0054d197aa97e397e40a525f3cde7bdbc5dfa72c898b46f8a0b8778958bc664e

Analysis

max time kernel
69s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
Size

47KB
MD5

8a71a0b8a6336577edb2f3b859731802
SHA1

b06f83ff23705515c1b0eda30c5758ce7939fda6
SHA256

0054d197aa97e397e40a525f3cde7bdbc5dfa72c898b46f8a0b8778958bc664e
SHA512

5c3f3e94d119dcc9a6b76f2f1748b0ca1e369f4fd00291f6c13a5bf9a44a3bae43ba62b34a70d1037da8734169578eec8a62ec16dd3f4235cf207dbe98af2fd0
SSDEEP

768:ZcpEK+ykB87ri5m5G5aDBMo52bgWvo7B4fcZzNk0ACacXf1umuo6dnpXw5l/bjPW:ZS9667QmcxgWOBE0NacP1u1HXCbjPDzG

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4548	regsvr32.exe
3200	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fixj4.dll	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
File created	C:\Windows\SysWOW64\dllcache\fixj4.dll	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
File created	C:\Windows\SysWOW64\fixja.dll	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3176-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3176-8-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3176-14-0x0000000000400000-0x0000000000430000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\fixja.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\fixja.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4548	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	91
PID 3176 wrote to memory of 4548	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	91
PID 3176 wrote to memory of 4548	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	91
PID 3176 wrote to memory of 3200	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	92
PID 3176 wrote to memory of 3200	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	92
PID 3176 wrote to memory of 3200	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	92
PID 3176 wrote to memory of 2304	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	101
PID 3176 wrote to memory of 2304	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	101
PID 3176 wrote to memory of 2304	3176	JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a71a0b8a6336577edb2f3b859731802.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\fixja.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4548
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 fixj4.dll , InstallMyDll
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 375O540.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375O540.bat

Filesize
2KB

MD5
a021e47f114e6ebad07d795de04254b4

SHA1
f5453c8e6661fe1596cae70d3977afe5d5dad331

SHA256
568f2f478e8184a5f6cc4b3c7fd149766aa236d098ef4bd082fb3b9151304001

SHA512
701094d783a421f37f86426214344347b8722ae2e119a66acd1489c9fb8305305a52c7061622985747e79fc01386cfa1f90cee39afc9c2f33000684dd86c700b

Download Submit
C:\Windows\SysWOW64\fixj4.dll

Filesize
108KB

MD5
4accdc42407488bcc135cac5ea67fdf9

SHA1
06ee83ab2d1a15eab4fcf330f9862b887e1ca2ce

SHA256
acf85cca32550e8b5a9737ded0573918b50eb75010151149560a67b90e4bbc37

SHA512
bbfd1f7fabf532957165b9bab6c8707ab52951cce7f4181c2bf089a5cb036639530b690f212816c8382bb847b920069cfd837e2042a4a3dacf16bc64fc2beb8f

Download Submit
C:\Windows\SysWOW64\fixja.dll

Filesize
40KB

MD5
b6743734105b63950fae9f6a40006332

SHA1
e3533f15460b722d4dc90f9b6080f0722409f74d

SHA256
9f75a79708bec05deec98f27338c7d85886638e7f58ba075a5ef8ffe5a820a10

SHA512
afa290ee917283f8c30edd21ad789cb610bc1a80a98b35ea9a2931d097eff57cf8ea7831af21dd0fd813964a2cabfc0b44608d10bf3298005234a19b0fa7c288

Download Submit
memory/3176-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3176-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3176-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download