Malware Analysis Report

2025-01-03 09:23

Sample ID 240620-rqzcsasbnh
Target 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118
SHA256 4778db65938e7531e308dd893851c71db03dcca57858d14156d4ceaa2c11b39e
Tags
bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

4778db65938e7531e308dd893851c71db03dcca57858d14156d4ceaa2c11b39e

Threat Level: Shows suspicious behavior

The file 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Modifies WinLogon

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:24

Reported

2024-06-20 14:27

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fsmgmt.dll C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat

MD5 f51f5958745b17fdbd1c8868aa693a5e
SHA1 08dbb2be1ebfa9811901440fdec933789c33294c
SHA256 225b48155d382d72fefcf065a13d951c4a9b09e909ee27c7b02a1cca97c15fe3
SHA512 ab2de50155f20b75cb55c327ec27ce0ed37bb10823830c686c90f6279136bc284b6100012c440812b7f79a2b9e467d223b883e2d08e767cdecc17daa0e6b9c5e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:24

Reported

2024-06-20 14:27

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

159s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fsmgmt.dll C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat

MD5 f51f5958745b17fdbd1c8868aa693a5e
SHA1 08dbb2be1ebfa9811901440fdec933789c33294c
SHA256 225b48155d382d72fefcf065a13d951c4a9b09e909ee27c7b02a1cca97c15fe3
SHA512 ab2de50155f20b75cb55c327ec27ce0ed37bb10823830c686c90f6279136bc284b6100012c440812b7f79a2b9e467d223b883e2d08e767cdecc17daa0e6b9c5e