Malware Analysis Report

2025-08-06 01:37

Sample ID 241016-29vh2ssbrq
Target 4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118
SHA256 6480fbf1471d7e15eee5c76993e1c05de0e81c5f522d12ef7efaa3a33df03b62
Tags: bootkit, discovery, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 6480fbf1471d7e15eee5c76993e1c05de0e81c5f522d12ef7efaa3a33df03b62

Verdict: shows suspicious behavior. The file 4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118 was not matched to a malware family; the score rests on the signatures summarised below.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Unexpected DNS network traffic destination: the sample sent queries for w61/w63/w64/w65.ziyoulonglive.com straight to five DNS servers of its own choosing (overlapping sets on Win7 and Win10; 210.144.5.163 appears in both) instead of the resolver the OS used for its own lookups (8.8.8.8), first over UDP and then over TCP to each server. A hard-coded resolver list plus a rotating host label is the strongest network indicator in the report. 66.98.138.24:80 (Win7) and 66.98.139.137:80 (Win10) are the only external non-Microsoft TCP destinations and carry no queried name; whether they are the answers to those lookups is not shown.

Writes to the Master Boot Record (MBR): the sample opened \??\PhysicalDrive0 for modification in both runs. The report records the write-capable open, not the bytes written, so confirming a bootkit (rather than, say, a disk-signature read or write) needs a sector-0 comparison taken before and after detonation.

System Location Discovery: System Language Discovery: the sample opened HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key commonly read to gate execution by locale; the report does not show the value read or any branch taken on it.

Unsigned PE: the executable carries no Authenticode signature (static).

Suspicious use of SetWindowsHookEx: 20 calls from the main process in each run; the hook type and target thread are not recorded.

No child processes, dropped files or registry persistence were observed within the roughly 140 s runs; the only persistence-tagged behavior is the raw disk access.

MITRE ATT&CK

Enterprise Matrix V15. The tagged signatures map to:

Pre-OS Boot: Bootkit (T1542.003), persistence: write-capable open of \??\PhysicalDrive0
System Location Discovery: System Language Discovery (T1614.001), discovery: open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language

The Unsigned PE, SetWindowsHookEx and unexpected-DNS-destination signatures carry no technique mapping in this report.

Analysis: static1

Detonation Overview

Reported: 2024-10-16 23:17

Signatures

Unsigned PE: the executable carries no Authenticode signature. A static signature has no indicator, process or target fields; the report's table row is N/A throughout.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 23:17
Reported: 2024-10-16 23:19
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"

Signatures

Unexpected DNS network traffic destination

Description      Indicator          Count
Destination IP   63.251.129.1       2
Destination IP   207.126.105.146    7
Destination IP   165.254.12.151     2
Destination IP   210.144.5.163      2
Destination IP   64.30.227.206      2

(15 events in total; Process and Target are N/A on every row.)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Target: N/A

Suspicious use of SetWindowsHookEx

20 calls, all from C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe. The report records no hook type (Description and Indicator are N/A) and no target on any row.

Processes

C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"

Network

Country  Destination          Domain                        Proto  Count
US       165.254.12.151:53    w64.ziyoulonglive.com         udp    1
US       63.251.129.1:53      w64.ziyoulonglive.com         udp    1
US       64.30.227.206:53     w64.ziyoulonglive.com         udp    1
US       207.126.105.146:53   w64.ziyoulonglive.com         udp    1
JP       210.144.5.163:53     w64.ziyoulonglive.com         udp    1
US       165.254.12.151:53    -                             tcp    1
US       63.251.129.1:53      -                             tcp    1
US       64.30.227.206:53     -                             tcp    1
US       207.126.105.146:53   -                             tcp    2
JP       210.144.5.163:53     -                             tcp    1
US       207.126.105.146:53   w65.ziyoulonglive.com         tcp    1
US       207.126.105.146:53   w61.ziyoulonglive.com         tcp    1
US       207.126.105.146:53   w63.ziyoulonglive.com         tcp    1
US       207.126.105.146:53   w64.ziyoulonglive.com         tcp    1
N/A      127.0.0.1:8567       -                             tcp    6
N/A      10.127.0.158:80      -                             tcp    15
US       66.98.138.24:80      -                             tcp    3
US       8.8.8.8:53           windowsupdate.microsoft.com   udp    2
US       20.72.235.82:80      windowsupdate.microsoft.com   tcp    2
US       8.8.8.8:53           fe2.update.microsoft.com      udp    1
US       4.154.131.238:80     fe2.update.microsoft.com      tcp    1

Rows are grouped by flow in first-seen order (45 flows in the capture; Count is the number of occurrences); "-" means no queried name was recorded for that flow. The w6x.ziyoulonglive.com lookups went directly to five servers other than the resolver the OS's own lookups used (8.8.8.8), over UDP first and then over TCP to each. 127.0.0.1:8567 and 10.127.0.158:80 are loopback and private (RFC 1918) addresses inside the sandbox; treat them as sandbox infrastructure unless corroborated. 66.98.138.24:80 is the only external destination that is neither DNS nor Microsoft update traffic, and no domain is attached to it.

Files

Memory dumps of PID 580, numbered 580-0 to 580-17 (18 in total):

memory/580-{0,2,4-17}-0x0000000000400000-0x000000000044D000-memory.dmp   16 dumps of the main image (0x4D000 bytes at the default base 0x400000)
memory/580-{1,3}-0x0000000000020000-0x0000000000022000-memory.dmp        2 dumps of an 8 KiB region at 0x20000

No other memory regions and no dropped files were recorded.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 23:17
Reported: 2024-10-16 23:19
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"

Signatures

Unexpected DNS network traffic destination

Description      Indicator          Count
Destination IP   207.188.7.5        2
Destination IP   210.174.204.115    2
Destination IP   210.103.175.1      2
Destination IP   210.144.5.163      2
Destination IP   62.151.20.7        2

(10 events in total; Process and Target are N/A on every row.)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Target: N/A
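The MBR signature in both the Win7 (behavioral1) and Win10 (behavioral2) runs records only that the sample opened \??\PhysicalDrive0 with write access; it does not show what, if anything, was written. The following Python is an added example, not code from the report or from the sample: it parses a 512-byte sector-0 image and diffs it against a baseline, checking the 440-byte bootstrap area, the disk signature, the partition table and the 55AA terminator separately, so a bootkit-style code swap that leaves the partition table intact still shows up. Both sector images are constructed for the demo; on a live host the current image is the first 512 bytes of \\.\PhysicalDrive0 (Windows, elevated) or /dev/sda (Linux, root).

```python
"""Diff two MBR (sector 0) images to confirm or rule out a bootstrap-code
overwrite.

Added example, not code from the report or the sample. The sector images
below are constructed; on a live host read the first 512 bytes of the raw
disk device instead and keep a pre-detonation copy as the baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440        # bytes 0-439: boot code; 440-443 disk signature; 444-445 reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # 0x55 0xAA terminator
PART_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 image into the parts a responder compares separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if type_id != 0:                       # type 0 = empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": type_id, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTSTRAP_LEN)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings that distinguish a bootkit-style code swap (table intact,
    code replaced) from a repartition or a wiped sector. Empty list = no change."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["boot_signature_ok"]:
        findings.append("boot signature 55AA missing: sector 0 is no longer a valid MBR")
    if before["bootstrap_sha256"] != after["bootstrap_sha256"]:
        findings.append("bootstrap code (bytes 0-439) modified")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table modified")
    return findings


def build_sector(bootstrap: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic sector-0 image (constructed test data, not read from a disk)."""
    sec = bytearray(SECTOR_SIZE)
    code = bootstrap[:BOOTSTRAP_LEN]
    sec[:len(code)] = code
    struct.pack_into("<I", sec, BOOTSTRAP_LEN, disk_sig)
    for i, (bootable, type_id, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, type_id, lba_start, sectors)
    sec[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sec)


# Constructed baseline: a placeholder 8-byte code prologue followed by zero
# padding, and one bootable NTFS (type 0x07) partition starting at LBA 2048.
ORIGINAL_BOOTSTRAP = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x00" * 432
BASELINE_SECTOR = build_sector(ORIGINAL_BOOTSTRAP, [(True, 0x07, 2048, 204800)])

# Constructed "after" image: the code is replaced by a different loader while
# the partition table and disk signature are untouched, which is what a
# bootkit that chains to a saved copy of the original MBR leaves behind.
PATCHED_SECTOR = build_sector(bytes([0xEB, 0x3C, 0x90]) + b"\xCC" * 437,
                              [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for finding in compare_mbr(BASELINE_SECTOR, PATCHED_SECTOR) or ["no change"]:
        print(finding)
```

A clean diff on sector 0 does not clear the sample: a write-capable handle to PhysicalDrive0 reaches every sector, so also compare the sectors between the MBR and the first partition (LBA 1 to lba_start - 1), where bootkits commonly stash their saved original MBR and loader stages, and the VBR at lba_start.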

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Target: N/A

Suspicious use of SetWindowsHookEx

20 calls, all from C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe. The report records no hook type (Description and Indicator are N/A) and no target on any row.

Processes

C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"

Network

Country  Destination           Domain                          Proto  Count
US       8.8.8.8:53            104.219.191.52.in-addr.arpa     udp    1
ES       62.151.20.7:53        w65.ziyoulonglive.com           udp    1
JP       210.144.5.163:53      w65.ziyoulonglive.com           udp    1
JP       210.174.204.115:53    w65.ziyoulonglive.com           udp    1
US       207.188.7.5:53        w65.ziyoulonglive.com           udp    1
KR       210.103.175.1:53      w65.ziyoulonglive.com           udp    1
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp    1
US       8.8.8.8:53            7.20.151.62.in-addr.arpa        udp    1
US       8.8.8.8:53            163.5.144.210.in-addr.arpa      udp    1
US       8.8.8.8:53            115.204.174.210.in-addr.arpa    udp    1
US       8.8.8.8:53            5.7.188.207.in-addr.arpa        udp    1
US       8.8.8.8:53            1.175.103.210.in-addr.arpa      udp    1
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp    1
US       8.8.8.8:53            88.156.103.20.in-addr.arpa      udp    1
US       8.8.8.8:53            217.106.137.52.in-addr.arpa     udp    1
ES       62.151.20.7:53        -                               tcp    1
JP       210.144.5.163:53      -                               tcp    1
JP       210.174.204.115:53    -                               tcp    1
US       207.188.7.5:53        -                               tcp    1
KR       210.103.175.1:53      -                               tcp    1
N/A      127.0.0.1:8567        -                               tcp    6
N/A      10.127.0.113:80       -                               tcp    15
US       8.8.8.8:53            212.20.149.52.in-addr.arpa      udp    1
US       8.8.8.8:53            15.164.165.52.in-addr.arpa      udp    1
US       66.98.139.137:80      -                               tcp    3
US       8.8.8.8:53            0.205.248.87.in-addr.arpa       udp    1
US       8.8.8.8:53            55.36.223.20.in-addr.arpa       udp    1
US       8.8.8.8:53            windowsupdate.microsoft.com     udp    2
US       20.72.235.82:80       windowsupdate.microsoft.com     tcp    2
US       8.8.8.8:53            82.235.72.20.in-addr.arpa       udp    1
US       8.8.8.8:53            21.236.111.52.in-addr.arpa      udp    1
US       8.8.8.8:53            tse1.mm.bing.net                udp    1
US       150.171.27.10:443     tse1.mm.bing.net                tcp    5
US       8.8.8.8:53            fe2.update.microsoft.com        udp    1
US       4.154.131.238:80      fe2.update.microsoft.com        tcp    1
US       8.8.8.8:53            238.131.154.4.in-addr.arpa      udp    1

Rows are grouped by flow in first-seen order (63 flows in the capture; Count is the number of occurrences); "-" means no queried name was recorded for that flow. As on Win7, the w65.ziyoulonglive.com lookups went directly to five servers other than the system resolver (8.8.8.8), over UDP and then over TCP to each. The in-addr.arpa names are reverse (PTR) lookups sent through 8.8.8.8; five of them reverse exactly the rogue resolver addresses (7.20.151.62 = 62.151.20.7, 163.5.144.210 = 210.144.5.163, 115.204.174.210 = 210.174.204.115, 5.7.188.207 = 207.188.7.5, 1.175.103.210 = 210.103.175.1) and 82.235.72.20 reverses the windowsupdate address 20.72.235.82; the report does not show whether the sample or the sandbox issued them. 127.0.0.1:8567 and 10.127.0.113:80 are loopback and private (RFC 1918) sandbox-internal addresses. 66.98.139.137:80 is the only external destination that is neither DNS nor Microsoft traffic (windowsupdate, fe2.update, tse1.mm.bing.net) and has no domain attached.
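The "Unexpected DNS network traffic destination" signature in both runs lists the rogue resolver addresses but not what was asked of them; that has to be read off the Network tables of behavioral1 and behavioral2. The following Python is an added example, not part of the sandbox report: it parses rows in the report's own flattened "Country Destination Domain Proto" layout, separates DNS flows that bypassed the system resolver from those that used it, and collapses the queried names so a rotating host label (w61, w63, w64, w65 over one base domain) reads as a single indicator. The sample rows are a constructed subset copied from the two tables above, and EXPECTED_RESOLVERS = {8.8.8.8} is an assumption drawn from the windowsupdate and in-addr.arpa lookups, not a value the report states.

```python
"""Triage the flattened Network table of a sandbox report: find DNS traffic
that bypasses the sandbox's configured resolver and list what it queried.

Added example, not part of the report. SAMPLE_ROWS is a constructed subset
of the report's behavioral1/behavioral2 rows; EXPECTED_RESOLVERS is an
assumption about the sandbox network."""
import re
from collections import defaultdict

# Constructed input in the report's own "Country Destination Domain Proto"
# layout; the Domain column is empty for some rows, as in the report.
SAMPLE_ROWS = """\
US 165.254.12.151:53 w64.ziyoulonglive.com udp
US 63.251.129.1:53 w64.ziyoulonglive.com udp
JP 210.144.5.163:53 w64.ziyoulonglive.com udp
US 165.254.12.151:53 tcp
JP 210.144.5.163:53 tcp
US 207.126.105.146:53 w65.ziyoulonglive.com tcp
US 207.126.105.146:53 w61.ziyoulonglive.com tcp
US 207.126.105.146:53 w63.ziyoulonglive.com tcp
N/A 127.0.0.1:8567 tcp
N/A 10.127.0.158:80 tcp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.72.235.82:80 windowsupdate.microsoft.com tcp
ES 62.151.20.7:53 w65.ziyoulonglive.com udp
KR 210.103.175.1:53 w65.ziyoulonglive.com udp
US 8.8.8.8:53 7.20.151.62.in-addr.arpa udp
"""

EXPECTED_RESOLVERS = {"8.8.8.8"}   # assumption: the resolver the OS itself uses

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>udp|tcp)$"
)


def parse_rows(text):
    """Parse the flattened table into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            flows.append(row)
    return flows


def unexpected_dns(flows, expected=EXPECTED_RESOLVERS):
    """Map each non-expected DNS server (port 53) to the country, protocols
    and names seen going to it. TCP flows with no name are kept because the
    report shows every rogue resolver contacted over UDP and then TCP."""
    out = defaultdict(lambda: {"cc": None, "domains": set(), "protos": set()})
    for f in flows:
        if f["port"] != 53 or f["ip"] in expected:
            continue
        entry = out[f["ip"]]
        entry["cc"] = f["cc"]
        entry["protos"].add(f["proto"])
        if f["domain"]:
            entry["domains"].add(f["domain"])
    return dict(out)


def queried_labels(report):
    """Collapse queried names into {base_domain: sorted first labels} so a
    rotating prefix such as w61..w65 stands out as one indicator."""
    groups = defaultdict(set)
    for entry in report.values():
        for name in entry["domains"]:
            head, _, base = name.partition(".")
            groups[base].add(head)
    return {base: sorted(heads) for base, heads in groups.items()}


if __name__ == "__main__":
    report = unexpected_dns(parse_rows(SAMPLE_ROWS))
    for ip, e in sorted(report.items()):
        protos = ",".join(sorted(e["protos"]))
        print(f"{ip:16} {e['cc']:3} {protos:8} {sorted(e['domains'])}")
    print(queried_labels(report))
```

The same split works on any resolver log or PCAP summary once it is reduced to (destination, port, qname, proto) tuples; the detection logic is "DNS to a server that is not ours", which a host firewall or egress rule can enforce directly once the expected resolver set is known.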

Files

Memory dumps of PID 560, numbered 560-0 to 560-17 (18 in total):

memory/560-{0,2,4-17}-0x0000000000400000-0x000000000044D000-memory.dmp   16 dumps of the main image (0x4D000 bytes at the default base 0x400000, as on Win7)
memory/560-{1,3}-0x00000000001C0000-0x00000000001C2000-memory.dmp        2 dumps of an 8 KiB region at 0x1C0000

No other memory regions and no dropped files were recorded.