Analysis Overview
SHA256
399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2
Threat Level: Shows suspicious behavior
The file 11685dce1e91f778788830d7eece48de_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
VMProtect packed file
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-26 08:46
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 08:46
Reported
2024-06-26 08:49
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2668 set thread context of 2512 | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\Aqnticivei.exe | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\Aqnticivei.exe | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\Aqnticivei.exe
"C:\Program Files\Internet Explorer\Aqnticivei.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\11685D~1.EXE > nul
C:\Program Files\Internet Explorer\Aqnticivei.exe
"C:\Program Files\Internet Explorer\Aqnticivei.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
Network
Files
memory/2180-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2180-3-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Program Files\Internet Explorer\Aqnticivei.exe
| MD5 | 11685dce1e91f778788830d7eece48de |
| SHA1 | 9843a1f12e6b9026b1da5a0f31198c081ec7c45e |
| SHA256 | 399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2 |
| SHA512 | 68393b06b933c4af2b22789820c4416ec62b22ee21f61b12487af9bae03f86757dc2d07200e530c03c5e8a487a10405b41443d5a42f2113527da25c5a2755ffc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 08:46
Reported
2024-06-26 08:49
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 540 set thread context of 1816 | N/A | C:\Program Files\Internet Explorer\Aqnticivei.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\Aqnticivei.exe | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\Aqnticivei.exe | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\Aqnticivei.exe
"C:\Program Files\Internet Explorer\Aqnticivei.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\11685D~1.EXE > nul
C:\Program Files\Internet Explorer\Aqnticivei.exe
"C:\Program Files\Internet Explorer\Aqnticivei.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1816 -ip 1816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 12
Network
Files
memory/2796-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2796-1-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Program Files\Internet Explorer\Aqnticivei.exe
| MD5 | 11685dce1e91f778788830d7eece48de |
| SHA1 | 9843a1f12e6b9026b1da5a0f31198c081ec7c45e |
| SHA256 | 399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2 |
| SHA512 | 68393b06b933c4af2b22789820c4416ec62b22ee21f61b12487af9bae03f86757dc2d07200e530c03c5e8a487a10405b41443d5a42f2113527da25c5a2755ffc |