Malware Analysis Report

2025-03-15 05:52

Sample ID 240628-an98ts1akf
Target 181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118
SHA256 4bfe00cb88a0091c524cea83a70364d8c3dc02ad6f316a5ad6d3bd3aa59b437a
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4bfe00cb88a0091c524cea83a70364d8c3dc02ad6f316a5ad6d3bd3aa59b437a

Threat Level: Shows suspicious behavior

The file 181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:22

Reported

2024-06-28 00:25

Platform

win7-20240611-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\DllCache\mshtml.dllQQgmQ C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\DllCache\mshtml.dll C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mshtml.dllQQgmQ C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mshtml.dll.mod C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mshtml.dll.mod C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mshtml.dll C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system\QQgmQ.LOG C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system\QQgmQ.LOG C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 132

Network

N/A

Files

memory/2424-0-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQgmQ.LOG

MD5 b6f771f331ddc9f588ce965333ae7471
SHA1 481ac4d69de9c81cdd29b2a0c3b97f8e336fc29d
SHA256 476cb04dd977385caf3333ab59faf68cd3ff153a322639383d167ce7113f8677
SHA512 2534f2b475b79c7ef55f921763720c35c6b152a5876d2a0e5f07624797341656353d4486270627aac84a667190b692488c9f74d55e98bb99528f73b4999a40cb

memory/2424-12-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:22

Reported

2024-06-28 00:25

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 284

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

memory/4128-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4128-1-0x0000000000400000-0x000000000041A000-memory.dmp