Malware Analysis Report

2025-01-22 12:45

Sample ID: 240623-bfxs7sxcjk
Target: 04af84a30f644482205085fc99d2168c_JaffaCakes118
SHA256: 2951824bbbdbee11738877cb83e02c705af9aaa03d8c63aaa68fb63984475bfe
Tags: aspackv2 bootkit persistence
Score: 7/10


Analysis Overview

Score: 7/10
SHA256: 2951824bbbdbee11738877cb83e02c705af9aaa03d8c63aaa68fb63984475bfe
Threat Level: Shows suspicious behavior

The file 04af84a30f644482205085fc99d2168c_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 bootkit persistence

ASPack v2.12-2.42

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: LoadsDriver

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-23 01:05

Signatures

ASPack v2.12-2.42

Tags: aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-23 01:05
Reported: 2024-06-23 01:08
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ecbjroi.sys | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C0413F01-30FC-11EF-AD30-660F20EB2E2E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not captured] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025ee81cdf8fd56428f4af2b95ee47d0e000000000200000000001066000000010000200000006f6133dad1e04dd648a47a2dc160c68d630df976621a365cb5fd3572d5b553b7000000000e8000000002000020000000d0ad397746bd97cf9e65c5a32325f0aedcb07fa3addee4d192b277a20df8098b2000000016c89c78384bc20b347c712bb881d6d2349f1329d61d296a9f5254cd3c7e9a5640000000899b6f06667befd1917705303ff382dc7037774b6619bd6e5dc3f7c759f22ca86dac9cc28bafe31d1853e49b52fee99ff2f3bd5c03fbfd547309a440892e1088 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fe6a9709c5da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425266626" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2088 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2088 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2088 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2088 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | C:\Windows\SysWOW64\explorer.exe
PID 2656 wrote to memory of 2428 | N/A | C:\Windows\explorer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2428 | N/A | C:\Windows\explorer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2656 wrote to memory of 2428 | N/A | C:\Windows\explorer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2428 wrote to memory of 2460 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2428 wrote to memory of 2460 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2428 wrote to memory of 2460 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2428 wrote to memory of 2460 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" http://www.51cfwg.com

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.51cfwg.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnfpg.net | udp
US | 8.8.8.8:53 | www.51cfwg.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2088-0-0x0000000000400000-0x00000000005E9000-memory.dmp

memory/2088-13-0x0000000000400000-0x00000000005E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5D7D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar5E6F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cb32b18e382d3203814780bd5974041
SHA1 859c9a19705e1e2398ff327f2ef4ab050d28ff8e
SHA256 6464c415a7668b27ee14b492d871606584850d2a6d2849a9f26a8d7926742128
SHA512 3e5e2328870e534baaa8c14c5c1c48ad9d369fa4acb858ca5527ad5ea9141580f0e3bdd9622ac425c100a77b18dca594bd545a10d334acda102956dc95cea1d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61d1aff3d7da60f22449a9eed90c175b
SHA1 f2bd84b27f4e20f73fc86db8a6fd00931fac89fc
SHA256 7b7c3a237d9675884e173a4c3ca1f40d6c776f256a4744e51c731890d65105b7
SHA512 2ea8da3248e219cc50424487ecbdf4582d381af177ae1057f3b4a352a4da6176df431c9048422c8d3b033e41e8eed2ebf00779b77ad4bdf40b5b578b7a4b2a65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a79ed5cd9531afc28b1674f558f02fd
SHA1 3c6aff7d7e8009ae1d598488a34cc48cac7f4654
SHA256 96599ced96aee1558878946550942e00c81f99868207e11b23b42c3a5f488201
SHA512 384f92de09bd97238fde5bd93a072d9043463ee27fda1a07bcd066bddb75a1f5f32dac286267163e65b5d13a9b0e90f4b5d369a992b1d9a6edbfe0b32ffd3e9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3737bc2af38f407b193a9777f486d68b
SHA1 036a00f0fc4135de13b2585ef2f691116cd7ae6e
SHA256 60f69bbdde854392a9a18f08911b90a96233f1bacd18b7c75bf51820ad71b39b
SHA512 a8f1e35b7ea224e37c4d53888bb45b30d83124fd0c9f5a08e3ad5b02da0655ea076f217e24a70355036b3ecacd05ca66403dc3e71c1dfd88a1c4159b8c5e2473

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47f4e1c02d9d4957a134e11af22110ef
SHA1 f5cd069a81a15c06cdb5d1873c83eb1de074d7d1
SHA256 3d27c8aa90072fb00e520b9990aef8c6a3016474f3338aa43f7847a18267b6a0
SHA512 71c60ca45155e8753dcf68a489730beab20f90d20d784144fe339402c61ed9ef5e1da7a612a2266cec3212baaed9d5ee8c2fa141069a44740e7388880dfb688f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ab135cc4b657cb5cfd3605ec468d332
SHA1 4bde92b621e02aafc0e9dba48d21751eac582f59
SHA256 6dc00acc56bb4216249b8b5eb1138947c7051a946338dfb740be14c3e0c26661
SHA512 1f3f93f6919c6893b3176871ebd1386bdcddef85efa288d637d9f4f0488d279d4a477cba9384f55877b2b9f6505cf9865901ea683626f3e2e12616b3d2e729c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8f4e0e22c91df6eaaa568ccb66d3832
SHA1 685b2d87799227d2eb124cbdf2403bd0e49d674a
SHA256 f5a693b2345c259c40567d124a0a7624f1efa5691ab0dc3595247788388a1739
SHA512 c9dae476b5e7825fbd1c3d2913bcdb9d0677fdebfb63f14696a3318b071b202f825e5466da3aa2d5cf4ed0a172d6b8fa1192ddf682e947acc4d56d768b3eb4a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 957b30b61bd8f31d5d4dc063ec50199b
SHA1 16005447cf45ad6bb74497221062b02c8a776d51
SHA256 d34a0298361c7583ec449e40e0b063f1787d726cddc5231cb39fc887ca214dde
SHA512 d19c9d9afa58fc16d099f03d4dfc022ee00b22e30947310fd6954cdfb9e394e10ef9545957e2036ac08cb7fb047f7b86c7eb4dad2ca9171924dc026834b48ba4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7742cfefcbcd5dfa68aeeb5ecb9af60
SHA1 dde232e1074699077fd48389c599dbe365c8d542
SHA256 f8692a9c5453dc5fb4303b502fc88e28fde054594419149bd95bdba057ea3c6c
SHA512 90905d603abe323017b833a46f35363fa5727b27375327efce5722a56860ac382a625fff8c49f34836b3a54b3c3cf3cb4708bf3ff9d6789870a5abbedae25127

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ca73a8f124daa2c904a22b9188d6354
SHA1 25cffc690d439981d98384cf6ba2f23ea1795c8c
SHA256 76a7f267009a45e3b8619d9e9215a08f4ea7eda9b61c8b56057c7597d8f044e4
SHA512 1b72c42b0b5442705f3a9ddeee1c16bd4a1b45d9641d2eb8eaeed8b0da5e1851f3c547a1bce693f965d94fefa18ef49da42419a3f117f0217dc846237993dd23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e24cc8acbb753ed81292df8d1322a32
SHA1 334b3ab4407354edb0788f2dc086eda0f8bce08e
SHA256 4aa3adc663f25fd1d8a5aa598205fa2c50064988b86227504fefdae9fb93e943
SHA512 97504dfa1503785d7a848d9beb9b459722be03861946b47e56141e92cb57f513305eb5bff01afc6f658d4f8fc6fefb31e46031c240fbca85bb6f5a0ac85492e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec6d18a68c9b64f19f334d59e6407cef
SHA1 cd627725765b6555aebee436c69cb4979a444b49
SHA256 a0bea140653fb4cec8e66c05d65accebd65ccb39e017917f3c370ec97e40c6d8
SHA512 3a1abf7d664e149ffc9d021f7b585f1eafd09ff434f119c7a00eb52cfcce3809a74ef83f6041754867f06b8e68da2b88e5706222c2cd2e049b8151674ff50a56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f33888cd3297cb2801d69ea7d8c26b0a
SHA1 3f38a9e400a40566f2d77e373a39076ee9495e29
SHA256 afc5b5218510cf0425fe19eb4eced210f10dfabdc09c1646e7fd3f5a118922d6
SHA512 8fae482bac0b2ebf0db54a7ec9d78fa6250ee676f4db817fd474c2732fc863d938fe5f6254e3aeb99557d0f078b48b400c9657089d4701835fd798f991b128ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b807e53fc114574a7198f5096a06f8f
SHA1 57c899b74683ce4a0baf059e1cf8247f751a090f
SHA256 19603670b37189e9bdf7b8f89770c28b96192190f78d2224f4b92a7940819e36
SHA512 ac26f42f79f66ff2087ac99b5a828bb408b2b8840c98e7e933bd8b6d96c7c2623578f91d5eaae0f441850371b937a392a242e74fbca6ae2852895975b5a271c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec48a0d61355ae247339ee7ac1882921
SHA1 74717b24434b329d989983513f0d37765f3cc235
SHA256 13f8cf96a7186a701854be0a64623dc7fad51d33143581d52caea6fe4d564536
SHA512 92160099e92725855ecc8122165639c24422e7c3a8793ae5ac0f3545ab4ae3d44c12c06454bcd9a0c2c37918d4f886ac38222d9b4d2937439489831aad2d6bed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0dae174c74a905ee18d28584ec5d22e
SHA1 42a3179855b530e6ffdc8b1fb289a53be0df692d
SHA256 72d3a292363a549a247135e7f581bc30985011092350f8fc5b08ac046ddc6653
SHA512 c8fdd9862bdf686c1b2354c7c3ce38599f3f40790f549e3fff461e0a2fa6c9e634431053217ae70c11c595c41db66388526da04d2ae30ad06fcb93a1b118314d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1f90f95f21a4d29829aaaccf683223e
SHA1 4acab7a1e0c70461bbfadeb99c3290f525b3f2ae
SHA256 5c6bb3edb98eaa9e0467faec4c816743a725d75c28e25e1d000bc9281fe899ab
SHA512 5bf79727333c5d008b05bb6b222cd6d9fa25d939f0a9e000ca5d7f24bc906e28e05e2d362f767baaf976a6e57911acdb35201127f509218d496467cde47db5ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7528ca679368a5c9229df98941f1b20
SHA1 7f7a40c3efe8a2e12d73316f5d1dbbe0f91d65ab
SHA256 f32842550e7017fd8dbcfbdaff43fe2ccb7e68fb2a7bb3f7c9ac7cabc367c80a
SHA512 870fc53806dfa22e8d2f28f558fccb652af174f7a0fd76a867a08825e61d7362d2331c3071c9bdd7c7146d87a366df2afb153f3c8ada2313edcea3fbe45164b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31b97e4b31aa9e9b214c5edf276795d1
SHA1 16991d1a6d0e13e068ba28a9057d7cb873a79b2a
SHA256 1b0dfbb8c5355f017b13fa56a28b2f3260e3aaca28cf7218ff8e717df4007ce6
SHA512 9a6b2b685a41e14bb102ee7c8955ba59af52adeffa667a9d608d42467fab192f9f57110e9731c53a9d43c0f562ef36d5303acd2197f87fd8e04df0bfff90618e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-23 01:05
Reported: 2024-06-23 01:08
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ecMAGrn.sys | C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04af84a30f644482205085fc99d2168c_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnfpg.net | udp
US | 8.8.8.8:53 | www.51cfwg.com | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp

Files

memory/2552-0-0x0000000000400000-0x00000000005E9000-memory.dmp

memory/2552-14-0x0000000000400000-0x00000000005E9000-memory.dmp