Analysis Overview
SHA256
c9e8de1ebf27c1479a36bf65b6c1ecfb57886ff5888cb229cb5b20f84adabf59
Threat Level: Shows suspicious behavior
The file 29277540c45a231a0c123f404c3f1940_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-09 08:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 08:41
Reported
2024-05-09 08:43
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1
Network
Files
\Users\Admin\AppData\Local\Temp\Hw5dJqsqna.sf
| MD5 | e2bb1dd461a2b5e8ace9c86c118e9147 |
| SHA1 | 7f029413187855e2c22bd6939af3f70d6fee7275 |
| SHA256 | bfa86b15c54837397c4c14afa9feffe6db2df9bc1db9a0ed9ed326a08f72cb4c |
| SHA512 | 7551628562dcf7805933b49fb904c4d5466e80bde0b7b33ed011b5b6c09ca92d7d980fe72b477ab21dfeed6003e666d4ce354ca55581ff201ccaa71087219c79 |
memory/1712-1-0x0000000074D60000-0x0000000074D6C000-memory.dmp
memory/1712-3-0x0000000074D69000-0x0000000074D6A000-memory.dmp
memory/1712-2-0x0000000074D60000-0x0000000074D6C000-memory.dmp
\Users\Admin\AppData\Local\Temp\mKAl9K71.sf
| MD5 | 97754195c5201114a68431c1a590ef16 |
| SHA1 | 7cf47c5062dfaa20b6b0341a046a5aad03146271 |
| SHA256 | 334c1f325430e6e551a6b714658c70a3d56137a3da54b72c8592185cecabf594 |
| SHA512 | f12349181f0ef9e6cecbb524c51cdaa4fd23638458e49fabd6d115acc5d1e12b19e45c049ceb1189048c7774c8da0a18823448494fcba5ab852046ef40b36d54 |
memory/1712-5-0x0000000074D60000-0x0000000074D6C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 08:41
Reported
2024-05-09 08:43
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4508 wrote to memory of 1768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4508 wrote to memory of 1768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4508 wrote to memory of 1768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\B1bZAw09LJ.sf
| MD5 | e2bb1dd461a2b5e8ace9c86c118e9147 |
| SHA1 | 7f029413187855e2c22bd6939af3f70d6fee7275 |
| SHA256 | bfa86b15c54837397c4c14afa9feffe6db2df9bc1db9a0ed9ed326a08f72cb4c |
| SHA512 | 7551628562dcf7805933b49fb904c4d5466e80bde0b7b33ed011b5b6c09ca92d7d980fe72b477ab21dfeed6003e666d4ce354ca55581ff201ccaa71087219c79 |
memory/1768-1-0x0000000074CD0000-0x0000000074CDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gtXI107N.sf
| MD5 | 97754195c5201114a68431c1a590ef16 |
| SHA1 | 7cf47c5062dfaa20b6b0341a046a5aad03146271 |
| SHA256 | 334c1f325430e6e551a6b714658c70a3d56137a3da54b72c8592185cecabf594 |
| SHA512 | f12349181f0ef9e6cecbb524c51cdaa4fd23638458e49fabd6d115acc5d1e12b19e45c049ceb1189048c7774c8da0a18823448494fcba5ab852046ef40b36d54 |
memory/1768-3-0x0000000074CD0000-0x0000000074CDC000-memory.dmp
memory/1768-4-0x0000000074CD0000-0x0000000074CDC000-memory.dmp