Malware Analysis Report

2025-01-22 13:05

Sample ID 240626-ejnaqawfml
Target 10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118
SHA256 f51c2657f1bfdc6db9e15289a01c240600648edbae04b5a9dabcc5f88fa826fc
Tags
persistence vmprotect
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f51c2657f1bfdc6db9e15289a01c240600648edbae04b5a9dabcc5f88fa826fc

Threat Level: Likely malicious

The file 10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence vmprotect

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Unexpected DNS network traffic destination

VMProtect packed file

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 03:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 03:58

Reported

2024-06-26 04:00

Platform

win7-20240419-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EventNvidaLog\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcore7.dll" | C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 202.30.143.11 | N/A | N/A
Destination IP | 67.43.161.211 | N/A | N/A
Destination IP | 202.30.143.11 | N/A | N/A
Destination IP | 67.43.161.211 | N/A | N/A
Destination IP | 202.30.143.11 | N/A | N/A
Destination IP | 67.43.161.221 | N/A | N/A
Destination IP | 72.34.255.211 | N/A | N/A
Destination IP | 203.240.193.11 | N/A | N/A
Destination IP | 67.43.173.8 | N/A | N/A
Destination IP | 67.43.173.8 | N/A | N/A
Destination IP | 67.43.161.221 | N/A | N/A
Destination IP | 203.240.193.11 | N/A | N/A
Destination IP | 67.43.173.7 | N/A | N/A
Destination IP | 67.43.173.7 | N/A | N/A
Destination IP | 67.43.161.221 | N/A | N/A
Destination IP | 203.240.193.11 | N/A | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\npkcore7.dll | C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\npkcore7.dll | C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\\259399086.bat

Network

Country | Destination | Domain | Proto
US | 8.8.4.4:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 67.43.173.7:53 | gom500.dd.blueline.be | udp
US | 67.43.173.8:53 | gom500.dd.blueline.be | udp
US | 67.43.161.211:53 | gom500.dd.blueline.be | udp
US | 67.43.161.221:53 | gom500.dd.blueline.be | udp
KR | 202.30.143.11:53 | gom500.dd.blueline.be | udp
KR | 203.240.193.11:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.4.4:53 | google-public-dns-b.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 72.34.255.211:53 | dns1.xfernet.net | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 67.43.161.221:53 | dns2.xfernet.net | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
KR | 202.30.143.11:53 | ns.shinbiro.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
KR | 203.240.193.11:53 | ns2.shinbiro.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.4.4:53 | google-public-dns-b.google.com | udp
US | 67.43.173.7:53 | win100.Jkub.com | udp
US | 67.43.173.8:53 | win100.Jkub.com | udp
US | 67.43.161.211:53 | win100.Jkub.com | udp
US | 67.43.161.221:53 | dns2.xfernet.net | udp
KR | 202.30.143.11:53 | ns.shinbiro.com | udp
KR | 203.240.193.11:53 | ns2.shinbiro.com | udp
US | 8.8.4.4:53 | google-public-dns-b.google.com | udp

Files

memory/2944-0-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2944-1-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2944-4-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2944-10-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2944-19-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2944-14-0x0000000010000000-0x000000001006B000-memory.dmp

\??\c:\windows\SysWOW64\npkcore7.dll

MD5 19d211e90d8a49690da4bb89de225f99
SHA1 ac712096a55d22b51a4bf4efd83327adc5b72867
SHA256 7ef9e9b3b746306fc70627838ec5412b9c34937db7ba594ea1801a045d3a4dee
SHA512 18b906e812fe308bce3160a145ec9c6203ccd151f0b9c3138ff76ef66bbba8a0accdac2ad6d51ddf3dfcba713b17b3ea3e3394f3a5fa3874501a7fd6ff7d42e7

memory/2944-29-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259399086.bat

MD5 085b3a62a0845d48276569bb3fc6c1d4
SHA1 8d62fbb69df2fafee83597b8050e9044037b0597
SHA256 34c1edc1bf6374e62849a578b6e4a80c5f8da20dabeb43298a3dd81f7d162364
SHA512 4e754bf5f624be6bab0bdd1def97a8a056c4705b771524dd48d92668b7891edbbd7985cec6e52228e000dd16af2cb91c11e0e853f5728432d450b79a5ced44f7

memory/2596-31-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2596-34-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2944-30-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2596-35-0x0000000000220000-0x0000000000237000-memory.dmp

memory/2596-59-0x0000000010000000-0x000000001006B000-memory.dmp

memory/2596-48-0x0000000000F20000-0x0000000000F30000-memory.dmp

memory/2596-46-0x0000000000F20000-0x0000000000F30000-memory.dmp

memory/2596-61-0x0000000010000000-0x000000001006B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 03:58

Reported

2024-06-26 04:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AlYacEventDcomRemote\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcoref.dll" | C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 67.43.173.7 | N/A | N/A
Destination IP | 67.43.161.211 | N/A | N/A
Destination IP | 67.43.161.221 | N/A | N/A
Destination IP | 202.30.143.11 | N/A | N/A
Destination IP | 203.240.193.11 | N/A | N/A
Destination IP | 67.43.173.8 | N/A | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\npkcoref.dll | C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\npkcoref.dll | C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\10a5b6e04f322bf30a9807a14177eae5_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240600796.bat

Network

Country | Destination | Domain | Proto
US | 8.8.4.4:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 67.43.173.7:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 7.173.43.67.in-addr.arpa | udp
US | 67.43.173.8:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 8.173.43.67.in-addr.arpa | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 67.43.161.211:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 211.161.43.67.in-addr.arpa | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 67.43.161.221:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 221.161.43.67.in-addr.arpa | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
KR | 202.30.143.11:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 11.143.30.202.in-addr.arpa | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
KR | 203.240.193.11:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | 11.193.240.203.in-addr.arpa | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp
US | 8.8.8.8:53 | gom500.dd.blueline.be | udp

Files

memory/1440-0-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1440-1-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1440-4-0x0000000010000000-0x000000001006B000-memory.dmp

memory/1440-11-0x0000000010000000-0x000000001006B000-memory.dmp

memory/1440-14-0x0000000010000000-0x000000001006B000-memory.dmp

memory/1440-19-0x0000000010000000-0x000000001006B000-memory.dmp

C:\Windows\SysWOW64\npkcoref.dll

MD5 19d211e90d8a49690da4bb89de225f99
SHA1 ac712096a55d22b51a4bf4efd83327adc5b72867
SHA256 7ef9e9b3b746306fc70627838ec5412b9c34937db7ba594ea1801a045d3a4dee
SHA512 18b906e812fe308bce3160a145ec9c6203ccd151f0b9c3138ff76ef66bbba8a0accdac2ad6d51ddf3dfcba713b17b3ea3e3394f3a5fa3874501a7fd6ff7d42e7

memory/4916-26-0x0000000010000000-0x000000001006B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240600796.bat

MD5 5f72a8e4075868f61a3c6f1ff7a96e64
SHA1 b23d34fe2ee3b3f602827f61c50b1a93f5627972
SHA256 952acdb3b29668a090aca210d93bdea649558c03ece188aadce5de026a5230e7
SHA512 90aaffa7d4091d1dbd4930572688230e6e48aff70ec16aad169aa01e8db1431e7ee687320c4b4f193c4d65646d8353826fb3dc334c4736d173a358ac7d6ba7ae

memory/1440-25-0x0000000010000000-0x000000001006B000-memory.dmp

memory/1440-24-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4916-28-0x0000000010000000-0x000000001006B000-memory.dmp

memory/4916-31-0x0000000001920000-0x0000000001937000-memory.dmp

memory/4916-56-0x0000000010000000-0x000000001006B000-memory.dmp