Malware Analysis Report

2025-08-11 07:36

Sample ID: 241015-316qdstcma
Target: 4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118
SHA256: 4fb5d550e999dbd751beea4ad677ded8157fca2a5de8c36534954b78d21f4e00
Tags: bootkit, discovery, persistence
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 6/10

SHA256: 4fb5d550e999dbd751beea4ad677ded8157fca2a5de8c36534954b78d21f4e00

Threat Level: Shows suspicious behavior

The file 4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118 was found to show suspicious behavior. It is an unsigned DLL which, when loaded through rundll32.exe, ends up running inside the 32-bit (SysWOW64) rundll32.exe, opens the raw disk object \??\PhysicalDrive0 for write access, opens the system language registry key, drops C:\Users\Public\Documents\XMUpdate\conf.db and resolves www.wxrobot.cc. The raw-disk open is what carries the bootkit/persistence tags; the remaining signatures are low-confidence on their own.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Writes to the Master Boot Record (MBR)
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15 techniques for the two signatures in this report that carry ATT&CK technique names:

T1542.003  Pre-OS Boot: Bootkit (Writes to the Master Boot Record)
T1614.001  System Location Discovery: System Language Discovery

The WriteProcessMemory, EnumeratesProcesses and Unsigned PE signatures are sandbox heuristics without a technique mapping in this report.

Analysis: static1

Detonation Overview

Reported: 2024-10-15 23:59

Signatures

Unsigned PE: the sample carries no Authenticode signature. No indicator, process or target is recorded for this static signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-15 23:59
Reported: 2024-10-16 00:02
Platform: win7-20241010-en
Max time kernel: 122s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

The indicator is a handle to the raw disk object opened with write access (\??\PhysicalDrive0 is the NT-namespace name of the Win32 device \\.\PhysicalDrive0). Opening the device for write requires administrator rights and is enough to trigger this signature; the report records no write to sector 0, so the MBR modification is inferred from the handle, not observed. On a suspected host, confirm by reading the first 512 bytes of the disk and comparing the boot code against a known-good image.
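The confirmation step described above, as an added example that is not part of the original report or of any sandbox tooling: parse a 512-byte MBR, separate the boot code from the per-machine disk signature and the partition table, and compare the result to a baseline taken from a known-good host. The sample sector, the baseline and the simulated tampering are constructed here for the example; reading \\.\PhysicalDrive0 is the only real-host operation and needs administrator rights on Windows.

```python
"""Added example: parse the first disk sector (MBR) and diff it against a
known-good fingerprint. SAMPLE_MBR and the tampering are constructed for
this example and are not the sample's real boot sector."""
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFF = 440      # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one bootable NTFS-type partition."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(DISK_SIG_OFF, b"\x90")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry0 = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry0 + b"\x00" * 48          # three empty entries
    sector = boot_code + disk_sig + table + b"\x55\xAA"
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and fingerprint boot code and partition table separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        # Hash bytes 0..439 only: the disk signature at 440 differs per machine,
        # so unmodified OS boot code hashes identically across hosts.
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: dict) -> dict:
    """Compare a sector against a baseline produced by parse_mbr() on a known-good host."""
    current = parse_mbr(sector)
    return {
        "boot_code_modified": current["boot_code_sha256"] != baseline["boot_code_sha256"],
        "partition_table_modified": current["partition_table_sha256"] != baseline["partition_table_sha256"],
        "partitions": current["partitions"],
    }


def read_mbr_from_physical_drive0() -> bytes:
    """Windows only, administrator required. \\\\.\\PhysicalDrive0 is the Win32
    name of the \\??\\PhysicalDrive0 object in the sandbox indicator."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR_SIZE)


SAMPLE_MBR = build_sample_mbr()
BASELINE = parse_mbr(SAMPLE_MBR)


def tampered_sample() -> bytes:
    """Simulated bootkit: patch the first bytes of boot code, leave the partition table alone."""
    sector = bytearray(SAMPLE_MBR)
    sector[0:5] = b"\xEA\x00\x7C\x00\x00"   # constructed far-jump placeholder
    return bytes(sector)


if __name__ == "__main__":
    print("clean:   ", check_mbr(SAMPLE_MBR, BASELINE))
    print("tampered:", check_mbr(tampered_sample(), BASELINE))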

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

The NLS\Language key holds the installed system locale. Malware commonly reads it to decide whether to run on a given host, but the same key is read by many legitimate programs, so the key open is only corroborating evidence next to the raw-disk access above.

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\SysWOW64\rundll32.exe (no description, indicator or target recorded)

Suspicious use of WriteProcessMemory

Description: PID 2864 wrote to memory of 2868 (7 identical events)
Process: C:\Windows\system32\rundll32.exe (PID 2864)
Target: C:\Windows\SysWOW64\rundll32.exe (PID 2868)

All seven writes go from the 64-bit rundll32.exe into the 32-bit rundll32.exe that carries the same command line. On 64-bit Windows the 64-bit rundll32 relaunches its SysWOW64 counterpart to load a 32-bit DLL, and parent-to-child WriteProcessMemory during that launch is expected. This signature therefore does not, by itself, show injection into an unrelated process.

Processes

C:\Windows\system32\rundll32.exe (PID 2864)
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1

    C:\Windows\SysWOW64\rundll32.exe (PID 2868, the 32-bit rundll32 loading the same DLL; PIDs from the WriteProcessMemory events)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1

Network

Country  Destination   Domain           Proto
US       8.8.8.8:53    www.wxrobot.cc   udp

A single DNS query for www.wxrobot.cc sent to Google DNS. No follow-on TCP connection to a resolved address is recorded in this run, so either resolution failed or the sample made no further contact within the 127s network window.

Files

C:\Users\Public\Documents\XMUpdate\conf.db

MD5: aa2a17254f7a9a728e8463f2f61f3c98
SHA1: 3df559a6187e3ec9f56154f4596fee89f4d874c6
SHA256: bd790ad3a226d40fa9e40aab3405f8b08d840e19dd16e12348399ca7d6fbd3a1
SHA512: 0c3373a235c42dc7826235e820d1ef7e7ff47cefd978a9241046564abcf345b93dfa664b1fd125c2a5e9869a31939817f7d8842b5f54b859991b92d4d1942526

The same path is written in the Windows 10 run with different hashes, so the content of conf.db varies per run. Hunt on the XMUpdate directory and file path rather than on these hashes.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-15 23:59
Reported: 2024-10-16 00:02
Platform: win10v2004-20241007-en
Max time kernel: 138s
Max time network: 100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

Same indicator as in the Windows 7 run: a write-access handle to the raw disk object, with no write to sector 0 recorded.

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWOW64\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\SysWOW64\rundll32.exe (2 events; no description, indicator or target recorded)

Suspicious use of WriteProcessMemory

Description: PID 3088 wrote to memory of 2920 (3 identical events)
Process: C:\Windows\system32\rundll32.exe (PID 3088)
Target: C:\Windows\SysWOW64\rundll32.exe (PID 2920)

Same parent-to-child pattern as in the Windows 7 run: the 64-bit rundll32.exe writing into the 32-bit rundll32.exe it launched for the same DLL.

Processes

C:\Windows\system32\rundll32.exe (PID 3088)
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1

    C:\Windows\SysWOW64\rundll32.exe (PID 2920, the 32-bit rundll32 loading the same DLL; PIDs from the WriteProcessMemory events)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           g.bing.com                     udp
US       150.171.27.10:443    g.bing.com                     tcp
US       8.8.8.8:53           69.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53           10.27.171.150.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53           200.163.202.172.in-addr.arpa   udp
US       8.8.8.8:53           241.42.69.40.in-addr.arpa      udp
US       8.8.8.8:53           73.209.201.84.in-addr.arpa     udp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53           www.wxrobot.cc                 udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       150.171.28.10:443    tse1.mm.bing.net               tcp (5 connections)

Only the query for www.wxrobot.cc also appears in the Windows 7 run. The in-addr.arpa reverse lookups and the g.bing.com / tse1.mm.bing.net traffic occur only on Windows 10 and are consistent with operating-system background activity rather than with the sample; treat www.wxrobot.cc as the one network indicator to hunt on, and again no TCP connection to its resolved address is recorded.

Files

C:\Users\Public\Documents\XMUpdate\conf.db

MD5: 85635cd7bf60dacfe7f04516bd7aedda
SHA1: ad8c7aaf4d32f1facbdd8f30652242cb01432f7f
SHA256: f0201e7fc0d3c58431afd58174690a6484b53242ed042387dcc72d9541531cfa
SHA512: f5b4665ff4fa38a96725e875b73aef4dd29aba3cbf641cf569c3472d171924ff623e5ec7f8f88f5ff89d4962aa077e058256ea0fdc274ed712fecb17ccc835d6

These hashes differ from the conf.db written in the Windows 7 run, confirming that the file content is not constant across executions.
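The hunting logic implied by both behavioral runs (raw-disk write handle, the www.wxrobot.cc query, the XMUpdate\conf.db drop, and the rundll32-to-rundll32 WoW64 relaunch that should not be alerted on), as an added example that is not part of the original report or of any sandbox product. The event schema, field names, the background-noise filter and the sample events are assumptions made for this example; the PIDs, paths and domain are taken from the Windows 7 run above.

```python
"""Added example: triage constructed endpoint telemetry against the indicators
in this report. Event format and sample events are this example's own
assumptions, not a vendor schema and not the sandbox's output."""
import re

# Indicators from the report. conf.db hashes differ between runs, so the file
# is matched on its path, not on a hash.
IOC_DOMAINS = {"www.wxrobot.cc"}
IOC_PATHS = {r"c:\users\public\documents\xmupdate\conf.db"}
# \??\PhysicalDrive0 (NT namespace, as in the report) or \\.\PhysicalDrive0 (Win32 form)
RAW_DISK = re.compile(r"^(\\\?\?|\\\\\.)\\PhysicalDrive\d+$", re.IGNORECASE)
# Reverse lookups and Bing traffic seen only in the Windows 10 run: OS background noise
BACKGROUND = re.compile(r"(\.in-addr\.arpa|\.bing\.com|\.bing\.net)$", re.IGNORECASE)

SAMPLE_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
              r"\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1")

# Constructed telemetry mirroring the Windows 7 run; cdn.example.net is a made-up
# query added to show how unclassified DNS is surfaced for review.
EVENTS = [
    {"type": "process", "pid": 2864, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe", "cmd": SAMPLE_CMD},
    {"type": "process", "pid": 2868, "ppid": 2864, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": SAMPLE_CMD},
    {"type": "file_open", "pid": 2868, "path": r"\??\PhysicalDrive0", "access": "write"},
    {"type": "dns", "pid": 2868, "query": "www.wxrobot.cc"},
    {"type": "dns", "pid": 4, "query": "8.8.8.8.in-addr.arpa"},
    {"type": "dns", "pid": 1234, "query": "g.bing.com"},
    {"type": "dns", "pid": 2868, "query": "cdn.example.net"},
    {"type": "file_write", "pid": 2868, "path": r"C:\Users\Public\Documents\XMUpdate\conf.db"},
]


def process_index(events):
    """pid -> process-creation event."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid, procs):
    """Image paths from pid upward until an ancestor is missing from the telemetry."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def triage(events):
    procs = process_index(events)
    findings = []

    def add(severity, rule, pid, detail):
        findings.append({"severity": severity, "rule": rule, "pid": pid,
                         "chain": ancestry(pid, procs), "detail": detail})

    for e in events:
        if e["type"] == "file_open" and e["access"] == "write" and RAW_DISK.match(e["path"]):
            add("high", "raw_disk_write_handle", e["pid"], e["path"])
        elif e["type"] == "dns":
            q = e["query"].lower()
            if q in IOC_DOMAINS:
                add("high", "ioc_domain", e["pid"], q)
            elif not BACKGROUND.search(q):
                add("low", "unclassified_dns", e["pid"], q)   # background noise is dropped
        elif e["type"] == "file_write" and e["path"].lower() in IOC_PATHS:
            add("medium", "ioc_path", e["pid"], e["path"])

    # Informational only: 64-bit rundll32 starting the 32-bit rundll32 for the
    # same DLL is the normal WoW64 relaunch, not cross-process injection.
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if (parent and p["image"].lower().endswith(r"\syswow64\rundll32.exe")
                and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and parent["cmd"] == p["cmd"]):
            add("info", "wow64_rundll32_relaunch", p["pid"], p["cmd"])
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["severity"], f["rule"], f["pid"], " <- ".join(f["chain"]), f["detail"])
```

The ancestry chain on each finding is what makes the raw-disk hit actionable: it ties the SysWOW64 rundll32 back to the 64-bit rundll32 that launched it, which is where the command line naming the dropped DLL lives.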