Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-klh2nshd5s
Target 29277540c45a231a0c123f404c3f1940_JaffaCakes118
SHA256 c9e8de1ebf27c1479a36bf65b6c1ecfb57886ff5888cb229cb5b20f84adabf59
Tags
aspackv2
score
7/10


Analysis Overview

score
7/10

SHA256

c9e8de1ebf27c1479a36bf65b6c1ecfb57886ff5888cb229cb5b20f84adabf59

Threat Level: Shows suspicious behavior

The file 29277540c45a231a0c123f404c3f1940_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-09 08:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 08:41

Reported

2024-05-09 08:43

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Hw5dJqsqna.sf

MD5 e2bb1dd461a2b5e8ace9c86c118e9147
SHA1 7f029413187855e2c22bd6939af3f70d6fee7275
SHA256 bfa86b15c54837397c4c14afa9feffe6db2df9bc1db9a0ed9ed326a08f72cb4c
SHA512 7551628562dcf7805933b49fb904c4d5466e80bde0b7b33ed011b5b6c09ca92d7d980fe72b477ab21dfeed6003e666d4ce354ca55581ff201ccaa71087219c79

memory/1712-1-0x0000000074D60000-0x0000000074D6C000-memory.dmp

memory/1712-3-0x0000000074D69000-0x0000000074D6A000-memory.dmp

memory/1712-2-0x0000000074D60000-0x0000000074D6C000-memory.dmp

\Users\Admin\AppData\Local\Temp\mKAl9K71.sf

MD5 97754195c5201114a68431c1a590ef16
SHA1 7cf47c5062dfaa20b6b0341a046a5aad03146271
SHA256 334c1f325430e6e551a6b714658c70a3d56137a3da54b72c8592185cecabf594
SHA512 f12349181f0ef9e6cecbb524c51cdaa4fd23638458e49fabd6d115acc5d1e12b19e45c049ceb1189048c7774c8da0a18823448494fcba5ab852046ef40b36d54

memory/1712-5-0x0000000074D60000-0x0000000074D6C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 08:41

Reported

2024-05-09 08:43

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4508 wrote to memory of 1768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29277540c45a231a0c123f404c3f1940_JaffaCakes118.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\B1bZAw09LJ.sf

MD5 e2bb1dd461a2b5e8ace9c86c118e9147
SHA1 7f029413187855e2c22bd6939af3f70d6fee7275
SHA256 bfa86b15c54837397c4c14afa9feffe6db2df9bc1db9a0ed9ed326a08f72cb4c
SHA512 7551628562dcf7805933b49fb904c4d5466e80bde0b7b33ed011b5b6c09ca92d7d980fe72b477ab21dfeed6003e666d4ce354ca55581ff201ccaa71087219c79

memory/1768-1-0x0000000074CD0000-0x0000000074CDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gtXI107N.sf

MD5 97754195c5201114a68431c1a590ef16
SHA1 7cf47c5062dfaa20b6b0341a046a5aad03146271
SHA256 334c1f325430e6e551a6b714658c70a3d56137a3da54b72c8592185cecabf594
SHA512 f12349181f0ef9e6cecbb524c51cdaa4fd23638458e49fabd6d115acc5d1e12b19e45c049ceb1189048c7774c8da0a18823448494fcba5ab852046ef40b36d54

memory/1768-3-0x0000000074CD0000-0x0000000074CDC000-memory.dmp

memory/1768-4-0x0000000074CD0000-0x0000000074CDC000-memory.dmp