Malware Analysis Report

2025-03-15 05:52

Sample ID 240628-jry5ea1fqj
Target 195afa00778885adca62389a57ad4aa5_JaffaCakes118
SHA256 d5502cdec6ab7a35589ff99f639ecfe4d357883a010325dc5a84003cca6af1db
Tags
upx persistence vmprotect
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 195afa00778885adca62389a57ad4aa5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

VMProtect packed file

UPX packed file

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-28 07:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 07:54

Reported

2024-06-28 07:57

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\gbvgbv06.exe N/A
N/A N/A C:\Windows\SysWOW64\gbvgbv06.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197" C:\Windows\SysWOW64\gbvgbv06.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\comres.dll.ocx C:\Windows\SysWOW64\gbvgbv06.exe N/A
File created C:\Windows\SysWOW64\comres.dll.ocx C:\Windows\SysWOW64\gbvgbv06.exe N/A
File created C:\Windows\SysWOW64\dbr06028.ttf C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gbvgbv06.exe C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gbvgbv06.exe C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\comres.dll C:\Windows\SysWOW64\gbvgbv06.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 1192 (1 event) N/A C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1560 wrote to memory of 2956 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe C:\Windows\SysWOW64\gbvgbv06.exe
PID 1560 wrote to memory of 3012 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe C:\Windows\SysWOW64\gbvgbv06.exe
PID 3012 wrote to memory of 2744 (4 events) N/A C:\Windows\SysWOW64\gbvgbv06.exe C:\Windows\explorer.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe"

C:\Windows\SysWOW64\gbvgbv06.exe

C:\Windows\system32\gbvgbv06.exe C:\Windows\system32\dbr06028.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe

C:\Windows\SysWOW64\gbvgbv06.exe

C:\Windows\system32\gbvgbv06.exe C:\Windows\system32\dbr99002.ocx pfjieaoidjglkajd

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

memory/1560-0-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1192-9-0x0000000002D50000-0x0000000002D51000-memory.dmp

\Windows\SysWOW64\gbvgbv06.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/1560-17-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2956-23-0x0000000010000000-0x000000001001B000-memory.dmp

\Windows\SysWOW64\dbr06028.ocx

MD5 1a4852e20594095946bc15088bcc92c5
SHA1 25256ac97765e7ad6b73419d91542ab5c8df4139
SHA256 008a0c27d8370c731f3412a691ddcbd5e56f4839d99309f5773a9318440ea0a2
SHA512 fcaefdec748bfe3b0170693e25475a49f76e8c0f80998f12352f4804b23150818764f06191fc96eb0cbe05d80c033b4e194f94e868e591c75f9adc6b3401ec7e

C:\Windows\SysWOW64\dbr99002.ocx

MD5 a05e1fdf1ea6baf0c201bad85452f6a5
SHA1 2c55a2a786fdcbcb9ab6c720472a1f3e91221ffe
SHA256 6d208f6576c7a5caaead5777e4e03ea25d7248d7f0e403edfb7fe3ec2569c13c
SHA512 a31505d445677c69d981261f6124684b5ae0ee26c0104bff1bf27705ac3423e38accb25deecd5dc334391e47583f7f816a2872977dc6746a5c89783b178b8a25

C:\Windows\SysWOW64\dbr06028.ttf

MD5 2b631f94c78ef76f896f270689dbccb8
SHA1 f4eae61b3186df807c72f21607ee1c4479e39b8f
SHA256 86c48b4eb5f6056b2b06c9594e275838695fc557a07fff0402383339bbaddc98
SHA512 1970ac437bb7b288250c9b1a9d8827a120cda69f9ca936eb80ab819e4372ac3a2e1ec630532adf34f1d651f5fb0abd944fb476a143fcadc5acee72c53c4e1bfb

memory/3012-29-0x00000000000C0000-0x00000000000DB000-memory.dmp

memory/3012-34-0x00000000000C0000-0x00000000000DB000-memory.dmp

memory/3012-33-0x0000000010000000-0x0000000010006000-memory.dmp

memory/2956-35-0x0000000010000000-0x000000001001B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 07:54

Reported

2024-06-28 07:57

Platform

win10v2004-20240611-en

Max time kernel

131s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\195afa00778885adca62389a57ad4aa5_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4308 -ip 4308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4272,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (4 connections)
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4308-0-0x0000000000400000-0x0000000000420000-memory.dmp