Analysis Overview
SHA256
4743370ae2289d8f0f1997879a3eefd5041edd040abfc02aead40e6ef1723655
Threat Level: Shows suspicious behavior
The file 196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-28 08:15
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-28 08:15
Reported: 2024-06-28 08:17
Platform: win7-20231129-en
Max time kernel: 117s
Max time network: 119s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.dnfqingc.com | udp |
| US | 8.8.8.8:53 | www.dnfkule.com | udp |
| US | 8.8.8.8:53 | www.dnfnaifen.com | udp |
Files
memory/2196-0-0x0000000000400000-0x00000000007EB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HAE7WEB6\errorPageStrings[1]
| Hash | Value |
|---|---|
| MD5 | e3e4a98353f119b80b323302f26b78fa |
| SHA1 | 20ee35a370cdd3a8a7d04b506410300fd0a6a864 |
| SHA256 | 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66 |
| SHA512 | d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HAE7WEB6\httpErrorPagesScripts[1]
| Hash | Value |
|---|---|
| MD5 | 3f57b781cb3ef114dd0b665151571b7b |
| SHA1 | ce6a63f996df3a1cccb81720e21204b825e0238c |
| SHA256 | 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad |
| SHA512 | 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa |
memory/2196-46-0x0000000000400000-0x00000000007EB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-28 08:15
Reported: 2024-06-28 08:17
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\196b2fa364c093343f2f5369fe8e29cf_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.dnfnaifen.com | udp |
| US | 8.8.8.8:53 | www.dnfkule.com | udp |
| US | 8.8.8.8:53 | www.dnfqingc.com | udp |
| NL | 52.142.223.178:80 | | tcp |
Files
memory/4228-0-0x0000000000400000-0x00000000007EB000-memory.dmp
memory/4228-1-0x0000000000400000-0x00000000007EB000-memory.dmp