Analysis Overview
SHA256
4bfe00cb88a0091c524cea83a70364d8c3dc02ad6f316a5ad6d3bd3aa59b437a
Threat Level: Shows suspicious behavior
The file 181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Drops file in System32 directory
Drops file in Windows directory
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:22
Reported
2024-06-28 00:25
Platform
win7-20240611-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\DllCache\mshtml.dllQQgmQ | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DllCache\mshtml.dll | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mshtml.dllQQgmQ | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mshtml.dll.mod | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mshtml.dll.mod | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mshtml.dll | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system\QQgmQ.LOG | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\QQgmQ.LOG | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2424 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2424 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2424 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2424 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 132
Network
Files
memory/2424-0-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QQgmQ.LOG
| Hash | Value |
|---|---|
| MD5 | b6f771f331ddc9f588ce965333ae7471 |
| SHA1 | 481ac4d69de9c81cdd29b2a0c3b97f8e336fc29d |
| SHA256 | 476cb04dd977385caf3333ab59faf68cd3ff153a322639383d167ce7113f8677 |
| SHA512 | 2534f2b475b79c7ef55f921763720c35c6b152a5876d2a0e5f07624797341656353d4486270627aac84a667190b692488c9f74d55e98bb99528f73b4999a40cb |
memory/2424-12-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:22
Reported
2024-06-28 00:25
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\181974da9b663ddeb457f5e3bfd1ae03_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4128 -ip 4128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 284
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 52.142.223.178:80 | N/A | tcp |
Files
memory/4128-0-0x0000000000400000-0x000000000041A000-memory.dmp
memory/4128-1-0x0000000000400000-0x000000000041A000-memory.dmp