Analysis Overview
SHA256: e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f
Threat Level: Shows suspicious behavior
The file 1177b2c8fa306922217e149e421b4ada_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Deletes itself
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-26 09:10
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 09:10
Reported
2024-06-26 09:12
Platform
win7-20240611-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\kkaaya.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\kkaaya.exe | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kkaaya.exe | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\kkaaya.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1408 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1408 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1408 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1408 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe"
C:\Windows\SysWOW64\kkaaya.exe
C:\Windows\SysWOW64\kkaaya.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1177B2~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
Files
memory/1408-0-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1408-1-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Windows\SysWOW64\kkaaya.exe
| Hash | Value |
| --- | --- |
| MD5 | 1177b2c8fa306922217e149e421b4ada |
| SHA1 | b1f3d0ce1c79d18c3566ddd9ba837f55c4f4871f |
| SHA256 | e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f |
| SHA512 | 329e73b1132dd72a837d89bb3848e0e946270dbc803b0d1f70be2a76b4761b8cf4b6958b1967b91e69ef1b2fc359754a39ebf68359368e02a3d018ac22a7bef3 |
memory/2420-4-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1408-6-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2420-7-0x0000000000400000-0x000000000042C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 09:10
Reported
2024-06-26 09:12
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\asmgsq.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\asmgsq.exe | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\asmgsq.exe | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\asmgsq.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1140 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1140 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1140 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1177b2c8fa306922217e149e421b4ada_JaffaCakes118.exe"
C:\Windows\SysWOW64\asmgsq.exe
C:\Windows\SysWOW64\asmgsq.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1177B2~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | stst2010st.3322.org | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/1140-0-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1140-1-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1140-2-0x000000000041A000-0x000000000041B000-memory.dmp
C:\Windows\SysWOW64\asmgsq.exe
| Hash | Value |
| --- | --- |
| MD5 | 1177b2c8fa306922217e149e421b4ada |
| SHA1 | b1f3d0ce1c79d18c3566ddd9ba837f55c4f4871f |
| SHA256 | e7c0221f75428b89a4f575c70e13de01027622efc699c6ec03179c62e11c5e4f |
| SHA512 | 329e73b1132dd72a837d89bb3848e0e946270dbc803b0d1f70be2a76b4761b8cf4b6958b1967b91e69ef1b2fc359754a39ebf68359368e02a3d018ac22a7bef3 |
memory/2556-6-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2556-7-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1140-8-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2556-9-0x0000000000400000-0x000000000042C000-memory.dmp