Malware Analysis Report

2025-06-15 23:35

Sample ID 241031-rzqr1aykcw
Target 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118
SHA256 7dc2b9e59114f51f3f27f67561b917c58a3d9e023c0e8828cf4eb3ab88cf61fc
Tags
bootkit discovery evasion persistence trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

7dc2b9e59114f51f3f27f67561b917c58a3d9e023c0e8828cf4eb3ab88cf61fc

Threat Level: Likely malicious

The file 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion persistence trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 14:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 14:38

Reported

2024-10-31 14:43

Platform

win7-20241010-en

Max time kernel

72s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\merrsend.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\merrsend.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\merrsend.exe

merrsend.exe ABABB996AAABABEEAEABAB73A8FFC3D9CECACFE2EF8B9A9C989D8BDFC3D9CEDC8BC2C58B989A9C8B839A989F9282A6A1A6A1FFC3D9CECACFE2EF918B9A9C989DA6A1A29A9E998B918BDCFCC2C5E6CAC2C5A6A1A2A29F9A9F9A8B918BC2C5C2DFE7CAC5CCDECACCCEE4C9C1CEC8DFA6A1A2A29D9898998B918BCED3DFD9CAC8DFEED9D9C4D9F8CEC5CFCED9A6A1A2A29F9A8B918BE9DECDCDCED9E8C7C2CEC5DF9191E9DECDCDCED9E8C7C2CEC5DFA6A1A2A2A2928B918BE4C9C1CEC8DFE6CAC5CACCCED99191E4C9C1CEC8DFE6CAC5CACCCED9A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29D9B939E8B918BE9DECDCDCED9E8C7C2CEC5DF9191D8CEDFE8CAC5C8CEC7E3CAD9CFA6A1A2A29A9F8B918BFBE9E6E89191FBE9E6E8A6A1A2A29E9D929C8B918B94C3CAC5CFC7CEE7C4CACFF8CEDFDFC2C5CCD8EBEBF2EAF3EAE9FD948FC9CAD8C2C8F4D8DFD9C2C5CCEBF4FCFE948FC8C3CAD9F4DFD9CAC2DFD8EBF4FCEBD8DFCFEBEBFD948FCAC7C7C4C8CADFC4D9EBF4FCEB99EBEBD8DFCFEBEBEBF1A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29C9E998B918BFBE9E6E89191FEDBCFCADFCEFBC4D9DFD8A6A1A2A2A29C9F998B918BFBE9E6E89191E8C3CAC5CCCECFEFE2FDA6A1A6A1FFC3D9CECACFE2EF918B999A9F9FA6A1A29A9D929B8B918BE9DECDCDCED9E8C7C2CEC5DF9191FBC4DFFFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B999A9D93A6A1A2999B9B9B8B918BE9DECDCDCED9E8C7C2CEC5DF9191FBCEDFDBC2C8C0FFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B99999E9DA6A1A29D9B9F8B918BE9DECDCDCED9E8C7C2CEC5DF9191E9DECDCDFFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B9998999FA6A1A2989A9A988B918BE9DECDCDCED9E8C7C2CEC5DF9191F8DEDBCED9DDC2D8C4D9FFC3D9CECACFA6A1A6A1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 920

Network

Country Destination Domain Proto
DE 82.165.134.202:80 tcp

Files

memory/2116-0-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2116-1-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

memory/2116-6-0x0000000000401000-0x0000000000465000-memory.dmp

memory/2116-8-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2116-5-0x0000000004480000-0x0000000004482000-memory.dmp

memory/2116-9-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2116-4-0x0000000004470000-0x0000000004471000-memory.dmp

memory/2116-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/2116-10-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2116-11-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2116-12-0x0000000000400000-0x0000000000A73000-memory.dmp

\Users\Admin\AppData\Local\Temp\merrsend.exe

MD5 7beeb35c3bde8caab110b5dc3a45218c
SHA1 fa36661a88ec5d68b9bec81dc7e216a3ed696aae
SHA256 62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a
SHA512 cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795

memory/2116-19-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2116-22-0x0000000000400000-0x0000000000A73000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 14:38

Reported

2024-10-31 14:42

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\merrsend.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\merrsend.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\merrsend.exe

merrsend.exe ABABB996AAABABEEAEABAB7DA8FFC3D9CECACFE2EF8B9A9C93938BDFC3D9CEDC8BC2C58B989A9C8B839A989F9282A6A1A6A1FFC3D9CECACFE2EF918B9C9B93A6A1A2999B9B9B8B918BE9DECDCDCED9E8C7C2CEC5DF9191FBCEDFDBC2C8C0FFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B929B93A6A1A2989A9A988B918BE9DECDCDCED9E8C7C2CEC5DF9191F8DEDBCED9DDC2D8C4D9FFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B9A9C9393A6A1A29A9E998B918BDCFCC2C5E6CAC2C5A6A1A2A29F9A9F9A8B918BC2C5C2DFE7CAC5CCDECACCCEE4C9C1CEC8DFA6A1A2A29D9898998B918BCED3DFD9CAC8DFEED9D9C4D9F8CEC5CFCED9A6A1A2A29F9A8B918BE9DECDCDCED9E8C7C2CEC5DF9191E9DECDCDCED9E8C7C2CEC5DFA6A1A2A2A2928B918BE4C9C1CEC8DFE6CAC5CACCCED99191E4C9C1CEC8DFE6CAC5CACCCED9A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29D9B939E8B918BE9DECDCDCED9E8C7C2CEC5DF9191D8CEDFE8CAC5C8CEC7E3CAD9CFA6A1A2A29A9F8B918BFBE9E6E89191FBE9E6E8A6A1A2A29E9D929C8B918B94C3CAC5CFC7CEE7C4CACFF8CEDFDFC2C5CCD8EBEBF2EAF3EAE9FD948FC9CAD8C2C8F4D8DFD9C2C5CCEBF4FCFE948FC8C3CAD9F4DFD9CAC2DFD8EBF4FCEBD8DFCFEBEBFD948FCAC7C7C4C8CADFC4D9EBF4FCEB99EBEBD8DFCFEBEBEBF1A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29C9E998B918BFBE9E6E89191FEDBCFCADFCEFBC4D9DFD8A6A1A2A2A29C9F998B918BFBE9E6E89191E8C3CAC5CCCECFEFE2FDA6A1A6A1FFC3D9CECACFE2EF918B9F93939FA6A1A29A9D929B8B918BE9DECDCDCED9E8C7C2CEC5DF9191FBC4DFFFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B9E9B9B9FA6A1A29D9B9F8B918BE9DECDCDCED9E8C7C2CEC5DF9191E9DECDCDFFC3D9CECACFA6A1A6A1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1824

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 82.165.134.202:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/4224-0-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/4224-1-0x00000000775E4000-0x00000000775E6000-memory.dmp

memory/4224-7-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/4224-6-0x0000000000401000-0x0000000000465000-memory.dmp

memory/4224-5-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

memory/4224-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/4224-3-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/4224-9-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/4224-10-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/4224-11-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/4224-12-0x0000000000400000-0x0000000000A73000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\merrsend.exe

MD5 7beeb35c3bde8caab110b5dc3a45218c
SHA1 fa36661a88ec5d68b9bec81dc7e216a3ed696aae
SHA256 62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a
SHA512 cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795

memory/4224-17-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2704-18-0x0000000072DC2000-0x0000000072DC3000-memory.dmp

memory/2704-19-0x0000000072DC0000-0x0000000073371000-memory.dmp

memory/2704-20-0x0000000072DC0000-0x0000000073371000-memory.dmp

memory/4224-21-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/4224-22-0x0000000000400000-0x0000000000A73000-memory.dmp

memory/2704-23-0x0000000072DC0000-0x0000000073371000-memory.dmp

memory/2704-25-0x0000000072DC0000-0x0000000073371000-memory.dmp