Malware Analysis Report

2025-01-22 12:23

Sample ID: 240516-yq1deadh8s
Target: 4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118
SHA256: 77ddab3725f45705e6dfb758244b3b27c7b71cc672a37ab64cca06330064a854
Tags: aspackv2
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 77ddab3725f45705e6dfb758244b3b27c7b71cc672a37ab64cca06330064a854

Threat Level: Shows suspicious behavior

The file 4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118 was classified as showing suspicious behavior rather than as known malware. The verdict rests on the signatures listed below: an ASPack-packed, unsigned PE that loads a DLL it dropped itself, repeatedly queries the foreground window and looks up the shell tray window. No malware family was identified and no MITRE ATT&CK techniques were mapped.

Malicious Activity Summary

ASPack v2.12-2.42 (tag: aspackv2)

Loads dropped DLL

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 20:00

Signatures

Unsigned PE
(no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 20:00

Reported

2024-05-16 20:02

Platform

win7-20231129-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42 (tag: aspackv2)
(no description, indicator, process or target recorded)
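The packer signature above comes from the sandbox's own detector. As an added example (not code from the report or the sandbox), the script below does the static check an analyst would run on the sample before detonation: it parses the PE section table with the standard library only and flags the section names ASPack 2.x is known to write (.aspack and .adata) plus any section whose raw bytes are high-entropy, which is what a still-packed image looks like. The PE it analyses when run without arguments is constructed inline (headers plus a few synthetic sections) so it runs offline; pass a file path to check a real sample. The 7.0 bits/byte threshold is an assumption, not a value from the report.

```python
"""Heuristic ASPack check on a PE section table (stdlib only).

Added example; not part of the sandbox report and not the sandbox's own
'ASPack v2.12-2.42' signature. Flags ASPack section names (.aspack, .adata)
and high-entropy sections. The PE built at the bottom is synthetic.
"""
import math
import struct
import sys

ASPACK_SECTION_NAMES = {b".aspack", b".adata"}  # written by ASPack 2.x
ENTROPY_THRESHOLD = 7.0                          # assumed; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table.

    Returns [(name, virtual_address, raw_pointer, raw_size)].
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # NumberOfSections
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        # +12 VirtualAddress, +16 SizeOfRawData, +20 PointerToRawData
        vaddr, raw_size, raw_ptr = struct.unpack_from("<III", pe, hdr + 12)
        sections.append((name, vaddr, raw_ptr, raw_size))
    return sections


def aspack_indicators(pe: bytes):
    """Return human-readable findings; an empty list means no ASPack hint."""
    findings = []
    for name, vaddr, raw_ptr, raw_size in parse_sections(pe):
        label = name.decode("ascii", "replace") or "<unnamed>"
        if name in ASPACK_SECTION_NAMES:
            findings.append(f"{label}: ASPack section name at RVA 0x{vaddr:X}")
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        if raw_size and entropy >= ENTROPY_THRESHOLD:
            findings.append(f"{label}: entropy {entropy:.2f}, looks compressed")
    return findings


def build_test_pe(sections):
    """Construct a minimal PE32 (headers + raw data) for offline testing.

    `sections` is [(name, raw_bytes)]. Synthetic file, not the submitted sample.
    """
    e_lfanew, opt_size = 0x40, 0xE0
    table_end = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = (table_end + 0x1FF) & ~0x1FF          # raw data on a 0x200 boundary
    hdr = bytearray(b"MZ").ljust(e_lfanew, b"\0")
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    hdr += opt
    body, vaddr = b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        hdr += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, raw_size,
                           first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        vaddr += max(raw_size, 0x1000)
    return bytes(hdr).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:  # synthetic input: one plain section, one packed one, one empty ASPack stub
        blob = build_test_pe([(b".text", b"mov eax, 1; ret" * 64),
                              (b".aspack", bytes(range(256)) * 16),
                              (b".adata", b"")])
    for line in aspack_indicators(blob) or ["no ASPack indicators"]:
        print(line)
```

Section names are a weak signal on their own, since a packer can rename them; the entropy check catches a renamed packed section, and a clean compiler-built image with normal .text/.data sections trips neither rule.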

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe
(no description, indicator or target recorded)

Suspicious behavior: GetForegroundWindowSpam
Process: C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe
(no description, indicator or target recorded)

Suspicious use of FindShellTrayWindow
Process: C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe
(no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\{8AD0F83B-5B77-4068-AE2E-4116343D3B4A}\isshell.dat

MD5 0a35f219461f5bfa2b72ad59f16a7a83
SHA1 03e2f7fb02626dafc403165b17ce0ec074c6b52a
SHA256 125b445db83df1a09f915d11b50b4d8698b98fec9007053d92dfa48a0c170037
SHA512 b97188f63bae21c3655f6b573deb2cec03e77d1e133759e7c6af23f730d1dae28d0f2894f30088dea75923643164fd39fd15ada226580675bf7ec99f43363e2f

memory/1044-3-0x0000000001DD0000-0x0000000002071000-memory.dmp

memory/1044-7-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1044-9-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1044-10-0x0000000001DD0000-0x0000000002071000-memory.dmp

memory/1044-13-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 20:00

Reported

2024-05-16 20:02

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42 (tag: aspackv2)
(no description, indicator, process or target recorded)

Suspicious use of FindShellTrayWindow
Process: C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe
(no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ccd26be751ed0ea3c7bf3e33aff43b6_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 220.131.50.23.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 206.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
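Every row in this table is either a reverse (PTR) lookup sent to 8.8.8.8 or a connection to a Bing hostname, which is the traffic a stock Windows 10 sandbox image generates on its own; the Win7 run of the same sample recorded no network activity at all. Nothing here can be attributed to the sample from the report alone. As an added example (not part of the report), the script below applies that triage to the table as copied from this section: it classifies each row as PTR lookup, baseline background or "review", and decodes the PTR names back into the addresses the host resolved, listing those that never appear as a destination. The baseline domain list is this example's assumption about the sandbox image, not something the report states.

```python
"""Separate sandbox background traffic from sample-attributable connections.

Added example; not part of the report. NETWORK_TABLE is the behavioral2
Network section of this report copied verbatim. The baseline (PTR lookups
to 8.8.8.8, Microsoft/Bing hostnames) is an assumption about what a stock
Windows 10 sandbox image does unprompted; tune it to your own sandbox.
"""
import ipaddress
import re
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 220.131.50.23.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 206.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
"""

# Assumed baseline: hostnames a Windows 10 image contacts without user action.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com",
                       ".windowsupdate.com", ".msftconnecttest.com", ".msftncsi.com")
ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
                 r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(table):
    """One dict per 'Country Destination Domain Proto' row; malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "review"           # anything outside the baseline gets an analyst's eyes


def triage(table):
    rows = parse_rows(table)
    counts = Counter(classify(r) for r in rows)
    contacted = {r["ip"] for r in rows}
    reversed_ips = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr-lookup"}
    return {
        "total": len(rows),
        "counts": dict(counts),
        "review": [r for r in rows if classify(r) == "review"],
        # Addresses the host reverse-resolved but never appears to connect to in
        # this table: candidates to look for in the pcap.
        "reversed_only": sorted(reversed_ips - contacted, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    print(result["counts"])
    for r in result["review"]:
        print("REVIEW", r["ip"], r["port"], r["domain"], r["proto"])
    print("reverse-resolved but not contacted:", result["reversed_only"])
```

On this table the "review" bucket is empty, which matches the report's own conclusion (no network signatures). The reverse-resolved addresses are still worth a glance in a full capture: the table records DNS and TCP connections, so any address that was resolved but never shows up as a destination points at traffic the summary table does not list.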

Files

C:\Users\Admin\AppData\Local\Temp\{8AD0F83B-5B77-4068-AE2E-4116343D3B4A}\isshell.dat

MD5 0a35f219461f5bfa2b72ad59f16a7a83
SHA1 03e2f7fb02626dafc403165b17ce0ec074c6b52a
SHA256 125b445db83df1a09f915d11b50b4d8698b98fec9007053d92dfa48a0c170037
SHA512 b97188f63bae21c3655f6b573deb2cec03e77d1e133759e7c6af23f730d1dae28d0f2894f30088dea75923643164fd39fd15ada226580675bf7ec99f43363e2f

memory/4152-6-0x00000000022A0000-0x0000000002541000-memory.dmp

memory/4152-7-0x00000000022A0000-0x0000000002541000-memory.dmp

memory/4152-11-0x0000000002790000-0x0000000002791000-memory.dmp

memory/4152-13-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4152-14-0x00000000022A0000-0x0000000002541000-memory.dmp

memory/4152-17-0x0000000002790000-0x0000000002791000-memory.dmp

memory/4152-21-0x00000000022A0000-0x0000000002541000-memory.dmp
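The memory dump names in both behavioral runs follow the pattern memory/<pid>-<sequence>-<start>-<end>-memory.dmp, so the address ranges can be recovered without opening the dumps. As an added example (not code from the report or the sandbox), the script below parses both listings as copied from this report, groups repeated snapshots of the same range, and flags any region larger than the mapped image. The image base 0x400000 is this example's assumption (the conventional base of a non-relocated 32-bit PE); the report itself does not state it.

```python
"""Turn the report's memory dump names into a region table.

Added example; not part of the report. The names below are copied from the
behavioral1 (pid 1044) and behavioral2 (pid 4152) Files sections. The image
base 0x400000 is an assumption, not a value the report gives.
"""
import re

BEHAVIORAL1_DUMPS = """\
memory/1044-3-0x0000000001DD0000-0x0000000002071000-memory.dmp
memory/1044-7-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1044-9-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1044-10-0x0000000001DD0000-0x0000000002071000-memory.dmp
memory/1044-13-0x0000000000230000-0x0000000000231000-memory.dmp
"""

BEHAVIORAL2_DUMPS = """\
memory/4152-6-0x00000000022A0000-0x0000000002541000-memory.dmp
memory/4152-7-0x00000000022A0000-0x0000000002541000-memory.dmp
memory/4152-11-0x0000000002790000-0x0000000002791000-memory.dmp
memory/4152-13-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4152-14-0x00000000022A0000-0x0000000002541000-memory.dmp
memory/4152-17-0x0000000002790000-0x0000000002791000-memory.dmp
memory/4152-21-0x00000000022A0000-0x0000000002541000-memory.dmp
"""

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(listing):
    """[(pid, seq, start, end)] for every well-formed dump name in `listing`."""
    out = []
    for line in listing.splitlines():
        m = DUMP_NAME.match(line.strip())
        if m:
            out.append((int(m["pid"]), int(m["seq"]),
                        int(m["start"], 16), int(m["end"], 16)))
    return out


def summarize(listing, image_base=0x400000):
    """Group dumps by address range and flag regions bigger than the image."""
    dumps = parse_dumps(listing)
    snapshots = {}                          # (start, end) -> [seq, ...]
    for _pid, seq, start, end in dumps:
        snapshots.setdefault((start, end), []).append(seq)
    image = [rng for rng in snapshots if rng[0] == image_base]
    image_size = image[0][1] - image[0][0] if image else None
    larger = sorted(
        rng for rng in snapshots
        if rng[0] != image_base and image_size is not None
        and rng[1] - rng[0] > image_size
    )
    return {
        "pid": dumps[0][0] if dumps else None,
        "image_size": image_size,
        "snapshots": snapshots,
        "larger_than_image": larger,
    }


def describe(listing):
    """Human-readable region table for one run."""
    s = summarize(listing)
    if s["image_size"] is None:
        lines = [f"pid {s['pid']}: image base not dumped"]
    else:
        lines = [f"pid {s['pid']}: image 0x{s['image_size']:X} bytes"]
    for (start, end), seqs in sorted(s["snapshots"].items()):
        tag = "  <- larger than image" if (start, end) in s["larger_than_image"] else ""
        lines.append(f"  0x{start:08X}-0x{end:08X} size 0x{end - start:X} "
                     f"dumped {len(seqs)}x (seq {', '.join(map(str, seqs))}){tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(BEHAVIORAL1_DUMPS))
    print(describe(BEHAVIORAL2_DUMPS))
```

Both runs yield the same three kinds of region: the image mapping (0x4A000 bytes at 0x400000), a single page, and one 0x2A1000-byte region that sits at 0x1DD0000 on Win7 and 0x22A0000 on Win10 and was snapshotted several times in each run. A region of identical size reappearing at a run-specific address is the first thing to pull from the dumps when looking for code the packer unpacked at runtime.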