Malware Analysis Report

2025-08-10 14:16

Sample ID 241016-c5l9faycqc
Target 4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118
SHA256 829e8c5cb3aa8455f983872bb992e2e92966b940745e597c10742258c10b4173
Tags
bootkit discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

829e8c5cb3aa8455f983872bb992e2e92966b940745e597c10742258c10b4173

Threat Level: Shows suspicious behavior

The file 4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks installed software on the system

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 02:39

Signatures

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 02:39

Reported

2024-10-16 02:42

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\ProgramData\37wan\wy\wy.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\ProgramData\37wan\wy\wy.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe
PID 1936 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"

C:\ProgramData\37wan\wy\wy.exe

"C:\ProgramData\37wan\wy\wy.exe" /autorun /setuprun

C:\ProgramData\37wan\wy\wy.exe

"C:\ProgramData\37wan\wy\wy.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 iframe.ip138.com udp
CN 110.81.155.138:80 iframe.ip138.com tcp
US 8.8.8.8:53 wy.37wan.com udp
CN 42.194.172.182:80 wy.37wan.com tcp
CN 59.57.14.11:80 iframe.ip138.com tcp
CN 110.81.155.137:80 iframe.ip138.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp

Files

\ProgramData\37wan\wy\wy.exe

MD5 b18c3fbda7f860cacd7009ca0b0a50c2
SHA1 2a5ee5d73b29dc2e072b25192acdf18931acc1c8
SHA256 5850211530459f873ca0310c2221e113580ddc51bc2a211fd5d62d3c1f9834eb
SHA512 c9bb7421c001d45f2362199b2ec6f6cd7f0a59a62ecbcd870212f32f2e2f9e21b95ccaef5ef085737bf94229f404c3e72146bfa49de69a2714593158658ef667

\ProgramData\37wan\wy\uninst.exe

MD5 c1c0b7d9d1c3774db756dbf800fa7e96
SHA1 4ca05b1e96bf3045c6361fa743f4ec0ccc6f625c
SHA256 02308440ae87d5560305623ff4e4e9296cc36e565bc3d4a209d51952bfb3b3b5
SHA512 70d8b1ac41f59d5a829b5f54c6b7e01036026915e3beaf7bcecbde95e54974ad4f1e1bc8497db3d55e20d87436b98b1e25c6dc03a8c8e786e30e6845d277dfde

C:\ProgramData\37wan\wy\lander.ini

MD5 fe609059a9a3871184f86b1825599c19
SHA1 16e1a7b1381c9bd3aa78aa416db8d1429706e53c
SHA256 517ae79c2ad9cdb10c82186be1166bde73d5872b9cb25e1eff21a677c64d8d5f
SHA512 11a76fde21c90f110ecf22adb9243c2dd796cd6f789a2efd8bec2d7993d47b7f53474e25b19451cdf556c4e9436d0c299582d8e08ea78433c0ffc05a9f2d01d6

C:\ProgramData\37wan\wy\lander.ini

MD5 d218c8f7335bbae0c2bf07b9b4f784f0
SHA1 5b7b513ca3e81c167ccdfcac615295056cfa2dee
SHA256 3b0eabe6f8e72e8490ef064587dc81217401c6a2b01ed511bbe77603447d722c
SHA512 99fda78be5f94ef8616ba126557f17609a731768cde7ca53df5740a7ad56841baf587b29649f5265836bf992671cd02a31ff99b8e86ec2c6d75a374e3d2e9d0b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 02:39

Reported

2024-10-16 02:42

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\ProgramData\37wan\wy\wy.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A
N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"

C:\ProgramData\37wan\wy\wy.exe

"C:\ProgramData\37wan\wy\wy.exe" /autorun /setuprun

C:\ProgramData\37wan\wy\wy.exe

"C:\ProgramData\37wan\wy\wy.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 iframe.ip138.com udp
CN 110.81.155.137:80 iframe.ip138.com tcp
US 8.8.8.8:53 wy.37wan.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 42.194.172.182:80 wy.37wan.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CN 110.81.155.138:80 iframe.ip138.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
CN 59.57.14.11:80 iframe.ip138.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\ProgramData\37wan\wy\wy.exe

MD5 b18c3fbda7f860cacd7009ca0b0a50c2
SHA1 2a5ee5d73b29dc2e072b25192acdf18931acc1c8
SHA256 5850211530459f873ca0310c2221e113580ddc51bc2a211fd5d62d3c1f9834eb
SHA512 c9bb7421c001d45f2362199b2ec6f6cd7f0a59a62ecbcd870212f32f2e2f9e21b95ccaef5ef085737bf94229f404c3e72146bfa49de69a2714593158658ef667

C:\ProgramData\37wan\wy\lander.ini

MD5 fe609059a9a3871184f86b1825599c19
SHA1 16e1a7b1381c9bd3aa78aa416db8d1429706e53c
SHA256 517ae79c2ad9cdb10c82186be1166bde73d5872b9cb25e1eff21a677c64d8d5f
SHA512 11a76fde21c90f110ecf22adb9243c2dd796cd6f789a2efd8bec2d7993d47b7f53474e25b19451cdf556c4e9436d0c299582d8e08ea78433c0ffc05a9f2d01d6

C:\ProgramData\37wan\wy\Lander.ini

MD5 b5fca1e229e9c2dc0925cc02a0aa21dd
SHA1 d1f503e783aaddcb9838a3a073436d1e66e547ff
SHA256 99c7d43f49d7439bb4ce604dfafbe5af180cb970fb9462e08b1b01faaea7c98e
SHA512 d3133baa027bf2fbb48e74e80c19c7d5cb45c34a030286b3f320e141d3596d4ebad9e762614759d240fd9262be9a05520b0fc7195cc6e0254db1aa1fb1dd5f78

C:\ProgramData\37wan\wy\lander.ini

MD5 95e5562252aa4837dcaf35879f8aaa3b
SHA1 0b5be2ec702acf16a340459a50fbd9b2e3f71ef8
SHA256 1d66d299c0fc7d316942acb43a9226bfba4dc36bdb71d24ee626e2f3e6142d28
SHA512 1b5774389df95e346b5ebc68532beb2238f5bbde1f4261467765bc75d62b73aa6d05b4f1b6aa793f0d8c18b057a0bf494bac3f505065c40b95c1047cf09b2c49

memory/3236-35-0x0000000003000000-0x0000000003001000-memory.dmp

memory/3236-36-0x0000000003000000-0x0000000003001000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 02:39

Reported

2024-10-16 02:42

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wy.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wy.exe

"C:\Users\Admin\AppData\Local\Temp\wy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wy.37wan.com udp
CN 42.194.172.182:80 wy.37wan.com tcp

Files

C:\ProgramData\37wan\wy\Lander.ini

MD5 3cae722a37d3cffdf71647fbf7b50f56
SHA1 44906fea32090d13b297a32f1141aa101a14d238
SHA256 acc9689be70a19f34911e0505a8c96df28e50365df419e543fbba28531e4341c
SHA512 d58698799af977335e2c7bc3284905bd8e684e4fd4dc00f29537a9e5f1019e4ca94a404c7760e5650d45de921513bf7c4eaef833f76228b722b966de7edf8639

memory/1292-7-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1292-8-0x0000000000140000-0x0000000000141000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-16 02:39

Reported

2024-10-16 02:42

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wy.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wy.exe

"C:\Users\Admin\AppData\Local\Temp\wy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wy.37wan.com udp
CN 42.194.172.182:80 wy.37wan.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\ProgramData\37wan\wy\Lander.ini

MD5 3cae722a37d3cffdf71647fbf7b50f56
SHA1 44906fea32090d13b297a32f1141aa101a14d238
SHA256 acc9689be70a19f34911e0505a8c96df28e50365df419e543fbba28531e4341c
SHA512 d58698799af977335e2c7bc3284905bd8e684e4fd4dc00f29537a9e5f1019e4ca94a404c7760e5650d45de921513bf7c4eaef833f76228b722b966de7edf8639

memory/3564-7-0x0000000003160000-0x0000000003161000-memory.dmp

memory/3564-8-0x0000000003160000-0x0000000003161000-memory.dmp