Analysis Overview
SHA256
cae3362449069b70eb6f1e00b340f5f2625bf4f101ffdbdd6fc985f630749331
Threat Level: Shows suspicious behavior
The file 19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
VMProtect packed file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 09:36
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 09:36
Reported
2024-06-28 09:38
Platform
win7-20240508-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\SkinH_EL.dll | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob data omitted] | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.wghai.com | udp |
| US | 8.8.8.8:53 | user.qzone.qq.com | udp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| US | 199.59.243.226:80 | www.wghai.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | qzonestyle.gtimg.cn | udp |
| CN | 211.97.92.163:443 | qzonestyle.gtimg.cn | tcp |
| CN | 211.97.92.163:443 | qzonestyle.gtimg.cn | tcp |
| CN | 1.62.64.113:443 | qzonestyle.gtimg.cn | tcp |
| CN | 1.62.64.113:443 | qzonestyle.gtimg.cn | tcp |
| HK | 203.205.136.80:443 | qzonestyle.gtimg.cn | tcp |
| HK | 203.205.136.80:443 | qzonestyle.gtimg.cn | tcp |
| US | 8.8.8.8:53 | ocsp.digicert.cn | udp |
| US | 8.8.8.8:53 | ocsp.digicert.cn | udp |
| GB | 163.181.57.244:80 | ocsp.digicert.cn | tcp |
| GB | 163.181.57.244:80 | ocsp.digicert.cn | tcp |
| US | 8.8.8.8:53 | h5.qzone.qq.com | udp |
| HK | 43.129.115.16:443 | h5.qzone.qq.com | tcp |
Files
memory/3008-0-0x0000000000400000-0x0000000000D00000-memory.dmp
memory/3008-1-0x0000000000400000-0x0000000000D00000-memory.dmp
\Windows\SysWOW64\SkinH_EL.dll
| MD5 | bd42ef63fc0f79fdaaeca95d62a96bbb |
| SHA1 | 97ca8ccb0e6f7ffeb05dc441b2427feb0b634033 |
| SHA256 | 573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48 |
| SHA512 | 431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c |
memory/3008-43-0x0000000000400000-0x0000000000D00000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 09:36
Reported
2024-06-28 09:38
Platform
win10v2004-20240611-en
Max time kernel
133s
Max time network
132s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\SkinH_EL.dll | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4168,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | user.qzone.qq.com | udp |
| US | 8.8.8.8:53 | www.wghai.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 199.59.243.226:80 | www.wghai.com | tcp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.115.129.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1036-0-0x0000000000400000-0x0000000000D00000-memory.dmp
memory/1036-1-0x0000000000400000-0x0000000000D00000-memory.dmp
C:\Windows\SysWOW64\SkinH_EL.dll
| MD5 | bd42ef63fc0f79fdaaeca95d62a96bbb |
| SHA1 | 97ca8ccb0e6f7ffeb05dc441b2427feb0b634033 |
| SHA256 | 573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48 |
| SHA512 | 431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c |
memory/1036-22-0x0000000000400000-0x0000000000D00000-memory.dmp