Malware Analysis Report

2025-01-03 09:23

Sample ID 240620-qvblvavapp
Target 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118
SHA256 507dcbf1e05e027dd305018644ee3f8ff254f5e2f377f6d35556216f7276165f
Tags bootkit, persistence
Score 8/10


Analysis Overview

Score 8/10

SHA256 507dcbf1e05e027dd305018644ee3f8ff254f5e2f377f6d35556216f7276165f

Threat Level: Likely malicious

The file 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118 was found to be: Likely malicious.

Read together, the two detonations below show a dropper with a bootkit component. The executable writes a DLL into C:\Windows\system32\drivers\etc (a directory that normally holds only text files such as hosts and services), registers that DLL as the ServiceDLL of a new service whose name is GBK-encoded Chinese, and opens \??\PhysicalDrive0 for modification both from the dropper and from the svchost.exe -k netsvcs process that later hosts the DLL; the svchost-hosted code then deletes the original executable. Network activity is a lookup of ghmm.vicp.net, a dynamic-DNS hostname, followed on the Windows 7 run by TCP connections to 116.21.113.188:8800. The dropped DLL and the .del file have identical hashes in both runs while their file names are randomised per run, so the file hashes, the service name and the hostname are the durable indicators; the dropped paths are not.

Malicious Activity Summary

bootkit persistence

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported 2024-06-20 13:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 13:34
Reported 2024-06-20 13:37
Platform win7-20231129-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\KsDQgAKT.dll C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\etc\KsDQgAKT.dll C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\无语中。。。\Parameters\ServiceDLL = "%SystemRoot%\\system32\\drivers\\etc\\KsDQgAKT.dll" C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

The service name is GBK-encoded Chinese (无语中。。。, "speechless..."); the sandbox rendered the raw bytes as the mojibake ÎÞÓïÖС£¡£¡£, which is the form that appears in other copies of this report. The signature name is the sandbox's generic label for any ServiceDll registration: the sample installs its own svchost-hosted service DLL rather than replacing the Terminal Services DLL (termsrv.dll).

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\PH2WiD8w6P.ini C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\401087eaec0a044beea08790385a315f.del C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ghmm.vicp.net udp 1
CN 116.21.113.188:8800 ghmm.vicp.net tcp 5

ghmm.vicp.net resolved to 116.21.113.188 during this run and five TCP connections were made to port 8800. vicp.net is a dynamic-DNS service (Oray PeanutHull), so the address is ephemeral: pivot on the hostname and the port rather than the IP.

Files

\??\c:\windows\system32\drivers\etc\ksdqgakt.dll

MD5 ee139c2f3e9de095fb64cca3f28a2ff3
SHA1 bc00e013e2071d1ca0b79d1b0f51701745440526
SHA256 c7514c62cf49a666727fa4e36d102919ed22321cff5b12baeae8332b319ebf54
SHA512 abf2d5b52310eed2089841796cdafd4ef8b26d1e2c2c29874d7090967515fa45d3d0ebf1dc84f5059ac438dcecc9405eca49f6a388618f14192aad0fd10bd6df

memory/2736-7-0x00000000002E0000-0x0000000000308000-memory.dmp

memory/1044-6-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\401087eaec0a044beea08790385a315f.del

MD5 edd34ec1323bd1962955ae9e10e17bf1
SHA1 2cc403bb131353904a5fda11cba35a2f97529fd9
SHA256 fbdbd4e62d22a7e05235b12e21f837a5e749da4b99dc051a343d691d81b03a90
SHA512 02696b2aed5e7e1df03fcbd246865b29b7100534f4577fe9ee281bd6be8b368887bec90c2fe429519e50878bb63a03067eefc94ba2b60d35e26cf8992afd649d

memory/2736-{9,11,12,14,16,18,19,21}-0x00000000002E0000-0x0000000000308000-memory.dmp (eight further dumps of the same 0x28000-byte region of process 2736)

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 13:34
Reported 2024-06-20 13:37
Platform win10v2004-20240508-en
Max time kernel 148s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\jTGPZbvP.dll C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\jTGPZbvP.dll C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\无语中。。。\Parameters\ServiceDLL = "%SystemRoot%\\system32\\drivers\\etc\\jTGPZbvP.dll" C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Same service name as the Windows 7 run (GBK-encoded 无语中。。。, shown by the sandbox as ÎÞÓïÖС£¡£¡£); only the DLL file name differs.
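
Hunting for this persistence on a live host, as an added example that is not part of the sandbox report: the script below parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` and flags ServiceDll values that do not point directly into System32 or SysWOW64, that sit under drivers\etc, or whose service name is non-ASCII. It covers the registration seen in both runs (KsDQgAKT.dll on Windows 7, jTGPZbvP.dll on Windows 10). The sample output is constructed: two ordinary Windows services plus the entry this sample writes (the sandbox logged it under ControlSet001; CurrentControlSet is the alias a running system exposes). Expanding %SystemRoot% to a fixed C:\Windows is an assumption so the script runs offline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of what
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
# prints: two ordinary Windows services and the entry this sample writes.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\wuaueng.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\无语中。。。\Parameters
    ServiceDLL    REG_EXPAND_SZ    %SystemRoot%\system32\drivers\etc\jTGPZbvP.dll
"""

# Assumption: fixed so the script runs offline; read os.environ["SystemRoot"] on a live host.
SYSTEM_ROOT = r"C:\Windows"
# Service DLLs hosted by svchost normally live directly in one of these two directories.
EXPECTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\(?P<svc>.+?)\\Parameters\s*$", re.I)
VALUE_RE = re.compile(
    r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(?P<path>\S.*?)\s*$", re.I)


def expand_system_root(path: str) -> str:
    """Expand %SystemRoot% (any case) without touching the rest of the path."""
    return re.sub(r"%systemroot%", lambda _m: SYSTEM_ROOT, path, flags=re.I)


def parse_reg_query(text: str):
    """Yield (service_name, raw ServiceDll value) pairs from reg query output."""
    service = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            service = m.group("svc")
            continue
        m = VALUE_RE.match(line)
        if m and service is not None:
            yield service, m.group("path")


def audit_servicedll(service: str, raw_value: str) -> list:
    """Reasons this entry deserves a look; an empty list means nothing unusual."""
    reasons = []
    dll = PureWindowsPath(expand_system_root(raw_value))
    parent = str(dll.parent).lower()
    if parent not in EXPECTED_DLL_DIRS:
        reasons.append(f"ServiceDll outside System32/SysWOW64: {dll}")
    if parent.endswith(r"\drivers\etc"):
        reasons.append("drivers\\etc holds hosts/networks/protocol text files, never DLLs")
    if not service.isascii():
        reasons.append("non-ASCII service name")
    return reasons


def find_suspicious_services(text: str) -> dict:
    """Map service name -> reasons, for every entry that raised at least one reason."""
    findings = {}
    for service, raw_value in parse_reg_query(text):
        reasons = audit_servicedll(service, raw_value)
        if reasons:
            findings[service] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in find_suspicious_services(SAMPLE_REG_QUERY).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

On a live host, pipe the real `reg query` output into `find_suspicious_services`; the same checks apply to the ControlSet001/ControlSet002 keys the sandbox recorded, since the regex accepts any control set name. A hit should be followed by hashing the DLL and comparing against the c7514c62... value in the Files section.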

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A
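
To confirm on a suspect host whether sector zero was actually rewritten (the sandbox only records that \??\PhysicalDrive0 was opened for modification, in both the Windows 7 and Windows 10 runs), here is an added example that is not part of the report: it parses a 512-byte MBR, hashes the 446-byte boot code, decodes the partition table and compares against a baseline hash taken from a known-good image of the same machine. The two sectors it checks are constructed inline, one clean and one whose boot code was replaced while the partition table was left intact, which is the pattern to expect from a bootkit that chain-loads the original code. The `read_live_mbr` helper opens `\\.\PhysicalDrive0`, the Win32 form of the `\??\PhysicalDrive0` handle in the table above; it needs administrator rights and only runs when `--live` is passed on Windows.

```python
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: one active NTFS partition (type 0x07) at LBA 2048; CHS fields zeroed."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 48        # three unused entries
    return code + table + b"\x55\xAA"


# Constructed "known good" boot code: the usual opening of a Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,0x7C00) followed by filler.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 200
# Constructed tampered boot code: a jmp-to-self stub standing in for a bootkit loader.
TAMPERED_BOOT_CODE = b"\xEB\xFE" + b"\xCC" * 300


def parse_mbr(sector: bytes) -> dict:
    """Decode boot-code hash, boot signature and the four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY, sector, BOOT_CODE_LEN + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:] == b"\x55\xAA",
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Findings for this sector; an empty list means it matches the baseline and looks sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code does not match baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    return findings


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector zero of the physical disk (Windows only, administrator required)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(MBR_SIZE)


CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
# In practice the baseline comes from a golden image or a pre-incident backup of the same host.
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    target = read_live_mbr() if live else TAMPERED_MBR
    findings = check_mbr(target, BASELINE_HASH)
    print("clean" if not findings else "\n".join(findings))
    for p in parse_mbr(target)["partitions"]:
        print(p)
```

A bootkit that overwrites sector zero usually keeps the partition table so the system still boots, which is why the partition entries compare equal here while the boot-code hash does not; a baseline hash is therefore the decisive check, and a partition-table-only comparison would miss this class of tampering.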

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\PH2WiD8w6P.ini C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\0f20dccb350d837fad038e2dbdfc53f4.del C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 ghmm.vicp.net udp 9

On the Windows 10 run only DNS traffic was captured: nine lookups of ghmm.vicp.net and no TCP session, consistent with the name not resolving (or the 116.21.113.188:8800 endpoint seen in the Windows 7 run being unreachable) at detonation time. The repeated queries show the implant retrying its C2 lookup in a loop.

Files

\??\c:\windows\system32\drivers\etc\jtgpzbvp.dll

MD5 ee139c2f3e9de095fb64cca3f28a2ff3
SHA1 bc00e013e2071d1ca0b79d1b0f51701745440526
SHA256 c7514c62cf49a666727fa4e36d102919ed22321cff5b12baeae8332b319ebf54
SHA512 abf2d5b52310eed2089841796cdafd4ef8b26d1e2c2c29874d7090967515fa45d3d0ebf1dc84f5059ac438dcecc9405eca49f6a388618f14192aad0fd10bd6df

memory/1360-5-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\0f20dccb350d837fad038e2dbdfc53f4.del

MD5 edd34ec1323bd1962955ae9e10e17bf1
SHA1 2cc403bb131353904a5fda11cba35a2f97529fd9
SHA256 fbdbd4e62d22a7e05235b12e21f837a5e749da4b99dc051a343d691d81b03a90
SHA512 02696b2aed5e7e1df03fcbd246865b29b7100534f4577fe9ee281bd6be8b368887bec90c2fe429519e50878bb63a03067eefc94ba2b60d35e26cf8992afd649d

memory/4572-8-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4572-10-0x0000000000400000-0x0000000000428000-memory.dmp