Malware Analysis Report

2025-03-15 05:54

Sample ID 240628-lkxn4svglk
Target 19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118
SHA256 cae3362449069b70eb6f1e00b340f5f2625bf4f101ffdbdd6fc985f630749331
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cae3362449069b70eb6f1e00b340f5f2625bf4f101ffdbdd6fc985f630749331

Threat Level: Shows suspicious behavior

The file 19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

Loads dropped DLL

VMProtect packed file

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 09:36

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 09:36

Reported

2024-06-28 09:38

Platform

win7-20240508-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SkinH_EL.dll C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wghai.com udp
US 8.8.8.8:53 user.qzone.qq.com udp
HK 43.129.115.16:80 user.qzone.qq.com tcp
US 199.59.243.226:80 www.wghai.com tcp
HK 43.129.115.16:443 user.qzone.qq.com tcp
US 8.8.8.8:53 qzonestyle.gtimg.cn udp
CN 211.97.92.163:443 qzonestyle.gtimg.cn tcp
CN 211.97.92.163:443 qzonestyle.gtimg.cn tcp
CN 1.62.64.113:443 qzonestyle.gtimg.cn tcp
CN 1.62.64.113:443 qzonestyle.gtimg.cn tcp
HK 203.205.136.80:443 qzonestyle.gtimg.cn tcp
HK 203.205.136.80:443 qzonestyle.gtimg.cn tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
GB 163.181.57.244:80 ocsp.digicert.cn tcp
GB 163.181.57.244:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 h5.qzone.qq.com udp
HK 43.129.115.16:443 h5.qzone.qq.com tcp

Files

memory/3008-0-0x0000000000400000-0x0000000000D00000-memory.dmp

memory/3008-1-0x0000000000400000-0x0000000000D00000-memory.dmp

\Windows\SysWOW64\SkinH_EL.dll

MD5 bd42ef63fc0f79fdaaeca95d62a96bbb
SHA1 97ca8ccb0e6f7ffeb05dc441b2427feb0b634033
SHA256 573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48
SHA512 431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c

memory/3008-43-0x0000000000400000-0x0000000000D00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 09:36

Reported

2024-06-28 09:38

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SkinH_EL.dll C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\19a5ff0807e730ef9a9f8b22722da90d_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4168,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 user.qzone.qq.com udp
US 8.8.8.8:53 www.wghai.com udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
HK 43.129.115.16:80 user.qzone.qq.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 199.59.243.226:80 www.wghai.com tcp
BE 88.221.83.218:443 www.bing.com tcp
HK 43.129.115.16:443 user.qzone.qq.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 226.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 16.115.129.43.in-addr.arpa udp
US 8.8.8.8:53 218.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1036-0-0x0000000000400000-0x0000000000D00000-memory.dmp

memory/1036-1-0x0000000000400000-0x0000000000D00000-memory.dmp

C:\Windows\SysWOW64\SkinH_EL.dll

MD5 bd42ef63fc0f79fdaaeca95d62a96bbb
SHA1 97ca8ccb0e6f7ffeb05dc441b2427feb0b634033
SHA256 573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48
SHA512 431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c

memory/1036-22-0x0000000000400000-0x0000000000D00000-memory.dmp