Malware Analysis Report

2025-01-03 09:23

Sample ID: 240620-rzygvaseqg
Target:    06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118
SHA256:    7163289819944f0a3a47a1f9b9b01830929402d89dcf64bb442ca5f769f90904
Tags:      bootkit, persistence
Score:     7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  7/10
SHA256: 7163289819944f0a3a47a1f9b9b01830929402d89dcf64bb442ca5f769f90904

Threat Level: Shows suspicious behavior

The file 06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: bootkit, persistence

  Loads dropped DLL
  Deletes itself
  Executes dropped EXE
  Writes to the Master Boot Record (MBR)
  Drops file in System32 directory
  Drops file in Windows directory
  Unsigned PE
  Suspicious behavior: LoadsDriver
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-20 14:38

Signatures

Unsigned PE
  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-20 14:38
Reported:         2024-06-20 14:41
Platform:         win7-20240508-en
Max time kernel:  140s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe"

Signatures

Deletes itself
  Description: N/A
  Indicator:   N/A
  Process:     C:\Windows\SysWOW64\cmd.exe
  Target:      N/A

Executes dropped EXE
  Description: N/A
  Indicator:   N/A
  Process:     C:\Windows\avp.exe
  Target:      N/A

Loads dropped DLL
  Description: N/A
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Writes to the Master Boot Record (MBR)
  Tags:        bootkit, persistence
  Description: File opened for modification
  Indicator:   \??\PhysicalDrive0
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Drops file in System32 directory
  Description: File created
  Indicator:   C:\Windows\SysWOW64\od3mdi.dll
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

  Description: File created
  Indicator:   C:\Windows\SysWOW64\delplme.bat
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Drops file in Windows directory
  Description: File created
  Indicator:   C:\Windows\avp.exe
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Suspicious behavior: LoadsDriver
  Description: N/A
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Suspicious use of AdjustPrivilegeToken
  Description: Token: SeLoadDriverPrivilege
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe"

C:\Windows\avp.exe
  Command line: C:\Windows\avp.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c delplme.bat

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x0000000000457200-memory.dmp
memory/2172-5-0x0000000000240000-0x000000000028A000-memory.dmp
memory/2172-3-0x0000000000240000-0x000000000028A000-memory.dmp

\Windows\SysWOW64\od3mdi.dll
  MD5    29dba25d4a03a0b6abdd6a4f8c94a844
  SHA1   307d068001e969ae8cd787e8ff9f0767fde069a1
  SHA256 c4cae2a11d718bcbe8479b34cdd02d6d2176498e41816eccf7b4f2c118995626
  SHA512 95bf7fdf589aead88f67bf64d1720c6b4f4e7492030599461492d22e3c3ef7a9e6f9d922d784f3c6742f6809e46c82deab4053281f0374d741d54b10613ab363

C:\Windows\avp.exe
  MD5    addfcb0cdc0704d0fb25cebf65e405d2
  SHA1   df1ef696de60ddc00a81a060e55845e786870787
  SHA256 7340510710f095f05b02fbb5253e023d6a138da6efd6d3cf016f19c278440d44
  SHA512 13928acc4df43e1ca18106acc16e32a06bfc51e4ca67f9da656432ead266636e3aaac98e4778d8d9d5af9aedca50b43f9b8e6fe20022e023d64b0860b66aae54

C:\Windows\SysWOW64\delplme.bat
  MD5    81137e5627f3567f59574d405ad06cbd
  SHA1   65cabcff1f0c4c64f86680ff274e77558f2dd4ff
  SHA256 608cf5914a47d0207d1c23b9aca3705d25ba8fea5c8079b73ed6fd9d5ce55a70
  SHA512 cd4581a2a347300f11b98add4f47514d8ce9d13472af7ecbc6de817f08ecec51a2b7473231c34b49367354a77e1b71ad08d1921bffddd38cfd600348b071d6ca


Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-20 14:38
Reported:         2024-06-20 14:41
Platform:         win10v2004-20240508-en
Max time kernel:  141s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe"

Signatures

Executes dropped EXE
  Description: N/A
  Indicator:   N/A
  Process:     C:\Windows\avp.exe
  Target:      N/A

Writes to the Master Boot Record (MBR)
  Tags:        bootkit, persistence
  Description: File opened for modification
  Indicator:   \??\PhysicalDrive0
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Drops file in System32 directory
  Description: File created
  Indicator:   C:\Windows\SysWOW64\od3mdi.dll
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

  Description: File created
  Indicator:   C:\Windows\SysWOW64\delplme.bat
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Drops file in Windows directory
  Description: File created
  Indicator:   C:\Windows\avp.exe
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Suspicious behavior: LoadsDriver
  Description: N/A
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Suspicious use of AdjustPrivilegeToken
  Description: Token: SeLoadDriverPrivilege
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06e6778a2567421ebfbfe0e74510bab8_JaffaCakes118.exe"

C:\Windows\avp.exe
  Command line: C:\Windows\avp.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c delplme.bat

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp

Files

memory/1356-0-0x0000000000400000-0x0000000000457200-memory.dmp

C:\Windows\SysWOW64\od3mdi.dll
  MD5    29dba25d4a03a0b6abdd6a4f8c94a844
  SHA1   307d068001e969ae8cd787e8ff9f0767fde069a1
  SHA256 c4cae2a11d718bcbe8479b34cdd02d6d2176498e41816eccf7b4f2c118995626
  SHA512 95bf7fdf589aead88f67bf64d1720c6b4f4e7492030599461492d22e3c3ef7a9e6f9d922d784f3c6742f6809e46c82deab4053281f0374d741d54b10613ab363

memory/1356-5-0x00000000005D0000-0x000000000061A000-memory.dmp
memory/1356-7-0x00000000005D0000-0x000000000061A000-memory.dmp
memory/1356-8-0x00000000005D0000-0x000000000061A000-memory.dmp

C:\Windows\avp.exe
  MD5    addfcb0cdc0704d0fb25cebf65e405d2
  SHA1   df1ef696de60ddc00a81a060e55845e786870787
  SHA256 7340510710f095f05b02fbb5253e023d6a138da6efd6d3cf016f19c278440d44
  SHA512 13928acc4df43e1ca18106acc16e32a06bfc51e4ca67f9da656432ead266636e3aaac98e4778d8d9d5af9aedca50b43f9b8e6fe20022e023d64b0860b66aae54

memory/1356-16-0x00000000005D0000-0x00000000005D7000-memory.dmp
memory/1356-15-0x0000000000400000-0x0000000000457200-memory.dmp

C:\Windows\SysWOW64\delplme.bat
  MD5    81137e5627f3567f59574d405ad06cbd
  SHA1   65cabcff1f0c4c64f86680ff274e77558f2dd4ff
  SHA256 608cf5914a47d0207d1c23b9aca3705d25ba8fea5c8079b73ed6fd9d5ce55a70
  SHA512 cd4581a2a347300f11b98add4f47514d8ce9d13472af7ecbc6de817f08ecec51a2b7473231c34b49367354a77e1b71ad08d1921bffddd38cfd600348b071d6ca
