Malware Analysis Report

2025-03-15 06:00

Sample ID 240512-hy369shd33
Target 38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118
SHA256 04b94dba59c5ac11f0b7906c7b6aaf8c5bffa1a12274b408848f068ee98aa36e
Tags
persistence vmprotect
score
7/10


Analysis Overview

score
7/10

SHA256

04b94dba59c5ac11f0b7906c7b6aaf8c5bffa1a12274b408848f068ee98aa36e

Threat Level: Shows suspicious behavior

The file 38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence vmprotect

Checks computer location settings

Loads dropped DLL

VMProtect packed file

Deletes itself

Modifies WinLogon

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 07:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 07:09

Reported

2024-05-12 07:12

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\systemp | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe"

C:\Windows\SysWOW64\sfc.exe

"C:\Windows\system32\sfc.exe" /REVERT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\del.bat

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\system32\s2am.ime,Runed

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 52.111.229.43:443 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp

Files

C:\4CA9.tmp

MD5 19274b0dd9206e22301bf53fc48cfd0c
SHA1 bdd1d5d153225c4df3e64ffc1410e44e0888dcd1
SHA256 c2832a8b383a4124d24b43c759d208fb0033ef100c673ae4cc2d0a849ce5d579
SHA512 9bfbcfaee960b48e45cb98212824c0215ce912385845aed483e7bf83f3a3a7beee7097f1ea367c1411f95e9e4a34ba790875ad56f63959fab543820a111594c6

\??\c:\del.bat

MD5 a58e2bb3a1bfbc496abaae2463160eff
SHA1 caf5f0c44092423f27f0dbf7787f8f60ccfacd0c
SHA256 c1fb7ff7b76a50a8cd7844dd47b5ee1edb18227e8822bba10f6e258e916746c9
SHA512 f6ee6d3e2d17a7e44ad3977cb5698ae8cb72782cd94c542a3d358686f92e451452a4b0be52fd8c87cfddc4db8d4380cbad04bba5d349b65dbf3c786ffa7a96e7

C:\Windows\SysWOW64\sfcos.dll

MD5 98c499fccb739ab23b75c0d8b98e0481
SHA1 0ef5c464823550d5f53dd485e91dabc5d5a1ba0a
SHA256 d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087
SHA512 9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

C:\Windows\SysWOW64\systemp

MD5 802dba44441c9495d9d26f262f76185c
SHA1 fd89315ee2314e4eb660d0614beddddcfec3bcac
SHA256 a7acee89603310d54dd2388af538081e8f80bb818069a2c0d0a2311420f540cc
SHA512 b3e6fe6ccedd48407cdfd2252ed396155a0f1d80383daf92f12ae9112440bb30d33dc04f19d84fc64b769915f78662b2e574e8f6fb2af2b2e8192d6c855ca6c4

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 07:09

Reported

2024-05-12 07:12

Platform

win7-20231129-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\systemp | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 624 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\sfc.exe
PID 624 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\sfc.exe
PID 624 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\sfc.exe
PID 624 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\sfc.exe
PID 624 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\38e087fdb9c83b2cad8bee57db176c7a_JaffaCakes118.exe"

C:\Windows\SysWOW64\sfc.exe

"C:\Windows\system32\sfc.exe" /REVERT

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\del.bat

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\system32\s2am.ime,Runed

Network

N/A

Files

C:\FC9.tmp

MD5 2b83bb7b93d407108c2592d73b3f5812
SHA1 219df43503338f2bff17914f6f70c889502bc112
SHA256 7020191cfe68d459bb2db5dc1bc04e9450bb93fed436c00707be37dd5615e125
SHA512 b893e37b8bb0d9af99f38389ce76be5a9a6b10e291a722972d8df3f97f25f2bb1c4534386439da893516c2e0b6f249add9a07a6e075376245b085e8cd3f57e8c

C:\del.bat

MD5 a58e2bb3a1bfbc496abaae2463160eff
SHA1 caf5f0c44092423f27f0dbf7787f8f60ccfacd0c
SHA256 c1fb7ff7b76a50a8cd7844dd47b5ee1edb18227e8822bba10f6e258e916746c9
SHA512 f6ee6d3e2d17a7e44ad3977cb5698ae8cb72782cd94c542a3d358686f92e451452a4b0be52fd8c87cfddc4db8d4380cbad04bba5d349b65dbf3c786ffa7a96e7

C:\Windows\SysWOW64\sfcos.dll

MD5 84799328d87b3091a3bdd251e1ad31f9
SHA1 64dbbe8210049f4d762de22525a7fe4313bf99d0
SHA256 f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b
SHA512 0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

C:\Windows\SysWOW64\systemp

MD5 802dba44441c9495d9d26f262f76185c
SHA1 fd89315ee2314e4eb660d0614beddddcfec3bcac
SHA256 a7acee89603310d54dd2388af538081e8f80bb818069a2c0d0a2311420f540cc
SHA512 b3e6fe6ccedd48407cdfd2252ed396155a0f1d80383daf92f12ae9112440bb30d33dc04f19d84fc64b769915f78662b2e574e8f6fb2af2b2e8192d6c855ca6c4