Malware Analysis Report

2025-01-22 12:49

Sample ID 240522-yshldaee4v
Target 6872559f5239153c9a9ab634a5d332d3_JaffaCakes118
SHA256 a8377270486aec3c994de7c2ccd7b53c791ff525ed124a29c4584ecb49ad4938
Tags: vmprotect
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: a8377270486aec3c994de7c2ccd7b53c791ff525ed124a29c4584ecb49ad4938

Threat level: shows suspicious behavior

The file 6872559f5239153c9a9ab634a5d332d3_JaffaCakes118 shows suspicious behavior rather than confirmed malicious activity. The static pass flags it as an unsigned, VMProtect-packed PE; both detonations see it write C:\Program Files\Internet Explorer\nvudp.exe and install a Windows hook through SetWindowsHookEx. The win7 run recorded no network activity; the win10 run recorded only DNS lookups and TLS connections to Bing hosts.

Malicious Activity Summary

vmprotect

Checks computer location settings

VMProtect packed file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-22 20:02

Signatures

VMProtect packed file

Tag: vmprotect
(no description, indicator, process or target recorded)

Unsigned PE

(no description, indicator, process or target recorded)
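The static pass above reports "VMProtect packed file" without saying what it matched on. The two signals a triage script usually checks are the section names VMProtect adds by default (.vmp0/.vmp1; a build can rename them, so this is a hint, not proof) and near-8-bit entropy in the section that carries the virtualized code. The following is an added example, not part of this report or of the sandbox's own signature logic: a dependency-free PE section-table walker that applies both checks. Because no sample bytes are on the page, it also builds a constructed, non-runnable PE32 layout (build_test_pe) so the checks can be exercised offline; the .vmp1 contents are a stand-in for encrypted code, not data from the real file. Note that a positive result only tells you the file is packed; unpacking VMProtect needs a dynamic approach, which is why the memory dumps in the behavioral runs (the 0x400000-0x735000 image region) are the useful artifact.

```python
import math
import struct
from collections import Counter

# Default section names VMProtect adds are .vmp0/.vmp1 (a protected build can
# rename them, so treat a match as a hint). Second signal: entropy close to
# 8 bits per byte in the section holding the virtualized/encrypted code.
VMPROTECT_SECTION_PREFIX = b".vmp"
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table; return [(name, raw_offset, raw_size), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def vmprotect_indicators(pe: bytes) -> dict:
    """Return {'vmp_sections': [names], 'high_entropy': [(name, entropy), ...]}."""
    found = {"vmp_sections": [], "high_entropy": []}
    for name, raw_ptr, raw_size in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name.startswith(VMPROTECT_SECTION_PREFIX):
            found["vmp_sections"].append(label)
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        if raw_size and entropy >= HIGH_ENTROPY_THRESHOLD:
            found["high_entropy"].append((label, round(entropy, 2)))
    return found


def looks_vmprotected(pe: bytes) -> bool:
    found = vmprotect_indicators(pe)
    return bool(found["vmp_sections"]) or bool(found["high_entropy"])


def build_test_pe(sections) -> bytes:
    """Constructed stand-in: a minimal PE32 layout (headers only, not executable)
    with the given (name, data) sections, so the parser can run offline."""
    size_of_optional = 0xE0                       # PE32 optional header size
    header_len = 0x40 + 4 + 20 + size_of_optional + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF     # 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             len(padded), first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += padded
        va += 0x1000
    header = dos + b"PE\0\0" + coff + optional + table
    return header + b"\0" * (first_raw - len(header)) + body


# Constructed samples: a plain binary, and one with a .vmp1 section whose bytes
# stand in for encrypted virtualized code (uniform distribution -> 8.0 bits).
PLAIN_PE = build_test_pe([(b".text", b"\x90" * 0x200)])
PACKED_PE = build_test_pe([(b".text", b"\x90" * 0x200), (b".vmp1", bytes(range(256)) * 8)])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, vmprotect_indicators(sample), looks_vmprotected(sample))
```

On a real sample, read the file with open(path, "rb").read() and pass it to vmprotect_indicators; a high-entropy hit without a .vmp name still deserves a look, since other packers and plain compression produce the same profile.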

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 20:02
Reported: 2024-05-22 20:05
Platform: win7-20231129-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\㶮.exe"

Signatures

VMProtect packed file

Tag: vmprotect
(4 hits; no description, indicator, process or target recorded)

Drops file in Program Files directory

Description   Indicator                                     Process                                    Target
File created  C:\Program Files\Internet Explorer\nvudp.exe  C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                    Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\㶮.exe

"C:\Users\Admin\AppData\Local\Temp\㶮.exe"

Network

N/A

Files

memory/1364-0-0x0000000000400000-0x0000000000735000-memory.dmp

memory/1364-2-0x0000000000F00000-0x0000000001235000-memory.dmp

memory/1364-3-0x000000000070F000-0x0000000000710000-memory.dmp

memory/1364-1-0x0000000000F00000-0x0000000001235000-memory.dmp

memory/1364-4-0x0000000077F00000-0x0000000077F01000-memory.dmp

memory/1364-5-0x0000000077F00000-0x0000000077F01000-memory.dmp

memory/1364-8-0x0000000076BC0000-0x0000000076BC1000-memory.dmp

memory/1364-10-0x0000000000400000-0x0000000000735000-memory.dmp

memory/1364-15-0x0000000000400000-0x0000000000735000-memory.dmp

memory/1364-16-0x0000000000400000-0x0000000000735000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 20:02
Reported: 2024-05-22 20:05
Platform: win10v2004-20240508-en
Max time kernel: 134s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\㶮.exe"

Signatures

Checks computer location settings

Description        Indicator                                                                                                    Process                                    Target
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A

VMProtect packed file

Tag: vmprotect
(3 hits; no description, indicator, process or target recorded)

Drops file in Program Files directory

Description   Indicator                                     Process                                    Target
File created  C:\Program Files\Internet Explorer\nvudp.exe  C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                    Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\㶮.exe  N/A
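The two behavioral signatures that carry actual indicators, in this run and in behavioral1, are the Geo\Nation registry query and the executable written under C:\Program Files by a process running out of the user's Temp directory. Turned into detection logic, the interesting part is the combination: Program Files writes are routine for installers launched from system paths, so the rule should score the source image, not just the destination. The block below is an added example, not the sandbox's signature code. It evaluates constructed events: the two rows from this report, plus a hypothetical benign install by msiexec.exe into a made-up C:\Program Files\ExampleVendor\ so the severity split is visible.

```python
from pathlib import PureWindowsPath

PROGRAM_FILES_DIRS = ("program files", "program files (x86)")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")
GEO_NATION_SUFFIX = "\\control panel\\international\\geo\\nation"
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


def runs_from_user_temp(image_path: str) -> bool:
    """True when the acting process image lives under a user's %TEMP%."""
    return USER_TEMP_MARKER in image_path.lower()


def writes_executable_to_program_files(event: dict) -> bool:
    """file_create of an executable type directly under a Program Files tree."""
    if event["type"] != "file_create":
        return False
    target = PureWindowsPath(event["target"])
    parts = [p.lower() for p in target.parts]          # ('C:\\', 'Program Files', ...)
    in_program_files = len(parts) > 1 and parts[1] in PROGRAM_FILES_DIRS
    return in_program_files and target.suffix.lower() in EXECUTABLE_SUFFIXES


def queries_geo_nation(event: dict) -> bool:
    """HKCU\\Control Panel\\International\\Geo\\Nation read (locale check)."""
    return event["type"] == "reg_query" and event["target"].lower().endswith(GEO_NATION_SUFFIX)


def triage(events):
    """Return (signature, severity, target) tuples. A Program Files write from a
    Temp-resident image is 'high'; the same write from elsewhere is 'info'."""
    findings = []
    for ev in events:
        if writes_executable_to_program_files(ev):
            severity = "high" if runs_from_user_temp(ev["process"]) else "info"
            findings.append(("Drops file in Program Files directory", severity, ev["target"]))
        if queries_geo_nation(ev):
            # Low on its own: plenty of legitimate software reads the locale.
            findings.append(("Checks computer location settings", "low", ev["target"]))
    return findings


# Constructed events: the two indicator rows from this report, plus a
# hypothetical benign installer write (ExampleVendor is made up).
SAMPLE_EVENTS = [
    {"type": "reg_query",
     "process": r"C:\Users\Admin\AppData\Local\Temp\㶮.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_create",
     "process": r"C:\Users\Admin\AppData\Local\Temp\㶮.exe",
     "target": r"C:\Program Files\Internet Explorer\nvudp.exe"},
    {"type": "file_create",
     "process": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\ExampleVendor\app.exe"},
]

if __name__ == "__main__":
    for signature, severity, target in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {signature}: {target}")
```

Two caveats a reader of this report should keep in mind. The "Suspicious use of SetWindowsHookEx" rows record neither the hook type nor the target thread, so the report cannot tell you whether this is a keyboard hook (keylogging), a message hook used for injection, or something benign; that needs the API trace or a debugger. And a Geo\Nation read is weak evidence by itself; it matters here only alongside the Program Files drop and the packing.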

Processes

C:\Users\Admin\AppData\Local\Temp\㶮.exe

"C:\Users\Admin\AppData\Local\Temp\㶮.exe"

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           58.55.71.13.in-addr.arpa        udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53           4.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa       udp
NL       23.62.61.146:443     www.bing.com                    tcp
US       8.8.8.8:53           146.61.62.23.in-addr.arpa       udp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net                udp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa     udp
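Most of this table is reverse DNS: the in-addr.arpa names are PTR queries, and reading them backwards gives the IP that was looked up (58.55.71.13.in-addr.arpa is 13.71.55.58). Only three rows are real connections, all TLS to Bing hosts, and two of the PTR queries (for 23.62.61.146 and 204.79.197.200) are simply the VM resolving those same destinations. The remaining ten addresses never appear as a destination, so the table does not say who looked them up; compare them against a clean-run baseline of the win10 image before treating any of them as an indicator. The block below is an added example, not the sandbox's code: it transcribes the rows above and separates PTR lookups, forward lookups and connections, flagging connections that fall outside an assumed baseline (Bing traffic, which is routine on this image) and listing the PTR-resolved addresses with no matching connection.

```python
import ipaddress

# Rows transcribed from the behavioral2 Network table: (country, destination, domain, proto)
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "57.169.31.20.in-addr.arpa", "udp"),
    ("NL", "23.62.61.146:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "146.61.62.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "55.36.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
]

# Assumed baseline for the win10 image: Bing search/lock-screen traffic is
# routine there. Build this list from your own clean run, not from guesswork.
BASELINE_DOMAIN_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(name: str):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def triage_network(rows):
    """Split rows into PTR lookups (as IPs), forward lookups, connections, and
    connections whose domain is outside the assumed baseline."""
    out = {"ptr_lookups": [], "forward_lookups": [], "connections": [], "off_baseline": []}
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            ip = ptr_to_ip(domain)
            (out["ptr_lookups"] if ip else out["forward_lookups"]).append(ip or domain)
            continue
        out["connections"].append((host, int(port), domain, proto))
        if not domain.endswith(BASELINE_DOMAIN_SUFFIXES):
            out["off_baseline"].append((host, int(port), domain))
    return out


def ptr_ips_without_connection(summary) -> list:
    """PTR-resolved IPs that never appear as a connection destination."""
    connected = {host for host, _port, _domain, _proto in summary["connections"]}
    return sorted(ip for ip in set(summary["ptr_lookups"]) if ip not in connected)


if __name__ == "__main__":
    summary = triage_network(NETWORK_ROWS)
    print("connections:", summary["connections"])
    print("off baseline:", summary["off_baseline"])
    print("PTR lookups with no connection:", ptr_ips_without_connection(summary))
```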

Files

memory/3044-0-0x0000000000400000-0x0000000000735000-memory.dmp

memory/3044-1-0x0000000000400000-0x0000000000735000-memory.dmp

memory/3044-3-0x0000000076310000-0x0000000076311000-memory.dmp

C:\Program Files\Internet Explorer\nvudp.exe

MD5 83a513d1c7f655b3587fb25337ccf8c8
SHA1 61a0718316c1064ebe54b3803a48303aad8a533f
SHA256 19174ec8ce1d63609c58455f64f83806c6c7e4c3e412ea92b0175fe48409b75e
SHA512 db273718ffd7ce6123b954767ab999e216f692c7b9d3fcb28c65dcb855df1b33626593a7aadf39cf3d72ff3d99b09dc242e3b7a46281a30fbddb2b67590a9e7b

memory/3044-13-0x00000000772C0000-0x00000000772C1000-memory.dmp

memory/3044-14-0x0000000000400000-0x0000000000735000-memory.dmp