Malware Analysis Report

2025-08-10 14:16

Sample ID 241016-bdke4avbrb
Target 4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118
SHA256 4b0dff2b9e815c7a4ffacfaac103564af2e8b38235823b08344c56033b6d4dff
Tags
bootkit discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4b0dff2b9e815c7a4ffacfaac103564af2e8b38235823b08344c56033b6d4dff

Threat Level: Likely malicious

The file 4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 01:01

Reported

2024-10-16 01:04

Platform

win7-20240903-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\WEeeKuJS.dll C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetMeeting Service\Parameters\ServiceDLL = "%SystemRoot%\\system32\\drivers\\etc\\WEeeKuJS.dll" C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ZzDQCEd23g.ini C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ZzDQCEd23g.del C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 yzyd0000.3322.org udp

Files

memory/2544-3-0x0000000000400000-0x000000000040F000-memory.dmp

\Windows\System32\drivers\etc\WEeeKuJS.dll

MD5 75d7e09e71b34b987f6065b1fd754d87
SHA1 dbebf7c4fcc1885a8e5ac834d9672548b7a425cc
SHA256 3a6747d29e1c3f84ab43829c8bb8eda6d4536cb9aaec196539fbe70adfbb1899
SHA512 6c1b29d3770c54c5c32253266bc81628410b755ea19625180eb7d74e5f1ee3cec8f3f3c1ca1f6f56eb84984aabc66a65e290a103c9d38a91b46acdfee09ab3d2

memory/2376-6-0x00000000001E0000-0x0000000000206000-memory.dmp

C:\Windows\SysWOW64\ZzDQCEd23g.del

MD5 aa92b8689b0e6e1f412343a07c73af77
SHA1 9e7d7bab97770fcf39ba578374de06a643f53cb6
SHA256 dbafdb381f191f4816017a0df33064e25809f6cd6397c1116db88ca4e4fb31aa
SHA512 1803759ed05f945e5ff1e8f96028d640cf5fdbe4a79cc81cccba28e7f4c235c572df2c82e6e7b47d97ab960376e0820ff121c2aa8cdff15b50127fe33159ed4d

memory/2544-8-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2376-9-0x00000000001E0000-0x0000000000206000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 01:01

Reported

2024-10-16 01:04

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 220

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A