Malware Analysis Report

2025-03-15 05:52

Sample ID 240628-bv4v3awdrq
Target 184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118
SHA256 5c037109544d08cabdab59e2b7bc3edd8d5f80ff0326e63162d14f020421e7c7
Tags vmprotect
Score 8/10

Analysis Overview

Score 8/10

SHA256

5c037109544d08cabdab59e2b7bc3edd8d5f80ff0326e63162d14f020421e7c7

Threat Level: Likely malicious

The file 184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Drops file in Drivers directory

VMProtect packed file

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 01:28

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 01:28

Reported

2024-06-28 01:31

Platform

win7-20240508-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\beep.sys C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\beep.sys C:\Windows\SysWOW64\regedit32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit32.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\regedit32.exe C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit32.exe C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\regedit32.exe C:\Windows\SysWOW64\regedit32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\regedit32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\regedit32.exe
PID 3056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\regedit32.exe
PID 3056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\regedit32.exe
PID 3056 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\regedit32.exe
PID 3056 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2128 N/A C:\Windows\SysWOW64\regedit32.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2128 N/A C:\Windows\SysWOW64\regedit32.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2128 N/A C:\Windows\SysWOW64\regedit32.exe C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2128 N/A C:\Windows\SysWOW64\regedit32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe"

C:\Windows\SysWOW64\regedit32.exe

"C:\Windows\system32\regedit32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\184B08~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\REGEDI~1.EXE > nul

Network

N/A

Files

memory/3056-1-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3056-0-0x0000000000400000-0x000000000045A000-memory.dmp

\Windows\SysWOW64\regedit32.exe

MD5 184b08f29f6457fdd92e22f7c0d957f5
SHA1 c0d5d0ea54377810c8dfd15e3a3d120908fb2d31
SHA256 5c037109544d08cabdab59e2b7bc3edd8d5f80ff0326e63162d14f020421e7c7
SHA512 37721664b98dc952a22385797ba07a37796dcbbd319fa42fa1df1bb580df14d83e65ccc77b0bd26e39ebfbbb13f6e7b8a748f7c338393b2e243a35c52b8b2241

memory/3056-8-0x00000000002D0000-0x000000000032A000-memory.dmp

memory/3056-14-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1196-16-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Windows\SysWOW64\drivers\beep.sys

MD5 0e1d8c703b0b083560b95cd93b45c146
SHA1 a1cb6b878445a2417ddd35d927255432eb5074e2
SHA256 d0130627ab480faff1d9a67856f074c1232c7b19ff25dc951c18bb0afdde482b
SHA512 ad0e0dbb4dd7cd9783dda6d91fc2be3d1c8091abdf27f3abb2a0325e1e10de0a452f11090ceb016c303c60b77ad4cf9c52ba74ba72f875f9c3ba565934bdcfde

memory/1196-21-0x0000000000400000-0x000000000045A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 01:28

Reported

2024-06-28 01:31

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\beep.sys C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\beep.sys C:\Windows\SysWOW64\regedit32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit32.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\regedit32.exe C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit32.exe C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\regedit32.exe C:\Windows\SysWOW64\regedit32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\regedit32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\184b08f29f6457fdd92e22f7c0d957f5_JaffaCakes118.exe"

C:\Windows\SysWOW64\regedit32.exe

"C:\Windows\system32\regedit32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\184B08~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\REGEDI~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3904-0-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3904-1-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Windows\SysWOW64\regedit32.exe

MD5 184b08f29f6457fdd92e22f7c0d957f5
SHA1 c0d5d0ea54377810c8dfd15e3a3d120908fb2d31
SHA256 5c037109544d08cabdab59e2b7bc3edd8d5f80ff0326e63162d14f020421e7c7
SHA512 37721664b98dc952a22385797ba07a37796dcbbd319fa42fa1df1bb580df14d83e65ccc77b0bd26e39ebfbbb13f6e7b8a748f7c338393b2e243a35c52b8b2241

C:\Windows\SysWOW64\drivers\beep.sys

MD5 0e1d8c703b0b083560b95cd93b45c146
SHA1 a1cb6b878445a2417ddd35d927255432eb5074e2
SHA256 d0130627ab480faff1d9a67856f074c1232c7b19ff25dc951c18bb0afdde482b
SHA512 ad0e0dbb4dd7cd9783dda6d91fc2be3d1c8091abdf27f3abb2a0325e1e10de0a452f11090ceb016c303c60b77ad4cf9c52ba74ba72f875f9c3ba565934bdcfde

memory/2848-11-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3904-10-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2848-16-0x0000000000400000-0x000000000045A000-memory.dmp