Malware Analysis Report

2025-01-22 12:26

Sample ID: 240516-n9pqxabf51
Target: 4afb95d53f83e1dea370b2f501307dda_JaffaCakes118
SHA256: 51d0bc63f05586fc726d57103a8067636dcfcef391cc15025cde2d82cc83dcfd
Tags: aspackv2 persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 51d0bc63f05586fc726d57103a8067636dcfcef391cc15025cde2d82cc83dcfd

Threat Level: Known bad

The file 4afb95d53f83e1dea370b2f501307dda_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Adds policy Run key to start application

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-16 12:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 12:06

Reported: 2024-05-16 12:08

Platform: win7-20240508-en

Max time kernel: 149s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe"

C:\Windows\SysWOW64\fservice.exe

C:\Windows\system32\fservice.exe

C:\Windows\services.exe

C:\Windows\services.exe -XP

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | gmail.com | udp

Files

memory/2280-0-0x0000000000260000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\fservice.exe

MD5 4afb95d53f83e1dea370b2f501307dda
SHA1 25bdb482d40b3b9d29b36774c4bcc3fd090f0624
SHA256 51d0bc63f05586fc726d57103a8067636dcfcef391cc15025cde2d82cc83dcfd
SHA512 f8f6297f44dd6c898d32b03ec98a2ad43058850047d04524cbbe9de78afb59f013330f92e9006430a5414c07ce10a9fc2cd3b93d41d8b29899bfc3957199ec36

memory/2976-12-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2988-22-0x0000000000260000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\winkey.dll

MD5 b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1 b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA256 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512 f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

memory/2988-26-0x0000000010000000-0x000000001000B000-memory.dmp

\Windows\SysWOW64\reginv.dll

MD5 562e0d01d6571fa2251a1e9f54c6cc69
SHA1 83677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256 c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

memory/2976-33-0x0000000000400000-0x00000000005F8000-memory.dmp

memory/2280-36-0x0000000000400000-0x00000000005F8000-memory.dmp

memory/2988-38-0x0000000010000000-0x000000001000B000-memory.dmp

memory/2988-37-0x0000000000400000-0x00000000005F8000-memory.dmp

memory/2988-41-0x0000000000260000-0x0000000000261000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-16 12:06

Reported: 2024-05-16 12:08

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A
File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A
File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A
N/A | N/A | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe"

C:\Windows\SysWOW64\fservice.exe

C:\Windows\system32\fservice.exe

C:\Windows\services.exe

C:\Windows\services.exe -XP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | gmail.com | udp
US | 8.8.8.8:53 | alt1.l.google.gmail.com | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4808-0-0x0000000000D10000-0x0000000000D11000-memory.dmp

C:\Windows\SysWOW64\fservice.exe

MD5 4afb95d53f83e1dea370b2f501307dda
SHA1 25bdb482d40b3b9d29b36774c4bcc3fd090f0624
SHA256 51d0bc63f05586fc726d57103a8067636dcfcef391cc15025cde2d82cc83dcfd
SHA512 f8f6297f44dd6c898d32b03ec98a2ad43058850047d04524cbbe9de78afb59f013330f92e9006430a5414c07ce10a9fc2cd3b93d41d8b29899bfc3957199ec36

memory/1428-8-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/3240-17-0x0000000002570000-0x0000000002571000-memory.dmp

memory/3240-21-0x0000000010000000-0x000000001000B000-memory.dmp

C:\Windows\SysWOW64\winkey.dll

MD5 b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1 b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA256 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512 f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

C:\Windows\SysWOW64\reginv.dll

MD5 562e0d01d6571fa2251a1e9f54c6cc69
SHA1 83677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256 c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

memory/1428-31-0x0000000000400000-0x00000000005F8000-memory.dmp

memory/4808-33-0x0000000000400000-0x00000000005F8000-memory.dmp

memory/3240-35-0x0000000010000000-0x000000001000B000-memory.dmp

memory/3240-34-0x0000000000400000-0x00000000005F8000-memory.dmp

memory/3240-38-0x0000000002570000-0x0000000002571000-memory.dmp

memory/3240-36-0x0000000000400000-0x00000000005F8000-memory.dmp