Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-k42lqsxcjg
Target 1177b2c8fa306922217e149e421b4ada_JaffaCakes118
SHA256 e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f

Threat Level: Shows suspicious behavior

The file 1177b2c8fa306922217e149e421b4ada_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Deletes itself

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 09:10

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 09:10

Reported

2024-06-26 09:12

Platform

win7-20240611-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\kkaaya.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kkaaya.exe C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kkaaya.exe C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kkaaya.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe"

C:\Windows\SysWOW64\kkaaya.exe

C:\Windows\SysWOW64\kkaaya.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1177B2~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 stst2010st.3322.org udp

Files

memory/1408-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1408-1-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\kkaaya.exe

MD5 1177b2c8fa306922217e149e421b4ada
SHA1 b1f3d0ce1c79d18c3566ddd9ba837f55c4f4871f
SHA256 e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f
SHA512 329e73b1132dd72a837d89bb3848e0e946270dbc803b0d1f70be2a76b4761b8cf4b6958b1967b91e69ef1b2fc359754a39ebf68359368e02a3d018ac22a7bef3

memory/2420-4-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1408-6-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2420-7-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 09:10

Reported

2024-06-26 09:12

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\asmgsq.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\asmgsq.exe C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\asmgsq.exe C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\asmgsq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe"

C:\Windows\SysWOW64\asmgsq.exe

C:\Windows\SysWOW64\asmgsq.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1177B2~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 stst2010st.3322.org udp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 stst2010st.3322.org udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/1140-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1140-1-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1140-2-0x000000000041A000-0x000000000041B000-memory.dmp

C:\Windows\SysWOW64\asmgsq.exe

MD5 1177b2c8fa306922217e149e421b4ada
SHA1 b1f3d0ce1c79d18c3566ddd9ba837f55c4f4871f
SHA256 e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f
SHA512 329e73b1132dd72a837d89bb3848e0e946270dbc803b0d1f70be2a76b4761b8cf4b6958b1967b91e69ef1b2fc359754a39ebf68359368e02a3d018ac22a7bef3

memory/2556-6-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2556-7-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1140-8-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2556-9-0x0000000000400000-0x000000000042C000-memory.dmp