Malware Analysis Report

2025-01-03 09:24

Sample ID 240620-r18n7sxapp
Target 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118
SHA256 3f3979d9bba4340181a9a25f605d9afda4c47394495fefad5b16095b767eb5ec
Tags
bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

3f3979d9bba4340181a9a25f605d9afda4c47394495fefad5b16095b767eb5ec

Threat Level: Shows suspicious behavior

The file 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:40

Reported

2024-06-20 14:43

Platform

win7-20240508-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\EntSver.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\EntSver.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\EntSver.exe | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\EntSver.exe | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
File created | C:\Windows\GUOCYOKl.BAT | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\EntSver.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\EntSver.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe"

C:\Windows\EntSver.exe

C:\Windows\EntSver.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\GUOCYOKl.BAT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | qq14633687.3322.org | udp
US | 8.8.8.8:53 | qq14633687.3322.org | udp
US | 8.8.8.8:53 | qq14633687.3322.org | udp

Files

memory/2960-0-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/2960-3-0x0000000000550000-0x0000000000593000-memory.dmp

memory/2960-49-0x0000000002600000-0x0000000002601000-memory.dmp

memory/2960-48-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2960-47-0x0000000002610000-0x0000000002611000-memory.dmp

memory/2960-46-0x0000000002620000-0x0000000002621000-memory.dmp

memory/2960-45-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/2960-44-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2960-43-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2960-42-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2960-41-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2960-40-0x0000000002580000-0x0000000002581000-memory.dmp

memory/2960-39-0x0000000002590000-0x0000000002591000-memory.dmp

memory/2960-38-0x0000000002560000-0x0000000002561000-memory.dmp

memory/2960-37-0x0000000002570000-0x0000000002571000-memory.dmp

memory/2960-36-0x0000000002540000-0x0000000002541000-memory.dmp

memory/2960-35-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2960-34-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2960-33-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2960-32-0x0000000002400000-0x0000000002401000-memory.dmp

memory/2960-31-0x0000000002410000-0x0000000002411000-memory.dmp

memory/2960-30-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/2960-29-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/2960-28-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/2960-27-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/2960-26-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/2960-25-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/2960-24-0x0000000002380000-0x0000000002381000-memory.dmp

memory/2960-23-0x0000000002390000-0x0000000002391000-memory.dmp

memory/2960-22-0x0000000002360000-0x0000000002361000-memory.dmp

memory/2960-21-0x0000000002370000-0x0000000002371000-memory.dmp

memory/2960-20-0x0000000002340000-0x0000000002341000-memory.dmp

memory/2960-19-0x0000000002350000-0x0000000002351000-memory.dmp

memory/2960-18-0x0000000002320000-0x0000000002321000-memory.dmp

memory/2960-17-0x0000000002330000-0x0000000002331000-memory.dmp

memory/2960-16-0x0000000002300000-0x0000000002301000-memory.dmp

memory/2960-15-0x0000000002310000-0x0000000002311000-memory.dmp

memory/2960-14-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/2960-13-0x0000000002290000-0x0000000002291000-memory.dmp

memory/2960-12-0x0000000002280000-0x0000000002281000-memory.dmp

memory/2960-11-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/2960-10-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/2960-9-0x00000000022B0000-0x00000000022B3000-memory.dmp

memory/2960-8-0x0000000001F60000-0x0000000001F61000-memory.dmp

memory/2960-7-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/2960-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2960-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2960-4-0x0000000001F00000-0x0000000001F01000-memory.dmp

memory/2960-50-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2960-57-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2960-56-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2960-55-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2960-54-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2960-53-0x0000000002650000-0x0000000002651000-memory.dmp

memory/2960-52-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2960-51-0x0000000002630000-0x0000000002631000-memory.dmp

memory/2960-58-0x0000000002700000-0x0000000002701000-memory.dmp

memory/2960-87-0x00000000036E0000-0x00000000036E1000-memory.dmp

memory/2960-86-0x00000000036C0000-0x00000000036C1000-memory.dmp

memory/2960-85-0x00000000036A0000-0x00000000036A1000-memory.dmp

memory/2960-84-0x0000000003680000-0x0000000003681000-memory.dmp

memory/2960-83-0x00000000036D0000-0x00000000036D1000-memory.dmp

memory/2960-82-0x00000000036B0000-0x00000000036B1000-memory.dmp

memory/2960-81-0x0000000003690000-0x0000000003691000-memory.dmp

memory/2960-80-0x0000000003670000-0x0000000003671000-memory.dmp

memory/2960-79-0x0000000003650000-0x0000000003651000-memory.dmp

memory/2960-78-0x0000000003660000-0x0000000003661000-memory.dmp

memory/2960-77-0x0000000003630000-0x0000000003631000-memory.dmp

memory/2960-76-0x0000000003640000-0x0000000003641000-memory.dmp

memory/2960-75-0x0000000003610000-0x0000000003611000-memory.dmp

memory/2960-74-0x0000000003620000-0x0000000003621000-memory.dmp

memory/2960-73-0x00000000035F0000-0x00000000035F1000-memory.dmp

memory/2960-72-0x0000000003600000-0x0000000003601000-memory.dmp

memory/2960-71-0x00000000035D0000-0x00000000035D1000-memory.dmp

memory/2960-70-0x00000000035E0000-0x00000000035E1000-memory.dmp

memory/2960-69-0x0000000002770000-0x0000000002771000-memory.dmp

memory/2960-68-0x00000000035C0000-0x00000000035C1000-memory.dmp

memory/2960-67-0x0000000002750000-0x0000000002751000-memory.dmp

memory/2960-66-0x0000000002760000-0x0000000002761000-memory.dmp

memory/2960-65-0x0000000002730000-0x0000000002731000-memory.dmp

memory/2960-64-0x0000000002740000-0x0000000002741000-memory.dmp

memory/2960-63-0x0000000002710000-0x0000000002711000-memory.dmp

memory/2960-61-0x0000000002720000-0x0000000002721000-memory.dmp

memory/2960-60-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/2960-89-0x00000000036F0000-0x00000000036F1000-memory.dmp

memory/2960-88-0x0000000003700000-0x0000000003701000-memory.dmp

C:\Windows\EntSver.exe

MD5 06ead5ba61da4779f2c285c0c4579e68
SHA1 4571178883a3beb7a674a5c6bb12a1740f63fac2
SHA256 3f3979d9bba4340181a9a25f605d9afda4c47394495fefad5b16095b767eb5ec
SHA512 638e72ea0be633a5c8a0e71caf17d3f1ce33341ec71245048f07f4327a085046884b78dc2091768fe7d45c5fba1c0f7d01bab21194e5a98ef554673c0e9ccf41

memory/2960-96-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/2580-95-0x00000000002C0000-0x0000000000303000-memory.dmp

memory/2580-94-0x0000000000400000-0x00000000004F5000-memory.dmp

C:\Windows\GUOCYOKl.BAT

MD5 1e58d2fefe538e105345e1ce200cf552
SHA1 bbde7f2f77ceb8dcca70b1a1812960e22787b5f2
SHA256 2d53fc0097a445256bdd29834c56413217adf235fc994f1ad89619b43c0da342
SHA512 35fb8fc538be3d99bc9e13071aa9969cadb9bea0174270a3390f98a48526ef5d8affeccb4cb210e14493d39f39e3319a673168963db72c52b31a2b0cd9d95958

memory/2960-104-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/2960-105-0x0000000000550000-0x0000000000593000-memory.dmp

memory/2580-107-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/2580-109-0x00000000002C0000-0x0000000000303000-memory.dmp

memory/2580-108-0x0000000000400000-0x00000000004F5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:40

Reported

2024-06-20 14:43

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\EntSver.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\EntSver.exe | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\EntSver.exe | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
File created | C:\Windows\GUOCYOKl.BAT | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\EntSver.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\EntSver.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe"

C:\Windows\EntSver.exe

C:\Windows\EntSver.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | qq14633687.3322.org | udp
US | 8.8.8.8:53 | qq14633687.3322.org | udp
US | 8.8.8.8:53 | qq14633687.3322.org | udp
US | 8.8.8.8:53 | qq14633687.3322.org | udp

Files

memory/1048-0-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/1048-3-0x00000000022D0000-0x0000000002313000-memory.dmp

memory/1048-6-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/1048-5-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/1048-4-0x0000000002480000-0x0000000002481000-memory.dmp

memory/1048-7-0x0000000002460000-0x0000000002461000-memory.dmp

memory/1048-18-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1048-17-0x0000000002570000-0x0000000002571000-memory.dmp

memory/1048-16-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1048-15-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1048-14-0x0000000002510000-0x0000000002511000-memory.dmp

memory/1048-13-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/1048-12-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/1048-28-0x0000000002600000-0x0000000002601000-memory.dmp

memory/1048-27-0x0000000002610000-0x0000000002611000-memory.dmp

memory/1048-26-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/1048-25-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/1048-24-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/1048-29-0x0000000002630000-0x0000000002631000-memory.dmp

memory/1048-41-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1048-40-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/1048-39-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/1048-38-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/1048-37-0x00000000027B0000-0x00000000027B1000-memory.dmp

memory/1048-36-0x0000000002780000-0x0000000002781000-memory.dmp

memory/1048-35-0x0000000002790000-0x0000000002791000-memory.dmp

memory/1048-42-0x00000000027F0000-0x00000000027F1000-memory.dmp

memory/1048-48-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1048-87-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/1048-86-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/1048-85-0x0000000002F30000-0x0000000002F31000-memory.dmp

memory/1048-84-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/1048-83-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/1048-82-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/1048-81-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/1048-80-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/1048-79-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/1048-78-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/1048-77-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/1048-76-0x0000000002E80000-0x0000000002E81000-memory.dmp

memory/1048-75-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1048-74-0x0000000002E60000-0x0000000002E61000-memory.dmp

memory/1048-73-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/1048-70-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1048-69-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/1048-68-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/1048-67-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1048-66-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1048-65-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/1048-64-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/1048-63-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/1048-62-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/1048-61-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

memory/1048-60-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/1048-59-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/1048-58-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/1048-57-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/1048-56-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1048-55-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/1048-54-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/1048-53-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1048-52-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/1048-51-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1048-50-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/1048-49-0x0000000002980000-0x0000000002981000-memory.dmp

memory/1048-47-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/1048-46-0x0000000002960000-0x0000000002961000-memory.dmp

memory/1048-45-0x0000000002970000-0x0000000002971000-memory.dmp

memory/1048-44-0x0000000002810000-0x0000000002811000-memory.dmp

memory/1048-43-0x0000000002820000-0x0000000002821000-memory.dmp

memory/1048-34-0x0000000002760000-0x0000000002761000-memory.dmp

memory/1048-33-0x0000000002770000-0x0000000002771000-memory.dmp

memory/1048-32-0x0000000002640000-0x0000000002641000-memory.dmp

memory/1048-31-0x0000000002650000-0x0000000002651000-memory.dmp

memory/1048-30-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1048-23-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/1048-22-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/1048-21-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1048-20-0x0000000002580000-0x0000000002581000-memory.dmp

memory/1048-19-0x0000000002590000-0x0000000002591000-memory.dmp

memory/1048-11-0x0000000002500000-0x0000000002501000-memory.dmp

memory/1048-9-0x00000000024F0000-0x00000000024F3000-memory.dmp

memory/1048-10-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1048-8-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/1048-89-0x0000000002F40000-0x0000000002F41000-memory.dmp

memory/1048-88-0x0000000002F50000-0x0000000002F51000-memory.dmp

C:\Windows\EntSver.exe

MD5 06ead5ba61da4779f2c285c0c4579e68
SHA1 4571178883a3beb7a674a5c6bb12a1740f63fac2
SHA256 3f3979d9bba4340181a9a25f605d9afda4c47394495fefad5b16095b767eb5ec
SHA512 638e72ea0be633a5c8a0e71caf17d3f1ce33341ec71245048f07f4327a085046884b78dc2091768fe7d45c5fba1c0f7d01bab21194e5a98ef554673c0e9ccf41

memory/3256-95-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/1048-93-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/3256-96-0x0000000000E70000-0x0000000000EB3000-memory.dmp

memory/1048-97-0x00000000022D0000-0x0000000002313000-memory.dmp

memory/1048-101-0x00000000022D0000-0x0000000002313000-memory.dmp

memory/1048-100-0x0000000000400000-0x00000000004F5000-memory.dmp

C:\Windows\GUOCYOKl.BAT

MD5 1e58d2fefe538e105345e1ce200cf552
SHA1 bbde7f2f77ceb8dcca70b1a1812960e22787b5f2
SHA256 2d53fc0097a445256bdd29834c56413217adf235fc994f1ad89619b43c0da342
SHA512 35fb8fc538be3d99bc9e13071aa9969cadb9bea0174270a3390f98a48526ef5d8affeccb4cb210e14493d39f39e3319a673168963db72c52b31a2b0cd9d95958

memory/3256-103-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/3256-104-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/3256-106-0x0000000000E70000-0x0000000000EB3000-memory.dmp