Malware Analysis Report

2025-01-03 09:23

Sample ID 240620-rng1qasapb
Target 06c47cf3df7f100abc63aa80d7425777_JaffaCakes118
SHA256 3eb2fc23eff1be3bbb9cab96a3997e31593b7bd5156a4900f97aaf003d480aea
Tags: bootkit persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

3eb2fc23eff1be3bbb9cab96a3997e31593b7bd5156a4900f97aaf003d480aea

Threat Level: Shows suspicious behavior

The file 06c47cf3df7f100abc63aa80d7425777_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:20

Reported

2024-06-20 14:22

Platform

win7-20240611-en

Max time kernel

123s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\od3mdi.dll | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\delplme.bat | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c delplme.bat

Network

N/A

Files

memory/2208-0-0x0000000000400000-0x0000000000484719-memory.dmp

memory/2208-3-0x0000000000390000-0x00000000003DC000-memory.dmp

\Windows\SysWOW64\od3mdi.dll

MD5 c773ac834e266391eee3572c4b42653e
SHA1 877c3703cebddc93b132deffec253d6bbda8ab67
SHA256 17a821c460aed05adda03dbce52a0709bf06872a08335c3ac313e2be71de1d77
SHA512 491317a7861714c44e1d79633e0ac1473c275bf53e2c56752003aaf64be2b6b1590114eb26e763e62d64c32368fa4fba0dc3801669e8a11bcf2cfbf50eb8f313

C:\Windows\SysWOW64\delplme.bat

MD5 941d6a7a1c9fd4165f4126833d7690a4
SHA1 6bb19f9abd0c5b55eacf6f1bfd7fea9f0cda4fcd
SHA256 c96e2b757f17e0b02aaf18997027922dec881e995d37a12db91e4345978c8e6d
SHA512 4ee98b2dac5dc13cd80e7f7482c94f057562294d1d672ce535cb3eb5afbd900bcd1bcefb41f63b69c58df8905d28680f2818f9ebd136dab50f8b36950fe42174

memory/2208-12-0x0000000000400000-0x0000000000484719-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:20

Reported

2024-06-20 14:22

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\od3mdi.dll | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\delplme.bat | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c delplme.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/2920-0-0x0000000000400000-0x0000000000484719-memory.dmp

C:\Windows\SysWOW64\od3mdi.dll

MD5 c773ac834e266391eee3572c4b42653e
SHA1 877c3703cebddc93b132deffec253d6bbda8ab67
SHA256 17a821c460aed05adda03dbce52a0709bf06872a08335c3ac313e2be71de1d77
SHA512 491317a7861714c44e1d79633e0ac1473c275bf53e2c56752003aaf64be2b6b1590114eb26e763e62d64c32368fa4fba0dc3801669e8a11bcf2cfbf50eb8f313

memory/2920-5-0x0000000002B90000-0x0000000002BDC000-memory.dmp

C:\Windows\SysWOW64\delplme.bat

MD5 941d6a7a1c9fd4165f4126833d7690a4
SHA1 6bb19f9abd0c5b55eacf6f1bfd7fea9f0cda4fcd
SHA256 c96e2b757f17e0b02aaf18997027922dec881e995d37a12db91e4345978c8e6d
SHA512 4ee98b2dac5dc13cd80e7f7482c94f057562294d1d672ce535cb3eb5afbd900bcd1bcefb41f63b69c58df8905d28680f2818f9ebd136dab50f8b36950fe42174

memory/2920-10-0x0000000000400000-0x0000000000484719-memory.dmp