Malware Analysis Report

2025-03-15 05:41

Sample ID: 240510-176mvsch3z
Target: 314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118
SHA256: 146c0faa618da5c25034c1d7ad12bbbd798328c1d672df3824f2ead85a9fc5c5
Tags: aspackv2
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 146c0faa618da5c25034c1d7ad12bbbd798328c1d672df3824f2ead85a9fc5c5

Threat Level: Shows suspicious behavior

The file 314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-10 22:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 22:18
Reported: 2024-05-10 22:21
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42 (aspackv2)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\uninstall\Zimo Sound Programmer (ZSP)\setup.exe | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A
File opened for modification | C:\Windows\uninstall\Zimo Sound Programmer (ZSP)\setup.exe | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe"

Network

N/A

Files

memory/2380-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe

MD5 f17f1393e7f58f602a6f8f4864015235
SHA1 bd120de991db7cc85c4472fac395bd426d31c981
SHA256 81e0d5df143ec1e32e6791083fb768b6fa04b3049f5f65ba3414493a3358ebd6
SHA512 64bf5145990277dd1e777fe2e32b8c3e7b55857c03ca1fd7e42025881463d2b7845748c59f2c8509c77b7c7778b141c596f945f1996203f835af092311b8518f

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.cfg

MD5 deee6704a73aa0f45370cc33306969c1
SHA1 204c2344263a78ff163d9d5ef67181941eefd8c5
SHA256 9c991735367eaddc3c3a906a77b77e0b1a67171dc7a6c6ab4493951f2e93ce0b
SHA512 0cc6d7ea1c320874caa90c515cb80e52d9dbee57d1928b36fc3e95f897b5258c1a7784d84adfd841d303c652cb027c99997a0832d3b8d9c4586a03abee0818d3

C:\Users\Admin\AppData\Local\Temp\setup~1\setup.zmr

MD5 a1b0a01c5f99c16fec13a454ea82ced6
SHA1 ad73fb36bc7f696e8b614eddc8989415d2af0810
SHA256 121a882f5fc6bfab4487048d2c9a7eef28f222d0213d091c802dafff66fd25bc
SHA512 62ddbeb833f756f327fcbe71c34b632358ed8c3c05d33fafbb2e7998679e81aa1292dfdbeb113b75dcc377c702cc0e3cb84c014368291e1ad5437156a4c2bd98

memory/2964-209-0x0000000000400000-0x000000000052E000-memory.dmp

memory/2380-211-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-10 22:18
Reported: 2024-05-10 22:21
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42 (aspackv2)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\uninstall\Zimo Sound Programmer (ZSP)\setup.exe | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A
File opened for modification | C:\Windows\uninstall\Zimo Sound Programmer (ZSP)\setup.exe | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\314f910dbce7e75c18ff3672d35cfc30_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp

Files

memory/5080-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe

MD5 f17f1393e7f58f602a6f8f4864015235
SHA1 bd120de991db7cc85c4472fac395bd426d31c981
SHA256 81e0d5df143ec1e32e6791083fb768b6fa04b3049f5f65ba3414493a3358ebd6
SHA512 64bf5145990277dd1e777fe2e32b8c3e7b55857c03ca1fd7e42025881463d2b7845748c59f2c8509c77b7c7778b141c596f945f1996203f835af092311b8518f

memory/6096-20-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.cfg

MD5 deee6704a73aa0f45370cc33306969c1
SHA1 204c2344263a78ff163d9d5ef67181941eefd8c5
SHA256 9c991735367eaddc3c3a906a77b77e0b1a67171dc7a6c6ab4493951f2e93ce0b
SHA512 0cc6d7ea1c320874caa90c515cb80e52d9dbee57d1928b36fc3e95f897b5258c1a7784d84adfd841d303c652cb027c99997a0832d3b8d9c4586a03abee0818d3

C:\Users\Admin\AppData\Local\Temp\setup~1\setup.zmr

MD5 a1b0a01c5f99c16fec13a454ea82ced6
SHA1 ad73fb36bc7f696e8b614eddc8989415d2af0810
SHA256 121a882f5fc6bfab4487048d2c9a7eef28f222d0213d091c802dafff66fd25bc
SHA512 62ddbeb833f756f327fcbe71c34b632358ed8c3c05d33fafbb2e7998679e81aa1292dfdbeb113b75dcc377c702cc0e3cb84c014368291e1ad5437156a4c2bd98

memory/6096-202-0x0000000000400000-0x000000000052E000-memory.dmp

memory/5080-203-0x0000000000400000-0x0000000000414000-memory.dmp

memory/6096-205-0x00000000007B0000-0x00000000007B1000-memory.dmp