Analysis Overview
SHA256
82445b8c2c43a704c302fcf54ee9246ad0717e267d0104a69235a2cdffb79ef9
Threat Level: Shows suspicious behavior
The file 2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118 received the verdict "Shows suspicious behavior": no signature crossed the malicious threshold, but the sample is packed (ASPack v2.12-2.42), drops and executes a second-stage EXE, and writes into that child's memory. Read alongside the process listing below, the observed chain (a dropped INS*.tmp re-launched with /SL3 and the path of the original executable, plus an is-*.tmp\_shfoldr.dll helper on Windows 7) is the pattern an Inno Setup-style installer stub produces; that is an inference from the artefacts, not a classification the report makes, so the verdict should be read as "unclassified packed installer" rather than confirmed malware.
Malicious Activity Summary
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 21:55
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 21:55
Reported
2024-05-09 21:57
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
94s
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INS440E.tmp | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4476 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\INS440E.tmp |
| PID 4476 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\INS440E.tmp |
| PID 4476 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\INS440E.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\INS440E.tmp
C:\Users\Admin\AppData\Local\Temp\INS440E.tmp /SL3 $401EC C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe 15330995 15334215 61440
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\INS440E.tmp
| MD5 | 106eb101deec4ef64a816506d1cf1838 |
| SHA1 | 4c503804c0fcc28a0917d61fdb00b699fd3a2c40 |
| SHA256 | 94b496a5ec67ed8e7d884a663fdbf2444b755a409fb72f35314c26fdf513a7e7 |
| SHA512 | e1d8f178b81df5c0a2f40dc105da35c2e2a096b7f6a87944b8828a7d43b4d422a073e3d1058de29427ef94aab2c7be9dd3b74c2bff362bdc8aa861aafb6f5326 |
memory/2196-4-0x0000000002430000-0x0000000002431000-memory.dmp
memory/4476-8-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2196-9-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2196-12-0x0000000002430000-0x0000000002431000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 21:55
Reported
2024-05-09 21:57
Platform
win7-20231129-en
Max time kernel
140s
Max time network
119s
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INS85A.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INS85A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INS85A.tmp | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\INS85A.tmp
C:\Users\Admin\AppData\Local\Temp\INS85A.tmp /SL3 $30136 C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe 15330995 15334215 61440
Network
Files
\Users\Admin\AppData\Local\Temp\INS85A.tmp
| MD5 | 106eb101deec4ef64a816506d1cf1838 |
| SHA1 | 4c503804c0fcc28a0917d61fdb00b699fd3a2c40 |
| SHA256 | 94b496a5ec67ed8e7d884a663fdbf2444b755a409fb72f35314c26fdf513a7e7 |
| SHA512 | e1d8f178b81df5c0a2f40dc105da35c2e2a096b7f6a87944b8828a7d43b4d422a073e3d1058de29427ef94aab2c7be9dd3b74c2bff362bdc8aa861aafb6f5326 |
\Users\Admin\AppData\Local\Temp\is-E866C.tmp\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2028-14-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2972-15-0x0000000000400000-0x0000000000495000-memory.dmp
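The two detonations above record the same dropped executable under different random names (INS440E.tmp on Windows 10, INS85A.tmp on Windows 7) and list the parent-to-child WriteProcessMemory event three times. The script below, added here as an example and not part of the original report, turns those rows into something a responder can act on: it collapses the memory-write rows into counted writer/target edges, resolves PIDs to the image paths given in the signature table, and works out which hashes are stable across runs. The row strings, PID mapping and hash table are constructed from the report's own tables; the PID-to-path mapping comes from the Process and Target columns of the WriteProcessMemory rows.

```python
import re
from collections import Counter

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table.
WRITE_ROWS = [
    "PID 4476 wrote to memory of 2196",
    "PID 4476 wrote to memory of 2196",
    "PID 4476 wrote to memory of 2196",
]

# PID -> image path, taken from the Process/Target columns of the same rows.
PROCESSES = {
    4476: r"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe",
    2196: r"C:\Users\Admin\AppData\Local\Temp\INS440E.tmp",
}

# Dropped file per detonation: (file name, SHA256) from the Files sections.
DROPPED = {
    "behavioral2": ("INS440E.tmp",
                    "94b496a5ec67ed8e7d884a663fdbf2444b755a409fb72f35314c26fdf513a7e7"),
    "behavioral1": ("INS85A.tmp",
                    "94b496a5ec67ed8e7d884a663fdbf2444b755a409fb72f35314c26fdf513a7e7"),
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def write_edges(rows):
    """Collapse WriteProcessMemory rows into a Counter of (writer_pid, target_pid)."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def describe_edges(edges, processes):
    """Resolve PIDs to paths and flag writes into another process' memory."""
    out = []
    for (writer, target), count in sorted(edges.items()):
        out.append({
            "writer": processes.get(writer, f"<pid {writer}>"),
            "target": processes.get(target, f"<pid {target}>"),
            "count": count,
            # A process writing its own memory is uninteresting; cross-process
            # writes are what the signature is meant to surface.
            "writer_is_target": writer == target,
        })
    return out


def shared_hashes(dropped):
    """SHA256 values that appear in every detonation: stable IOCs, unlike tmp names."""
    per_run = [{sha} for _, sha in dropped.values()]
    return set.intersection(*per_run)


def name_varies(dropped):
    """True if the dropped file name differs between runs (so it is not an IOC)."""
    return len({name for name, _ in dropped.values()}) > 1


if __name__ == "__main__":
    for edge in describe_edges(write_edges(WRITE_ROWS), PROCESSES):
        print(f"{edge['count']}x {edge['writer']} -> {edge['target']}")
    print("stable hashes:", shared_hashes(DROPPED))
    print("file name varies per run:", name_varies(DROPPED))
```

The result is one edge, the original executable writing into its freshly spawned INS440E.tmp child, which is what the `/SL3` hand-off in the process listing would be expected to produce; the repeated rows are separate write calls, not duplicates. For hunting, the SHA256 of the dropped stub is the indicator worth keeping, while the INS*.tmp name and the is-*.tmp directory change on every run.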