Malware Analysis Report

2025-08-06 01:36

Sample ID 241016-zxyzlawerk
Target 4f07f680176fd270e11e175614d590e9_JaffaCakes118
SHA256 f2967a77251732f2472f8063692f5c126125dd5386a62a1a130d6b35c7a3729f
Tags: discovery bootkit persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: f2967a77251732f2472f8063692f5c126125dd5386a62a1a130d6b35c7a3729f

Threat Level: Shows suspicious behavior

The file 4f07f680176fd270e11e175614d590e9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery bootkit persistence

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 21:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 21:06

Reported: 2024-10-16 21:09

Platform: win10v2004-20241007-en

Max time kernel: 140s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\disvc.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\disvc.exe | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\disvc.exe | C:\Windows\SysWOW64\disvc.exe | N/A
File created | C:\Windows\SysWOW64\disvc.exe | C:\Windows\SysWOW64\disvc.exe | N/A
File created | C:\Windows\SysWOW64\disvc.exe | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\disvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sysremove.bat" "

C:\Windows\SysWOW64\disvc.exe

"C:\Windows\system32\disvc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/2344-0-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2344-1-0x0000000000620000-0x0000000000663000-memory.dmp

memory/2344-9-0x0000000002360000-0x0000000002361000-memory.dmp

memory/2344-6-0x00000000022F0000-0x00000000022F2000-memory.dmp

memory/2344-4-0x0000000000500000-0x0000000000501000-memory.dmp

memory/2344-3-0x0000000000510000-0x0000000000511000-memory.dmp

memory/2344-8-0x0000000002350000-0x0000000002351000-memory.dmp

memory/2344-7-0x00000000022E0000-0x00000000022E8000-memory.dmp

memory/2344-5-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/2344-2-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/2344-13-0x0000000002330000-0x0000000002331000-memory.dmp

memory/2344-12-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/2344-15-0x0000000002310000-0x0000000002311000-memory.dmp

memory/2344-14-0x0000000002320000-0x0000000002321000-memory.dmp

memory/2344-10-0x0000000002300000-0x0000000002301000-memory.dmp

memory/2344-11-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

C:\Windows\SysWOW64\disvc.exe

MD5 4f07f680176fd270e11e175614d590e9
SHA1 c1afef4bd8eace84c8ffca1c2c4afb8636ddf12e
SHA256 f2967a77251732f2472f8063692f5c126125dd5386a62a1a130d6b35c7a3729f
SHA512 5b2046b420987f6e0296687347379fab3117fe1331e72bcb551b43ea3e28c60f942ed9de233891549d3dd4479021bb768d38c396c946336449dc3058e7efa604

memory/5044-24-0x0000000000820000-0x0000000000863000-memory.dmp

memory/5044-26-0x0000000002330000-0x0000000002338000-memory.dmp

memory/2344-25-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysremove.bat

MD5 159dfc836a06544da98ef7e74951a258
SHA1 647aefe97c3fea310cfa33bd098d41d54d6f1edb
SHA256 bec73991d0a6a300ffe77ef60ae75a182371c4e1f162d7d9b04654ceb0901779
SHA512 fb6a6e64587da77277b19eeef35893be51df52ef3f4ecbef7941209b05b383c8816c893e31f575fb2d32a9f89fd84a645a8b39728670447aa91ed306e1ac7002

memory/5044-30-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/5044-29-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/2344-28-0x0000000000620000-0x0000000000663000-memory.dmp

memory/5044-34-0x0000000002360000-0x0000000002361000-memory.dmp

memory/5044-33-0x0000000002370000-0x0000000002371000-memory.dmp

memory/5044-32-0x0000000002380000-0x0000000002381000-memory.dmp

memory/5044-31-0x0000000002350000-0x0000000002351000-memory.dmp

memory/5044-36-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5044-37-0x0000000000820000-0x0000000000863000-memory.dmp

memory/5044-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5044-40-0x0000000000820000-0x0000000000863000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 21:06

Reported: 2024-10-16 21:09

Platform: win7-20240903-en

Max time kernel: 121s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\disvc.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\disvc.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\disvc.exe | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\disvc.exe | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\disvc.exe | C:\Windows\SysWOW64\disvc.exe | N/A
File created | C:\Windows\SysWOW64\disvc.exe | C:\Windows\SysWOW64\disvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\disvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f07f680176fd270e11e175614d590e9_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sysremove.bat" "

C:\Windows\SysWOW64\disvc.exe

"C:\Windows\system32\disvc.exe"

Network

N/A

Files

memory/2168-0-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2168-1-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/2168-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2168-3-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2168-9-0x0000000001F40000-0x0000000001F41000-memory.dmp

memory/2168-8-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2168-7-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/2168-6-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

memory/2168-5-0x0000000000620000-0x0000000000621000-memory.dmp

memory/2168-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2168-13-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/2168-14-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

memory/2168-15-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

memory/2168-18-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

memory/2168-17-0x0000000001F00000-0x0000000001F01000-memory.dmp

memory/2168-16-0x0000000001F10000-0x0000000001F11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysremove.bat

MD5 159dfc836a06544da98ef7e74951a258
SHA1 647aefe97c3fea310cfa33bd098d41d54d6f1edb
SHA256 bec73991d0a6a300ffe77ef60ae75a182371c4e1f162d7d9b04654ceb0901779
SHA512 fb6a6e64587da77277b19eeef35893be51df52ef3f4ecbef7941209b05b383c8816c893e31f575fb2d32a9f89fd84a645a8b39728670447aa91ed306e1ac7002

C:\Windows\SysWOW64\disvc.exe

MD5 4f07f680176fd270e11e175614d590e9
SHA1 c1afef4bd8eace84c8ffca1c2c4afb8636ddf12e
SHA256 f2967a77251732f2472f8063692f5c126125dd5386a62a1a130d6b35c7a3729f
SHA512 5b2046b420987f6e0296687347379fab3117fe1331e72bcb551b43ea3e28c60f942ed9de233891549d3dd4479021bb768d38c396c946336449dc3058e7efa604

memory/2168-35-0x0000000003190000-0x000000000320F000-memory.dmp

memory/2656-36-0x0000000000270000-0x00000000002B3000-memory.dmp

memory/2168-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2656-39-0x0000000001F40000-0x0000000001F41000-memory.dmp

memory/2656-38-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2656-37-0x00000000003F0000-0x00000000003F8000-memory.dmp

memory/2168-33-0x0000000003190000-0x000000000320F000-memory.dmp

memory/2656-42-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/2168-45-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/2656-46-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/2656-44-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2656-43-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/2656-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2656-49-0x0000000000270000-0x00000000002B3000-memory.dmp

memory/2656-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2656-52-0x0000000000270000-0x00000000002B3000-memory.dmp