Malware Analysis Report

2025-03-15 05:52

Sample ID 240628-c43j2azbjp
Target 187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118
SHA256 da7a728eb05ab3dbb399e48b3a187fe56cead389e2d497f980563d5a796f845e
Tags
vmprotect
score
7/10

Analysis Overview

score
7/10

SHA256

da7a728eb05ab3dbb399e48b3a187fe56cead389e2d497f980563d5a796f845e

Threat Level: Shows suspicious behavior

The file 187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Checks computer location settings

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 02:38

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 02:38

Reported

2024-06-28 02:41

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ope43E0.exe
Target: N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ope43E0.exe

"C:\Users\Admin\AppData\Local\Temp\ope43E0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3184-0-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ope43E0.exe

MD5 722a247acb86960a708528120759266d
SHA1 a859b7173fb0b1786be07b01f779725edf9043e7
SHA256 8e9cbea79e50d3b861f347f25dffd307eb3eec658ed94898e4ad2888772f4e8f
SHA512 f9c54b4b1ab47d31543b8c9731dbcb868bc47c9727f794b088290bd533d01f515eaa81eefbd55a3acbd0e0f2696f78e5caa6fa1c5da993f30b61a1f0212d3738

memory/3184-12-0x0000000000400000-0x00000000004CD000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 02:38

Reported

2024-06-28 02:41

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ope21B5.exe
Target: N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\DllHost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\187cbbb551217eedb4de9bcd3fe4dfdf_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\ope21B5.exe

"C:\Users\Admin\AppData\Local\Temp\ope21B5.exe"

Network

N/A

Files

memory/2408-0-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/2408-2-0x0000000002C90000-0x0000000002C92000-memory.dmp

memory/2884-3-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2884-5-0x0000000000350000-0x0000000000351000-memory.dmp

\Users\Admin\AppData\Local\Temp\ope21B5.exe

MD5 722a247acb86960a708528120759266d
SHA1 a859b7173fb0b1786be07b01f779725edf9043e7
SHA256 8e9cbea79e50d3b861f347f25dffd307eb3eec658ed94898e4ad2888772f4e8f
SHA512 f9c54b4b1ab47d31543b8c9731dbcb868bc47c9727f794b088290bd533d01f515eaa81eefbd55a3acbd0e0f2696f78e5caa6fa1c5da993f30b61a1f0212d3738

memory/2408-13-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ope20F8.jpg

MD5 00566379ddee1cfd4fbe8b4961f5fef3
SHA1 e76b5f4a5e9396ec2c5c1263592821197673359d
SHA256 52801e9d690e30374b0e2ea19bcd8786756725b18427aea76c2ec9a4f6af0f7e
SHA512 ce68ca7d59a1b64dba3be543adfec456f3ef0bb46a0d23d93310c9425965f299b409cddd76311ae3390b44943c7dc973f574323246cff383cde43ce5a424ea24

memory/2884-16-0x0000000000350000-0x0000000000351000-memory.dmp