Malware Analysis Report

2025-08-05 10:49

Sample ID 241017-a2l36awcpm
Target 4fed00db2bbf416c842456af8976d68d_JaffaCakes118
SHA256 f68066e419126c947ba01e6283351add30e0d98b45279f56d398276879aa7b5a
Tags
discovery bootkit persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

f68066e419126c947ba01e6283351add30e0d98b45279f56d398276879aa7b5a

Threat Level: Shows suspicious behavior

The file 4fed00db2bbf416c842456af8976d68d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery bootkit persistence

Writes to the Master Boot Record (MBR)

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 00:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 00:42

Reported

2024-10-17 00:45

Platform

win7-20241010-en

Max time kernel

0s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe

"C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe"

Network

N/A

Files

memory/1688-1-0x0000000000430000-0x0000000000452000-memory.dmp

memory/1688-0-0x0000000000430000-0x0000000000452000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 00:42

Reported

2024-10-17 00:42

Platform

win10v2004-20241007-en

Max time kernel

1s

Max time network

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe

"C:\Users\Admin\AppData\Local\Temp\Debut.video.capture.software.1.crack.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4336-0-0x0000000000A90000-0x0000000000AB2000-memory.dmp

memory/4336-1-0x0000000000A90000-0x0000000000AB2000-memory.dmp