Malware Analysis Report

2025-08-05 10:49

Sample ID 241017-cbzmnswdqc
Target 503b154050ce76040ccb90509af08ded_JaffaCakes118
SHA256 b5f3f9c38941a80a482fec7f66183828add12d9115c824b78c89ffbaae951996
Tags
bootkit discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b5f3f9c38941a80a482fec7f66183828add12d9115c824b78c89ffbaae951996

Threat Level: Shows suspicious behavior

The file 503b154050ce76040ccb90509af08ded_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Writes to the Master Boot Record (MBR)

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 01:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 01:54

Reported

2024-10-17 01:55

Platform

win7-20240903-en

Max time kernel

3s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe

"C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2332-0-0x0000000000400000-0x00000000004AA000-memory.dmp

\Users\Admin\AppData\Local\Temp\mbr-locker.exe

MD5 f907909c1e30c3e839096e7d4d090b2c
SHA1 0a99db4e4374dadbfb22610e826e68d3aa3fc376
SHA256 f31e5d50d7af3d92ce22acf0170943e2d825de609043ffbb8a7dd81c40a9fa9d
SHA512 583481e0f239587cd39c14fc4496137ffb8fdd58d8b7f37eb0fc6c720faf770aa6f9b6f1ba323e916536ff7f4594379004de3462150da973e9155b36cb65598f

memory/2332-6-0x000000002AA00000-0x000000002AA47000-memory.dmp

memory/2148-14-0x000000002AA00000-0x000000002AA47000-memory.dmp

memory/2332-12-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 55a6c5e8b47dc0777cf286fa1b3970d2
SHA1 c6b51d0028b78e0a5bb019285b14e3d25478632a
SHA256 5389ea291b867e7beed8516a9d534fdd91bfc3802512d5bd4b7823b702ba130c
SHA512 d5bc859ce5592a48ac708810d7240df448c860c97f98819b4cb45cd661365946ed31553a0c017e3dd1540915b98291561e184b273f7880ff112b6fad62846782

memory/2148-24-0x000000002AA00000-0x000000002AA47000-memory.dmp

memory/2912-27-0x0000000002D90000-0x0000000002D91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 01:54

Reported

2024-10-17 01:54

Platform

win10v2004-20241007-en

Max time kernel

4s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe

"C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3980855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp

Files

memory/3548-0-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe

MD5 f907909c1e30c3e839096e7d4d090b2c
SHA1 0a99db4e4374dadbfb22610e826e68d3aa3fc376
SHA256 f31e5d50d7af3d92ce22acf0170943e2d825de609043ffbb8a7dd81c40a9fa9d
SHA512 583481e0f239587cd39c14fc4496137ffb8fdd58d8b7f37eb0fc6c720faf770aa6f9b6f1ba323e916536ff7f4594379004de3462150da973e9155b36cb65598f

memory/5004-9-0x000000002AA00000-0x000000002AA47000-memory.dmp

memory/3548-10-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 55a6c5e8b47dc0777cf286fa1b3970d2
SHA1 c6b51d0028b78e0a5bb019285b14e3d25478632a
SHA256 5389ea291b867e7beed8516a9d534fdd91bfc3802512d5bd4b7823b702ba130c
SHA512 d5bc859ce5592a48ac708810d7240df448c860c97f98819b4cb45cd661365946ed31553a0c017e3dd1540915b98291561e184b273f7880ff112b6fad62846782

memory/5004-18-0x000000002AA00000-0x000000002AA47000-memory.dmp