0x0000000002001000-memory.dmp

memory/1248-39-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

memory/1248-38-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/1248-37-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/1248-36-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/1248-35-0x0000000001F90000-0x0000000001F91000-memory.dmp

memory/1248-34-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/1248-33-0x0000000001F70000-0x0000000001F71000-memory.dmp

memory/1248-32-0x0000000001F80000-0x0000000001F81000-memory.dmp

memory/1248-30-0x0000000001F60000-0x0000000001F61000-memory.dmp

memory/1248-29-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

memory/1248-28-0x0000000001F40000-0x0000000001F41000-memory.dmp

memory/1248-27-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

memory/1248-26-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/1248-25-0x0000000000830000-0x0000000000831000-memory.dmp

memory/1248-24-0x0000000000840000-0x0000000000841000-memory.dmp

memory/1248-23-0x0000000000580000-0x0000000000581000-memory.dmp

memory/1248-22-0x0000000000820000-0x0000000000821000-memory.dmp

memory/1248-21-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1248-20-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1248-19-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1248-18-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1248-17-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1248-16-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/1248-15-0x0000000000380000-0x0000000000381000-memory.dmp

memory/1248-14-0x0000000000390000-0x0000000000391000-memory.dmp

memory/1248-13-0x0000000000360000-0x0000000000361000-memory.dmp

memory/1248-12-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1248-11-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1248-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1248-9-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1248-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1248-7-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1248-59-0x0000000002400000-0x0000000002401000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 11:15
Reported: 2024-06-20 11:18
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe"

Signatures

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe | N/A

The same machine-wide change as on Windows 7: the .key extension is associated with the regfile ProgID, the registry-file (.reg) import handler. It is the only signature recorded on Windows 10 before the process crashed; the hosts-file and raw-disk writes seen on Windows 7 did not occur in this run.
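The signature rows above, and the fuller set in behavioral1 (the hosts file, \??\PhysicalDrive0 and the same .key rows), are flat text that is easy to misread, as the "Drops file in Drivers directory" label shows. The Python below is an added example, not the report's or the sandbox's own code: it classifies such rows, separates the hosts file from a real driver drop, flags raw-disk write handles, and decodes the extension-to-ProgID change. The rows are copied from this report except the two marked constructed; the ATT&CK technique IDs in the notes are my own mapping, since the report's MITRE section is empty.

```python
"""Classify flattened sandbox indicator rows (description, indicator, process).
Added example for triage; the .sys and notes.txt rows are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# \??\PhysicalDrive0 or \\.\PhysicalDrive0 (whole disk), \??\C: or \\.\C: (raw volume)
RAW_DISK_RE = re.compile(r"^(?:\\\?\?\\|\\\\\.\\)(?:PhysicalDrive\d+|[A-Za-z]:)$")
HOSTS_RE = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.I)
DRIVER_DIR_RE = re.compile(r"\\system32\\drivers\\", re.I)
# HKLM\SOFTWARE\Classes\.<ext>[\] [= "<ProgID>"]  (default value of the extension key)
CLASSES_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.[^\\ ]+)\\?\s*(?:= "([^"]*)")?$', re.I)
# ProgIDs whose open handler executes or imports the file it is handed
EXECUTING_PROGIDS = {"regfile", "exefile", "batfile", "cmdfile", "scrfile"}


@dataclass
class Finding:
    category: str
    severity: int        # 1 = informational, 2 = suspicious, 3 = high
    indicator: str
    note: str


def classify(description: str, indicator: str) -> Optional[Finding]:
    """Map one sandbox row to a finding, or None if it is uninteresting."""
    desc = description.lower()
    if RAW_DISK_RE.match(indicator):
        if "modification" in desc:
            return Finding("raw-disk-write", 3, indicator,
                           "raw disk handle opened for write; MBR/bootkit tampering (ATT&CK T1542.003)")
        return Finding("raw-disk-read", 1, indicator, "raw disk opened, no write access recorded")
    if HOSTS_RE.search(indicator):
        # Same directory as kernel drivers, but this is the hosts file: name-resolution
        # hijack, not a driver drop, even though "Drivers directory" rules fire on the path.
        return Finding("hosts-file-tamper", 2, indicator,
                       "hosts file modified: resolution of chosen hostnames can be redirected")
    if DRIVER_DIR_RE.search(indicator):
        is_sys = indicator.lower().endswith(".sys")
        return Finding("driver-drop", 3 if is_sys else 2, indicator,
                       "file written under system32\\drivers" + (" (kernel driver image)" if is_sys else ""))
    m = CLASSES_RE.match(indicator)
    if m and desc.startswith("set value") and m.group(2):
        ext, progid = m.group(1), m.group(2)
        sev = 3 if progid.lower() in EXECUTING_PROGIDS else 1
        return Finding("file-association-change", sev, indicator,
                       f"{ext} files now open with ProgID {progid}"
                       + (" (ATT&CK T1546.001)" if sev == 3 else ""))
    return None


def triage(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    """Classify every (description, indicator, process) row; highest severity first."""
    found = []
    for desc, indicator, _process in rows:
        finding = classify(desc, indicator)
        if finding is not None:
            found.append(finding)
    return sorted(found, key=lambda f: -f.severity)   # stable: ties keep row order


def max_severity(findings: List[Finding]) -> int:
    return max((f.severity for f in findings), default=0)


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe"
# Rows copied from the report's behavioral1 signature tables, plus two constructed rows
# (a hypothetical .sys drop and an ordinary user file) to show the distinctions.
ROWS = [
    ("File opened for modification", r"C:\Windows\system32\drivers\etc\hosts", SAMPLE_EXE),
    ("File opened for modification", r"\??\PhysicalDrive0", SAMPLE_EXE),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.key", SAMPLE_EXE),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"', SAMPLE_EXE),
    ("File created", r"C:\Windows\system32\drivers\example.sys", SAMPLE_EXE),    # constructed
    ("File opened for modification", r"C:\Users\Admin\notes.txt", SAMPLE_EXE),   # constructed
]

if __name__ == "__main__":
    for f in triage(ROWS):
        print(f.severity, f.category, f.indicator, "-", f.note)
```

The ordering of checks matters: the hosts-file test runs before the generic drivers-directory test, otherwise the hosts row would be reported as a driver drop, which is exactly the mislabel in the report. Registry rows only count when a value is actually set; the bare "Key created" row is noise on its own.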

Processes

C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\057d5457220867a868f1cbc95dfad748_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 472

The two WerFault.exe instances are Windows Error Reporting handling a crash of PID 3184, which is the sample (the memory dumps below are named 3184-*); this is the "Program crash" entry in the summary. The 32-bit SysWOW64 WerFault matches a 32-bit sample on 64-bit Windows 10.

Network

N/A

Files

Memory regions dumped from PID 3184 (the sample process): the main image mapped at 0x400000-0x477000 and a series of single-page (0x1000-byte) regions, as in the Windows 7 run.

memory/3184-1-0x0000000000620000-0x0000000000650000-memory.dmp

memory/3184-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3184-20-0x0000000002330000-0x0000000002331000-memory.dmp

memory/3184-31-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/3184-30-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/3184-29-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/3184-28-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/3184-27-0x0000000002380000-0x0000000002381000-memory.dmp

memory/3184-26-0x0000000002390000-0x0000000002391000-memory.dmp

memory/3184-25-0x0000000002360000-0x0000000002361000-memory.dmp

memory/3184-53-0x0000000002530000-0x0000000002531000-memory.dmp

memory/3184-52-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3184-51-0x0000000002510000-0x0000000002511000-memory.dmp

memory/3184-50-0x0000000002520000-0x0000000002521000-memory.dmp

memory/3184-49-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/3184-48-0x0000000002500000-0x0000000002501000-memory.dmp

memory/3184-47-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/3184-46-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/3184-45-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/3184-44-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/3184-43-0x0000000002480000-0x0000000002481000-memory.dmp

memory/3184-42-0x0000000002490000-0x0000000002491000-memory.dmp

memory/3184-41-0x0000000002460000-0x0000000002461000-memory.dmp

memory/3184-40-0x0000000002470000-0x0000000002471000-memory.dmp

memory/3184-39-0x0000000002440000-0x0000000002441000-memory.dmp

memory/3184-38-0x0000000002450000-0x0000000002451000-memory.dmp

memory/3184-37-0x0000000002420000-0x0000000002421000-memory.dmp

memory/3184-36-0x0000000002430000-0x0000000002431000-memory.dmp

memory/3184-35-0x0000000002400000-0x0000000002401000-memory.dmp

memory/3184-34-0x0000000002410000-0x0000000002411000-memory.dmp

memory/3184-33-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/3184-32-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/3184-24-0x0000000002370000-0x0000000002371000-memory.dmp

memory/3184-23-0x0000000002340000-0x0000000002341000-memory.dmp

memory/3184-22-0x0000000002350000-0x0000000002351000-memory.dmp

memory/3184-21-0x0000000002320000-0x0000000002321000-memory.dmp

memory/3184-19-0x0000000002300000-0x0000000002301000-memory.dmp

memory/3184-18-0x0000000002310000-0x0000000002311000-memory.dmp

memory/3184-17-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/3184-16-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/3184-15-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/3184-14-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/3184-13-0x0000000000700000-0x0000000000701000-memory.dmp

memory/3184-11-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/3184-10-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/3184-9-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/3184-8-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/3184-7-0x0000000000670000-0x0000000000671000-memory.dmp

memory/3184-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/3184-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/3184-4-0x0000000000660000-0x0000000000661000-memory.dmp

memory/3184-3-0x0000000000600000-0x0000000000601000-memory.dmp

memory/3184-2-0x0000000000650000-0x0000000000654000-memory.dmp

memory/3184-12-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/3184-54-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3184-55-0x0000000000620000-0x0000000000650000-memory.dmp