Analysis Overview
SHA256
4f1792abca3f5b95e7a4e222d6a5bde0631045ee907fe7e5a42ede90f5d50d53
Threat Level: Shows suspicious behavior
The file 2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 14:22
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 14:22
Reported
2024-05-09 14:25
Platform
win7-20240221-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
| PID 2512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
| PID 2512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
| PID 2512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe" ad
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
Files
memory/2512-0-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-1-0x0000000000400000-0x00000000007A5000-memory.dmp
\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe
| MD5 | 2a602106fa70539b17f6f6108a6e12d6 |
| SHA1 | 0c7fe015dbf2322363032c863607e924837f788f |
| SHA256 | 4f1792abca3f5b95e7a4e222d6a5bde0631045ee907fe7e5a42ede90f5d50d53 |
| SHA512 | 5aa231d2dce9bb11df3754e2cec5172916e418d33fb65bfcc680e3bcbc2205f99cc6c77d24504ec100ac6fd983b6acb24cf6cd50e11339afa84b9303d216a169 |
memory/2716-9-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-10-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-11-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-12-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-13-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-14-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-15-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-17-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-18-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-19-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-21-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-22-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-25-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-26-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-27-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-28-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-29-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-30-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-33-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-34-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2512-35-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2716-36-0x0000000000400000-0x00000000007A5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 14:22
Reported
2024-05-09 14:25
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4956 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
| PID 4956 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
| PID 4956 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe" ad
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.234:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
| US | 8.8.8.8:53 | data.asdf1655s1df6as.com | udp |
Files
memory/4956-0-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-1-0x0000000000990000-0x0000000000991000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\restartok2a602106fa70539b17f6f6108a6e12d6_JaffaCakes118.exe
| MD5 | 2a602106fa70539b17f6f6108a6e12d6 |
| SHA1 | 0c7fe015dbf2322363032c863607e924837f788f |
| SHA256 | 4f1792abca3f5b95e7a4e222d6a5bde0631045ee907fe7e5a42ede90f5d50d53 |
| SHA512 | 5aa231d2dce9bb11df3754e2cec5172916e418d33fb65bfcc680e3bcbc2205f99cc6c77d24504ec100ac6fd983b6acb24cf6cd50e11339afa84b9303d216a169 |
memory/4300-35-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-36-0x0000000002660000-0x0000000002661000-memory.dmp
memory/4956-37-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-38-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-39-0x0000000000990000-0x0000000000991000-memory.dmp
memory/4956-40-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-41-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-42-0x0000000002660000-0x0000000002661000-memory.dmp
memory/4956-43-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-44-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-45-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-46-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-48-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-50-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-51-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-52-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-53-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-54-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-55-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-58-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-59-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-60-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-61-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-62-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-63-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4956-66-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/4300-67-0x0000000000400000-0x00000000007A5000-memory.dmp