Malware Analysis Report

2025-03-15 05:42

Sample ID 240510-ekf8ssch93
Target 2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118
SHA256 3bc7eed96139ff6b7613c0961055b796933457d71ba0dbeb9daba6552e0aede9
Tags aspackv2 discovery evasion persistence spyware stealer trojan
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file 2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Modifies RDP port number used by Windows

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

ASPack v2.12-2.42

Checks BIOS information in registry

Executes dropped EXE

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks processor information in registry

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-05-10 03:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-10 03:59
Reported 2024-05-10 04:02
Platform win7-20240508-en
Max time kernel 141s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe"

Signatures

Modifies RDP port number used by Windows

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\AVM\avm.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\AVM\avm.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\AVM\avm.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Antivirus = "C:\\Program Files (x86)\\AVM\\avm.exe" | C:\Program Files (x86)\AVM\avm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "C:\\Program Files (x86)\\AVM\\avm.exe" | C:\Program Files (x86)\AVM\avm.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\AVM\avm.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance | C:\Program Files (x86)\AVM\avm.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\avm.cpl | C:\Program Files (x86)\AVM\avm.exe | N/A
File opened for modification | C:\Windows\SysWOW64\avm.cpl | C:\Program Files (x86)\AVM\avm.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\AVM | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm0.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm0.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm1.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm.exe | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm.ooo | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm1.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm.cpl | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm.cpl | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm.exe | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm.ooo | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Program Files (x86)\AVM\avm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Program Files (x86)\AVM\avm.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Program Files (x86)\AVM\avm.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Program Files (x86)\AVM\avm.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\AVM\avm.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Program Files (x86)\AVM\avm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Program Files (x86)\AVM\avm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Program Files (x86)\AVM\avm.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\AVM\avm.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\AVM\avm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 2252 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | C:\Program Files (x86)\AVM\avm.exe
PID 2252 wrote to memory of 2056 (7 identical entries) | N/A | C:\Program Files (x86)\AVM\avm.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe"

C:\Program Files (x86)\AVM\avm.exe

"C:\Program Files (x86)\AVM\avm.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\AVM\avm.exe"

Network

N/A

Files

\Program Files (x86)\AVM\avm.exe

MD5 6535826d9a168414e0f8840adcd42189
SHA1 352f933adb680d42d54b3178281ed60d112c580b
SHA256 a7fb1cf220bfd088ff8f17989c0e459862ffa6d732873b41b4b49c78b312471a
SHA512 54b04800d2c0a56f1e533ac30f5709ac583180f631bbc1e09386ca506f54dd01630450fed15f28d0a35303af18b4f530c479d8b02a0c51af60388af6bedd8cf2

C:\Program Files (x86)\AVM\avm.cpl

MD5 960d3117667426b0357b223c1b3e41db
SHA1 2601377e3a9d4d88e491e88fdea28ade816048d1
SHA256 a72d41815ad9e88ba3a91578d7b8f49f78ebf0f45c739df4952b614e443c267c
SHA512 2f6f37e6c250e34e4e65195c3a9d70606b2e59859eda5f4bb78d97bb6c49f5d39dffbd45358bdfca29062a4c0d50890458ae7034bb946e4f52e560e379633e6b

C:\Program Files (x86)\AVM\avm.ooo

MD5 436fe5c882b9efcfdf3da87a80cb8bde
SHA1 c28555cf8eaa0288517ecd97c65c636cbda903a4
SHA256 b5160c05646d5cdf972051ce413ffdc72c19720c3fd37fa284d4fa5609b36627
SHA512 bf0795c376e3dcab4dd57319cb5cf6418ef81eb5bb71e4d5471d6b22b00140c666f454c36529014461f332c2ed87ec6976496092367a29b7c994b5329bb487a4

C:\Program Files (x86)\AVM\avm0.dat

MD5 bbe8e02db2597e6d9d874718ae5639a8
SHA1 8bf63e606a06ad3a041c438a2eb8e8107198cbc7
SHA256 d24dbaf052764d69dbfdff742289577f9b3003a6c6209d61e9a099b7782af0b6
SHA512 0c6e2ea8a029489e7f0ee61e082f1543e3eff614b1091de7c4e98c0eeef08ec06e7da159d8b6de8a3aa6206782ae5904df451756def0d7fee30821654ecec22b

C:\Program Files (x86)\AVM\avm1.dat

MD5 8d3489379571bce6ac707a3eb6a13c31
SHA1 a91bb6b3ccb5d110ffd180ee31521d3f4411cc82
SHA256 1aa790222bb1b3dba15c0885d4f0f5dd822a7222f56b3053cf0fc38ad9565371
SHA512 16eb41dc85a71d2e0ae274c187ae3b529485e459f15143a726ccd01cc33f725c05cef7f2562fcd022e0f00ef162228055ef1603ad6f9d8f1e33d504236b1c112

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8SD872Q\g3[1]

MD5 aefd444122479195a041153e433d7c84
SHA1 aa68d0404afe9aa4bbd15f1c732370b8aa323072
SHA256 5adf118b3b1a73e88fd25981132f01bcb77b7961a0b219a71fb13c8e88d681eb
SHA512 131e0bc9e0a3badb4c9b29e26f36861c2876b7fc6a775ceba6393c37d8575fc6ef7fe2c7f91c1e1202b361e25aa0243f3a7f260adf8b36e157bca31196fa0d8b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8SD872Q\g2[1]

MD5 727a63363c1c5e84451ea8ef27ed1c8d
SHA1 aad7fb2b949e5045bbd9612a468611f55e47e4ca
SHA256 b0bafcaa21b73ff3b4f06f7304f08f90693eaca58c92ca4ee22ef7dcdafd823c
SHA512 bf0fc89c1057adebff595d4aa6639ea9fb6a15a07f5882223f568eda4c6b39e07f3b3972a77e106a20057a4a2584835ccf96831bd44eb5426710014c173b267b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\g1[1]

MD5 8f8d8d07b4d2dd7fc7c97a0396683eea
SHA1 9cfccb49f7cbf1664257f3da701125cc9a37c7c3
SHA256 d240106981f8c50ccc625329c7e92ac8b139208643eefb733a580cc5f0ad1eb3
SHA512 0f18ad300448c84dd5b4d72219b9327c522d5c6d6e870f0504f59b2963bc8c222156da9d15298929832231a00c09ac0f7aaead39fd83592d4e98830db1dc633c

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-10 03:59
Reported 2024-05-10 04:02
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\AVM\avm.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus = "C:\\Program Files (x86)\\AVM\\avm.exe" | C:\Program Files (x86)\AVM\avm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Antivirus = "C:\\Program Files (x86)\\AVM\\avm.exe" | C:\Program Files (x86)\AVM\avm.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\avm.cpl | C:\Program Files (x86)\AVM\avm.exe | N/A
File opened for modification | C:\Windows\SysWOW64\avm.cpl | C:\Program Files (x86)\AVM\avm.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\AVM\avm.ooo | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm0.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm0.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm1.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm.cpl | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm.exe | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM\avm.exe | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\AVM | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm1.dat | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm.cpl | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\AVM\avm.ooo | C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\AVM\avm.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Program Files (x86)\AVM\avm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Program Files (x86)\AVM\avm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Program Files (x86)\AVM\avm.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\AVM\avm.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\AVM\avm.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d39c9269c60708c89f1625b51feb0e3_JaffaCakes118.exe"

C:\Program Files (x86)\AVM\avm.exe

"C:\Program Files (x86)\AVM\avm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 576

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\AVM\avm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp

Files

C:\Program Files (x86)\AVM\avm.exe

MD5 6535826d9a168414e0f8840adcd42189
SHA1 352f933adb680d42d54b3178281ed60d112c580b
SHA256 a7fb1cf220bfd088ff8f17989c0e459862ffa6d732873b41b4b49c78b312471a
SHA512 54b04800d2c0a56f1e533ac30f5709ac583180f631bbc1e09386ca506f54dd01630450fed15f28d0a35303af18b4f530c479d8b02a0c51af60388af6bedd8cf2

C:\Program Files (x86)\AVM\avm.cpl

MD5 960d3117667426b0357b223c1b3e41db
SHA1 2601377e3a9d4d88e491e88fdea28ade816048d1
SHA256 a72d41815ad9e88ba3a91578d7b8f49f78ebf0f45c739df4952b614e443c267c
SHA512 2f6f37e6c250e34e4e65195c3a9d70606b2e59859eda5f4bb78d97bb6c49f5d39dffbd45358bdfca29062a4c0d50890458ae7034bb946e4f52e560e379633e6b

C:\Program Files (x86)\AVM\avm.ooo

MD5 436fe5c882b9efcfdf3da87a80cb8bde
SHA1 c28555cf8eaa0288517ecd97c65c636cbda903a4
SHA256 b5160c05646d5cdf972051ce413ffdc72c19720c3fd37fa284d4fa5609b36627
SHA512 bf0795c376e3dcab4dd57319cb5cf6418ef81eb5bb71e4d5471d6b22b00140c666f454c36529014461f332c2ed87ec6976496092367a29b7c994b5329bb487a4

C:\Program Files (x86)\AVM\avm0.dat

MD5 bbe8e02db2597e6d9d874718ae5639a8
SHA1 8bf63e606a06ad3a041c438a2eb8e8107198cbc7
SHA256 d24dbaf052764d69dbfdff742289577f9b3003a6c6209d61e9a099b7782af0b6
SHA512 0c6e2ea8a029489e7f0ee61e082f1543e3eff614b1091de7c4e98c0eeef08ec06e7da159d8b6de8a3aa6206782ae5904df451756def0d7fee30821654ecec22b

C:\Program Files (x86)\AVM\avm1.dat

MD5 8d3489379571bce6ac707a3eb6a13c31
SHA1 a91bb6b3ccb5d110ffd180ee31521d3f4411cc82
SHA256 1aa790222bb1b3dba15c0885d4f0f5dd822a7222f56b3053cf0fc38ad9565371
SHA512 16eb41dc85a71d2e0ae274c187ae3b529485e459f15143a726ccd01cc33f725c05cef7f2562fcd022e0f00ef162228055ef1603ad6f9d8f1e33d504236b1c112