Malware Analysis Report

2025-03-15 05:54

Sample ID 240628-j5mzasscpn
Target 196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118
SHA256 4743370ae2289d8f0f1997879a3eefd5041edd040abfc02aead40e6ef1723655
Tags
vmprotect
score
7/10

Analysis Overview

score
7/10

SHA256

4743370ae2289d8f0f1997879a3eefd5041edd040abfc02aead40e6ef1723655

Threat Level: Shows suspicious behavior

The file 196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 08:15

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 08:15

Reported

2024-06-28 08:17

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe"

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnfqingc.com | udp
US | 8.8.8.8:53 | www.dnfkule.com | udp
US | 8.8.8.8:53 | www.dnfnaifen.com | udp

Files

memory/2196-0-0x0000000000400000-0x00000000007EB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HAE7WEB6\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HAE7WEB6\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

memory/2196-46-0x0000000000400000-0x00000000007EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 08:15

Reported

2024-06-28 08:17

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dnfnaifen.com | udp
US | 8.8.8.8:53 | www.dnfkule.com | udp
US | 8.8.8.8:53 | www.dnfqingc.com | udp
NL | 52.142.223.178:80 | | tcp

Files

memory/4228-0-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/4228-1-0x0000000000400000-0x00000000007EB000-memory.dmp