Malware Analysis Report

2025-03-15 05:54

Sample ID: 240628-mwkz5axhpl
Target: 19d72b9e82795b7800184cc46f6ca059_JaffaCakes118
SHA256: b81928d1c2798d60871b08daef41832e3748d29dfd1164d9082773d2c9f0f499
Tags: vmprotect, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: b81928d1c2798d60871b08daef41832e3748d29dfd1164d9082773d2c9f0f499

Threat Level: Shows suspicious behavior

The file 19d72b9e82795b7800184cc46f6ca059_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

vmprotect persistence

VMProtect packed file

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-28 10:48

Signatures

VMProtect packed file

Tag: vmprotect
Description / Indicator / Process / Target: N/A (1 entry)

Unsigned PE

Description / Indicator / Process / Target: N/A (1 entry)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 10:48
Reported: 2024-06-28 10:51
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe"

Signatures

VMProtect packed file

Tag: vmprotect
Description / Indicator / Process / Target: N/A (3 entries)

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360antiarp = "\\Users\\Admin\\AppData\\Local\\Temp\\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe"
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\windows\SysWOW64\run.cmd
Process: C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\windows\system32\run.cmd

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe" /f

Network

N/A

Files

memory/1056-0-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1056-1-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1056-3-0x0000000002170000-0x00000000021ED000-memory.dmp

C:\Windows\SysWOW64\run.cmd

MD5 bfc901345848e76472d3f15ca5520b71
SHA1 813b04bd0c23878a66e7ecfe6775972637c7ec31
SHA256 4ef38305421e609f2c20406eac2fb165a9f87fada4e34211d4fc9371f50a301c
SHA512 fa9519f84afc531f5323560c3d8ed81390477a6a931b9038406a3264a32c332d516979381137151ce60276e1aa5e836678ef23a07cc2a8aedd580c1d99e15c9d

memory/1056-12-0x0000000000400000-0x00000000005F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-28 10:48
Reported: 2024-06-28 10:51
Platform: win10v2004-20240226-en
Max time kernel: 140s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe"

Signatures

VMProtect packed file

Tag: vmprotect
Description / Indicator / Process / Target: N/A (5 entries)

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360antiarp = "\\Users\\Admin\\AppData\\Local\\Temp\\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe"
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\windows\SysWOW64\run.cmd
Process: C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\windows\system32\run.cmd

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "\Users\Admin\AppData\Local\Temp\19d72b9e82795b7800184cc46f6ca059_JaffaCakes118.exe" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                        Proto
GB       142.250.200.42:443  -                             tcp
US       8.8.8.8:53          203.107.17.2.in-addr.arpa     udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53          133.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       13.107.246.64:443   -                             tcp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          6.173.189.20.in-addr.arpa     udp

Files

memory/568-0-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/568-1-0x000000000054F000-0x0000000000550000-memory.dmp

memory/568-2-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/568-4-0x0000000000400000-0x00000000005F0000-memory.dmp

C:\windows\SysWOW64\run.cmd

MD5 bfc901345848e76472d3f15ca5520b71
SHA1 813b04bd0c23878a66e7ecfe6775972637c7ec31
SHA256 4ef38305421e609f2c20406eac2fb165a9f87fada4e34211d4fc9371f50a301c
SHA512 fa9519f84afc531f5323560c3d8ed81390477a6a931b9038406a3264a32c332d516979381137151ce60276e1aa5e836678ef23a07cc2a8aedd580c1d99e15c9d

memory/568-8-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/568-9-0x0000000000400000-0x00000000005F0000-memory.dmp