Malware Analysis Report

2025-03-15 05:52

Sample ID 240628-flypxasdnd
Target 18db4def8cf842a587434c88a510ff5c_JaffaCakes118
SHA256 951ef36043f2a9addaf729c12f13a4a54b3f05f7920bd6355baee812a180834e
Tags
vmprotect persistence
score
8/10

Analysis Overview

score
8/10

SHA256

951ef36043f2a9addaf729c12f13a4a54b3f05f7920bd6355baee812a180834e

Threat Level: Likely malicious

The file 18db4def8cf842a587434c88a510ff5c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect persistence

Server Software Component: Terminal Services DLL

VMProtect packed file

Deletes itself

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported

2024-06-28 04:58

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 04:58

Reported

2024-06-28 05:00

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wind0ws\Parameters\ServiceDll = "C:\\Documents and Settings\\Local Server\\Windows.dll"
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\FuckYou.txt
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\SysWOW64\taskkill.exe
Target: N/A

Description: Token: SeBackupPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Description: Token: SeRestorePrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im ZhuDongFangYu.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
N/A 127.0.0.1:2010 (no domain) tcp (36 identical connection records)

Files

memory/2136-1-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2136-0-0x0000000000400000-0x000000000044E000-memory.dmp

\Users\Local Server\Windows.dll

MD5 80a4c5145515fa4598a79b0eee864054
SHA1 1320f79b650f9f4942292971cff5abef3ccebdb6
SHA256 3307b3c7effb5d3154e40a6ea6525ffa06ca5f729cbf637ad421989b36f35c7c
SHA512 30281ea275de444c18a35e770b9c2b0c245ece2060880a855b08d21a2dd5e558eabfef6a26c5889160ebb2b6af5b9f9fada583b93131fec4d2b29979f4abf941

memory/2656-6-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2136-4-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 04:58

Reported

2024-06-28 05:00

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wind0ws\Parameters\ServiceDll = "C:\\Documents and Settings\\Local Server\\Windows.dll"
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\FuckYou.txt
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeBackupPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Description: Token: SeRestorePrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\SysWOW64\taskkill.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im ZhuDongFangYu.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:2010 (no domain) tcp (29 identical connection records)

Files

memory/3156-0-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3156-1-0x0000000000400000-0x000000000044E000-memory.dmp

\??\c:\documents and settings\local server\windows.dll

MD5 80a4c5145515fa4598a79b0eee864054
SHA1 1320f79b650f9f4942292971cff5abef3ccebdb6
SHA256 3307b3c7effb5d3154e40a6ea6525ffa06ca5f729cbf637ad421989b36f35c7c
SHA512 30281ea275de444c18a35e770b9c2b0c245ece2060880a855b08d21a2dd5e558eabfef6a26c5889160ebb2b6af5b9f9fada583b93131fec4d2b29979f4abf941

memory/4268-6-0x0000000010000000-0x000000001001E000-memory.dmp

memory/3156-5-0x0000000000400000-0x000000000044E000-memory.dmp