Malware Analysis Report

2025-01-22 12:57

Sample ID 240626-czwkxszbpe
Target 106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118
SHA256 1cfff47d1fb027157794db2476f16d719d723ed48a92e9c9c7325a14be9a545d
Tags
vmprotect upx
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

1cfff47d1fb027157794db2476f16d719d723ed48a92e9c9c7325a14be9a545d

Threat Level: Shows suspicious behavior

The file 106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect upx

VMProtect packed file

Executes dropped EXE

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 02:31

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 02:31

Reported

2024-06-26 02:33

Platform

win7-20240221-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\zd.dat | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (19 identical rows)

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\zd.dat | C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\zd.dat | N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\zd.dat | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\zd.dat | N/A (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe"

C:\Windows\zd.dat

C:\Windows\zd.dat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.027dj.com | udp

Files

memory/2336-0-0x0000000000400000-0x00000000008D9000-memory.dmp

memory/2336-1-0x0000000000400000-0x00000000008D9000-memory.dmp

C:\Windows\zd.dat

MD5 532930ab497d81951fcf36cd42980b7a
SHA1 be042fa0a21b52b7c9abb9c830799c6455c41293
SHA256 feb65c5ccd31f9e33496b9c62672c6750023bf4f1155d1e0dc3a7cc2fc37e68d
SHA512 b7e238de244d5637d99cd0b43059e0ef96c4d07cbd61c3c638580d254144513b7224022d8bcddaeddb9e20a6665cc0bec0f228b0c82f42eaf99ac1942b10d7fa

memory/2336-11-0x0000000004290000-0x000000000445A000-memory.dmp

memory/2168-10-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2336-9-0x0000000004290000-0x000000000445A000-memory.dmp

memory/2168-22-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-21-0x0000000000409000-0x000000000040A000-memory.dmp

memory/2336-33-0x0000000000400000-0x00000000008D9000-memory.dmp

memory/2336-34-0x0000000004290000-0x000000000445A000-memory.dmp

memory/2168-35-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-36-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-37-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-38-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-39-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-40-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-41-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-42-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-43-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-44-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-45-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-46-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-47-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-48-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2168-49-0x0000000000400000-0x00000000005CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 02:31

Reported

2024-06-26 02:33

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\zd.dat | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\zd.dat | C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\106cd6e97c029d7a6424f6ccf8dc4635_JaffaCakes118.exe"

C:\Windows\zd.dat

C:\Windows\zd.dat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.027dj.com | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 52.111.229.43:443 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp

Files

memory/3224-0-0x0000000000400000-0x00000000008D9000-memory.dmp

memory/3224-2-0x0000000000400000-0x00000000008D9000-memory.dmp

C:\Windows\zd.dat

MD5 532930ab497d81951fcf36cd42980b7a
SHA1 be042fa0a21b52b7c9abb9c830799c6455c41293
SHA256 feb65c5ccd31f9e33496b9c62672c6750023bf4f1155d1e0dc3a7cc2fc37e68d
SHA512 b7e238de244d5637d99cd0b43059e0ef96c4d07cbd61c3c638580d254144513b7224022d8bcddaeddb9e20a6665cc0bec0f228b0c82f42eaf99ac1942b10d7fa

memory/2864-7-0x0000000000400000-0x00000000005CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e575e33.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

C:\Users\Admin\AppData\Local\Temp\e575e35.tmp

MD5 f6b847a54cfb804a25b8842b45fd1d50
SHA1 bb22fef07ce1577c8a7fa057d8cf05502c013bfc
SHA256 5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583
SHA512 dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a

C:\Users\Admin\AppData\Local\Temp\e575e34.tmp

MD5 5870ea0d6ba8dd6e2008466bdd00e0f4
SHA1 d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5
SHA256 5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d
SHA512 0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

memory/2864-97-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/3224-99-0x0000000000400000-0x00000000008D9000-memory.dmp