Malware Analysis Report

2025-03-15 05:42

Sample ID 240509-1st1hsbg96
Target 2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118
SHA256 82445b8c2c43a704c302fcf54ee9246ad0717e267d0104a69235a2cdffb79ef9
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

82445b8c2c43a704c302fcf54ee9246ad0717e267d0104a69235a2cdffb79ef9

Threat Level: Shows suspicious behavior

The file 2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 21:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 21:55

Reported

2024-05-09 21:57

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Executes dropped EXE

Description   Indicator   Process                                         Target
N/A           N/A         C:\Users\Admin\AppData\Local\Temp\INS440E.tmp   N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\INS440E.tmp

C:\Users\Admin\AppData\Local\Temp\INS440E.tmp /SL3 $401EC C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe 15330995 15334215 61440

Network

Country   Destination   Domain                          Proto
US        8.8.8.8:53    26.165.165.52.in-addr.arpa      udp
US        8.8.8.8:53    240.221.184.93.in-addr.arpa     udp
US        8.8.8.8:53    206.23.85.13.in-addr.arpa       udp
US        8.8.8.8:53    77.190.18.2.in-addr.arpa        udp
US        8.8.8.8:53    43.229.111.52.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\INS440E.tmp

MD5 106eb101deec4ef64a816506d1cf1838
SHA1 4c503804c0fcc28a0917d61fdb00b699fd3a2c40
SHA256 94b496a5ec67ed8e7d884a663fdbf2444b755a409fb72f35314c26fdf513a7e7
SHA512 e1d8f178b81df5c0a2f40dc105da35c2e2a096b7f6a87944b8828a7d43b4d422a073e3d1058de29427ef94aab2c7be9dd3b74c2bff362bdc8aa861aafb6f5326

memory/2196-4-0x0000000002430000-0x0000000002431000-memory.dmp

memory/4476-8-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2196-9-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2196-12-0x0000000002430000-0x0000000002431000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 21:55

Reported

2024-05-09 21:57

Platform

win7-20231129-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Executes dropped EXE

Description   Indicator   Process                                        Target
N/A           N/A         C:\Users\Admin\AppData\Local\Temp\INS85A.tmp   N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\INS85A.tmp

C:\Users\Admin\AppData\Local\Temp\INS85A.tmp /SL3 $30136 C:\Users\Admin\AppData\Local\Temp\2be53688f0503c3b7cfb100c88a58e95_JaffaCakes118.exe 15330995 15334215 61440

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\INS85A.tmp

MD5 106eb101deec4ef64a816506d1cf1838
SHA1 4c503804c0fcc28a0917d61fdb00b699fd3a2c40
SHA256 94b496a5ec67ed8e7d884a663fdbf2444b755a409fb72f35314c26fdf513a7e7
SHA512 e1d8f178b81df5c0a2f40dc105da35c2e2a096b7f6a87944b8828a7d43b4d422a073e3d1058de29427ef94aab2c7be9dd3b74c2bff362bdc8aa861aafb6f5326

\Users\Admin\AppData\Local\Temp\is-E866C.tmp\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2028-14-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2972-15-0x0000000000400000-0x0000000000495000-memory.dmp