Malware Analysis Report

2025-03-15 05:53

Sample ID 240628-p27r7atark
Target 1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118
SHA256 ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838
Tags: vmprotect
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838

Threat level: shows suspicious behavior (score 7/10).

The file 1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118 was classified as showing suspicious behavior. In both detonations it launched two further executables from the user's Temp directory (21.exe and an.exe) through cmd.exe; the remaining signatures (VMProtect packing, unsigned PE, an Internet Explorer settings change, SetWindowsHookEx and WriteProcessMemory use) are listed below and detailed per analysis.

Malicious Activity Summary

vmprotect

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15): this export carries no technique entries under this heading.

Analysis: static1

Detonation Overview

Reported

2024-06-28 12:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 12:50

Reported

2024-06-28 12:53

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\an.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 4

VMProtect packed file

vmprotect
Description Indicator Process Target Count
N/A N/A N/A N/A 4
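The "VMProtect packed file" signature above (it fires in both detonations) is a static heuristic. As an added example, not the sandbox's own detection code, the Python below shows the two checks such a signature usually combines: the section names VMProtect writes by default (.vmp0, .vmp1, ...) and a byte-entropy test for sections holding compressed or encrypted data. The PE image it parses is constructed inside the script to imitate that layout; it is not the sample, and the 7.0-bit entropy threshold is an assumed value. Whoever packed the file can rename sections, so a name match is strong evidence while its absence proves little; the entropy check catches the renamed case but also fires on legitimately compressed resources.

```python
"""Heuristics behind a "VMProtect packed file" verdict, as an added example (not
the sandbox's own detection logic): parse the PE section table and look for the
section names VMProtect emits by default (.vmp0, .vmp1, ...), and flag sections
whose byte entropy is near 8 bits/byte. The PE image below is constructed test
data that imitates such a layout; it is not the sample from the report."""
import math
import struct

VMP_SECTION_PREFIX = b".vmp"
HIGH_ENTROPY = 7.0  # assumed threshold; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) from the section headers of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(num_sections):
        off = first + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, raw_ptr, raw_size


def vmprotect_indicators(image: bytes) -> dict:
    """Report packer-name and high-entropy sections; `likely_vmprotect` keys on the names."""
    vmp_names, high_entropy = [], []
    for name, ptr, size in pe_sections(image):
        label = name.decode("ascii", "replace")
        if name.startswith(VMP_SECTION_PREFIX):
            vmp_names.append(label)
        if size and shannon_entropy(image[ptr:ptr + size]) >= HIGH_ENTROPY:
            high_entropy.append(label)
    return {"vmp_sections": vmp_names,
            "high_entropy_sections": high_entropy,
            "likely_vmprotect": bool(vmp_names)}


def build_fake_pe(sections) -> bytes:
    """Constructed test data: a minimal PE (no optional header) with the given
    (name, raw bytes) sections laid out on 0x200-byte boundaries."""
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + 40 * len(sections)
    data_start = (hdr_end + 0x1FF) & ~0x1FF
    out = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", out, 0x3C, e_lfanew)
    out += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (0 here), Characteristics
    out += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, blobs = data_start, []
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 unused bytes
        out += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), ptr, len(data), ptr)
        out += b"\0" * 16
        blobs.append((ptr, data))
        ptr += (len(data) + 0x1FF) & ~0x1FF
    for p, data in blobs:
        out += b"\0" * (p - len(out)) + data
    return bytes(out)


# Constructed image that mimics a VMProtect layout: plain code stub plus .vmp0/.vmp1.
SAMPLE_IMAGE = build_fake_pe([
    (b".text", b"\x90" * 0x200),              # one byte value only: entropy 0.0
    (b".vmp0", bytes(range(256)) * 8),        # every byte value equally often: entropy 8.0
    (b".vmp1", b"\xCC" * 0x100),
])

if __name__ == "__main__":
    print(vmprotect_indicators(SAMPLE_IMAGE))
```

On a real file, pass open(path, "rb").read() to vmprotect_indicators(). The parser only reads the section table, so it is safe to run on untrusted input (nothing is executed), but a positive result says only that the file is packed, not what the unpacked code does.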

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\an.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\an.exe N/A 4

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2992 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2992 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 4
PID 3024 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\an.exe 4
PID 2076 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21.exe 4
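Every WriteProcessMemory row above pairs a process with a child it has just started, and the rows repeat: starting a process involves the parent writing the new process's startup data into it, so a handful of writes from parent to fresh child is expected and is not by itself evidence of injection. What the table does establish is the launch chain. The Python below, an added example rather than tooling from the report, collapses the repeated rows, rebuilds that chain, and sets aside any target written to by more than one PID, which is the pattern that would deserve a closer look. The input rows are copied from this table (behavioral2's table parses the same way, with three writes per pair); the helper names and the sort order are assumptions.

```python
"""Rebuild the launch chain from a sandbox "WriteProcessMemory" table, as an
added example (not tooling from the report). Rows follow the report's layout:
"PID <src> wrote to memory of <dst> <indicator> <process> <target>". The rows
below are copied from this report's behavioral1 table; everything else is an
assumed helper."""
import re
from collections import Counter, defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

REPORT_ROWS = (
    [f"PID 2992 wrote to memory of 2076 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 2992 wrote to memory of 3024 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 3024 wrote to memory of 2552 N/A {CMD} {TMP}\\an.exe"] * 4
    + [f"PID 2076 wrote to memory of 2520 N/A {CMD} {TMP}\\21.exe"] * 4
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_rows(rows):
    """Collapse identical rows: (writer_pid, target_pid, writer, target) -> count."""
    edges = Counter()
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, _indicator, writer, target = m.groups()
        edges[(int(src), int(dst), writer, target)] += 1
    return edges


def build_tree(edges):
    """A target written to by a single PID is treated as that PID's child (the
    writes a parent makes while starting a process). Targets written to by
    more than one PID are returned separately: something other than the
    creator touched them, which is what actually needs examining."""
    names, writers, children = {}, defaultdict(set), defaultdict(list)
    for (src, dst, writer, target), n in edges.items():
        names.setdefault(src, writer)
        names.setdefault(dst, target)
        writers[dst].add(src)
        children[src].append((dst, n))
    roots = sorted(pid for pid in names if pid not in writers)
    multi_writer = {pid: sorted(w) for pid, w in writers.items() if len(w) > 1}
    return roots, children, names, multi_writer


def render(roots, children, names):
    """Indented text tree with write counts, one process per line."""
    lines = []

    def walk(pid, depth, n=None):
        suffix = f", {n} writes from parent" if n is not None else ""
        lines.append("  " * depth + f"{names[pid]} (PID {pid}{suffix})")
        for child, count in sorted(children.get(pid, [])):
            walk(child, depth + 1, count)

    for root in roots:
        walk(root, 0)
    return lines


def temp_executables(names):
    """Images running out of the user's Temp directory: the sample plus what it dropped."""
    prefix = TMP.lower() + "\\"
    return sorted({p for p in names.values() if p.lower().startswith(prefix)})


if __name__ == "__main__":
    roots, children, names, multi = build_tree(parse_rows(REPORT_ROWS))
    print("\n".join(render(roots, children, names)))
    print("from Temp:", temp_executables(names))
    print("multi-writer targets:", multi)
```

For this report the multi-writer set is empty: nothing wrote into a process other than its own child, so the signature here records process creation, and the finding that matters is three executables running out of Temp, two of them started via cmd /c.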

Processes

Tree reconstructed from the WriteProcessMemory table above (PIDs as recorded there); each entry is the image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe (PID 2992)
  "C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 2076)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\21.exe"

    C:\Users\Admin\AppData\Local\Temp\21.exe (PID 2520)
      C:\Users\Admin\AppData\Local\Temp\\21.exe

  C:\Windows\SysWOW64\cmd.exe (PID 3024)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\an.exe"

    C:\Users\Admin\AppData\Local\Temp\an.exe (PID 2552)
      C:\Users\Admin\AppData\Local\Temp\\an.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 abc.dnfdashen.com udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 pss.bdstatic.com udp
US 8.8.8.8:53 hectorstatic.baidu.com udp

Files

Dropped files

\Users\Admin\AppData\Local\Temp\an.exe
MD5 26618be6175e6ed1cc028978ba151495
SHA1 cb8b553bcffcb51bdce08ca3dca3200a8c8bcaec
SHA256 65c2c9086008da3d00e9574cdb9f7415e3f4f105d931531e65a89df63db0099f
SHA512 7d4bc1890f92065c84b60ab6bb48729d9730eef7a39ee937150582617bc3ed630e0fee9e350d6f3ef7b9032d11821b455c64d775b518b9eebd41446e1f097546

C:\Users\Admin\AppData\Local\Temp\21.exe
MD5 3411daacd28adcc3e8777df9f0e55b68
SHA1 f3caa6baf64a8c83d0c46a4d6df1e603911f9852
SHA256 41b5098d4d30c6888f70ccfb03c92595ffb846a87a00b7a202e8e7c0fe029e23
SHA512 e1888ad1e9e53bd148b47d498a62172a13752e61beebfcc74f0e7eb2f29037a72487937ce84d29b02bd7692f2afd606ca803fbd36873ae3a73e05e2e2430f730

Memory dumps

memory/2992-2-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2520-10-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3024-12-0x0000000002390000-0x0000000002575000-memory.dmp
memory/3024-13-0x0000000002390000-0x0000000002575000-memory.dmp
memory/2552-14-0x0000000000400000-0x00000000005E5000-memory.dmp
memory/2552-15-0x0000000000400000-0x00000000005E5000-memory.dmp
memory/2552-32-0x0000000000400000-0x00000000005E5000-memory.dmp

The region dumped from cmd.exe (PID 3024, 0x2390000-0x2575000) is 0x1E5000 bytes, the same size as the an.exe image mapped at 0x400000 in PID 2552 (0x400000-0x5E5000); worth comparing when the dumps are examined.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 12:50

Reported

2024-06-28 12:53

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\an.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target Count
N/A N/A N/A N/A 4

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\an.exe N/A 4

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2500 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2500 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3236 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21.exe 3
PID 3640 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\an.exe 3

Processes

Tree reconstructed from the WriteProcessMemory table above (PIDs as recorded there); each entry is the image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe (PID 2500)
  "C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 3236)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\21.exe"

    C:\Users\Admin\AppData\Local\Temp\21.exe (PID 1444)
      C:\Users\Admin\AppData\Local\Temp\\21.exe

  C:\Windows\SysWOW64\cmd.exe (PID 3640)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\an.exe"

    C:\Users\Admin\AppData\Local\Temp\an.exe (PID 3136)
      C:\Users\Admin\AppData\Local\Temp\\an.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 abc.dnfdashen.com udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.188:80 www.baidu.com tcp
HK 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 188.47.235.103.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
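Both Network tables (behavioral1 above and this one) mix three kinds of rows: DNS queries to the resolver at 8.8.8.8, actual TCP connections, and, on the Windows 10 image, reverse (in-addr.arpa) lookups and Microsoft background traffic that the OS produces on its own. The Python below is an added example, not part of the report: it separates names that were only queried from ones actually connected to, strips reverse lookups and an assumed short list of OS background domains, and converts the PTR names back to the IPs that were looked up. The rows are copied from the report (behavioral1 in full, behavioral2 abridged to a representative subset). Across both runs abc.dnfdashen.com appears only as a DNS query with no recorded connection to a resolved address, while www.baidu.com was resolved and connected to over plain HTTP on port 80 in both.

```python
"""Triage the report's Network tables, as an added example (not from the
sandbox). It separates domains that were only queried from ones that were
actually connected to, drops the reverse (in-addr.arpa) lookups and a small
assumed list of OS background domains, and turns PTR names back into the IPs
the OS was looking up. The rows are copied from this report (behavioral1 in
full; behavioral2 abridged to a representative subset)."""
import re
from collections import defaultdict

BEHAVIORAL1 = """
US 8.8.8.8:53 abc.dnfdashen.com udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 pss.bdstatic.com udp
US 8.8.8.8:53 hectorstatic.baidu.com udp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 abc.dnfdashen.com udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.188:80 www.baidu.com tcp
HK 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 188.47.235.103.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
"""

# Assumed noise list: domains Windows itself talks to on a sandbox with network access.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
ROW = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")


def parse_table(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        cc, ip, port, domain, proto = m.groups()
        rows.append({"cc": cc, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def ptr_to_ip(name):
    """'10.27.171.150.in-addr.arpa' -> '150.171.27.10' (the address being reverse-resolved)."""
    labels = name.lower().removesuffix(".in-addr.arpa").split(".")
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    return ".".join(reversed(labels))


def triage(rows):
    """Bucket rows into DNS-only names, connected endpoints, background noise and PTR targets."""
    queried, connected, background, reversed_ips = set(), defaultdict(set), set(), set()
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            reversed_ips.add(ptr_to_ip(d))
        elif d.endswith(BACKGROUND_SUFFIXES):
            background.add(d)
        elif r["proto"] == "udp" and r["port"] == 53:
            queried.add(d)                       # the resolver address is not an IOC; the name is
        else:
            connected[d].add(f"{r['ip']}:{r['port']}")
    return {
        "dns_only": sorted(queried - set(connected)),   # asked for, never reached
        "connected": {d: sorted(v) for d, v in sorted(connected.items())},
        "background": sorted(background),
        "reverse_lookups": sorted(reversed_ips),
    }


if __name__ == "__main__":
    for label, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, triage(parse_table(table)))
```

One of the reverse lookups, 188.47.235.103.in-addr.arpa, is the PTR name for 103.235.47.188, the Baidu address contacted in the same run; none of the other PTR names in this table belongs to an address the sample is recorded connecting to.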

Files

Dropped files (same hashes as in the behavioral1 run)

C:\Users\Admin\AppData\Local\Temp\21.exe
MD5 3411daacd28adcc3e8777df9f0e55b68
SHA1 f3caa6baf64a8c83d0c46a4d6df1e603911f9852
SHA256 41b5098d4d30c6888f70ccfb03c92595ffb846a87a00b7a202e8e7c0fe029e23
SHA512 e1888ad1e9e53bd148b47d498a62172a13752e61beebfcc74f0e7eb2f29037a72487937ce84d29b02bd7692f2afd606ca803fbd36873ae3a73e05e2e2430f730

C:\Users\Admin\AppData\Local\Temp\an.exe
MD5 26618be6175e6ed1cc028978ba151495
SHA1 cb8b553bcffcb51bdce08ca3dca3200a8c8bcaec
SHA256 65c2c9086008da3d00e9574cdb9f7415e3f4f105d931531e65a89df63db0099f
SHA512 7d4bc1890f92065c84b60ab6bb48729d9730eef7a39ee937150582617bc3ed630e0fee9e350d6f3ef7b9032d11821b455c64d775b518b9eebd41446e1f097546

Memory dumps

memory/2500-2-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/1444-9-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3136-10-0x0000000000400000-0x00000000005E5000-memory.dmp
memory/3136-11-0x0000000000400000-0x00000000005E5000-memory.dmp
memory/3136-21-0x0000000000400000-0x00000000005E5000-memory.dmp