Malware Analysis Report

2025-01-22 12:43

Sample ID: 240622-1djw1aygjk
Target: 03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118
SHA256: ce414fa987ceec4852dfe94db38339e2509d328835bd157789ee27e26c21b1fc
Tags: aspackv2, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: ce414fa987ceec4852dfe94db38339e2509d328835bd157789ee27e26c21b1fc

Threat Level: Likely malicious

The file 03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: aspackv2, persistence

Drops file in Drivers directory

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 21:31

Signatures

ASPack v2.12-2.42 (tag: aspackv2)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 21:31
Reported: 2024-06-22 21:34
Platform: win7-20240611-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Drivers\aec.sys | C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Drivers\aec.sys | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x3 = " " | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x3 = "c:\\windows\\system32\\shellext\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\SysWOW64\shellext\svchost.exe | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A
File created | \??\c:\windows\SysWOW64\shellext\svchost.exe | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A
File created | C:\Windows\SysWOW64\xiaoxiao_sls.sls | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\28627.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\28627.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\28627.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\28627.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 212

Network

N/A

Files

memory/1244-0-0x0000000000400000-0x000000000045D000-memory.dmp

\Users\Admin\AppData\Local\Temp\28627.exe

MD5: 34a57e43c473201cb5d99f5957a4a349
SHA1: 1c65459c349cdb4a3bac695bfbe71c3f5471ae03
SHA256: 98f3360ed2ad357e66afe64f7e71a7683d4da2ee79c2efffd444380f323695cd
SHA512: 3fe97a0edd97d454cd012144a7aacd1cad6beb3ebeb4fbb70e981000ef81f69a49eed4e1d7873c8b1e26e487fbf4c3e9d697e32dc4e7efb1bb464df8b43d7316

\Windows\SysWOW64\xiaoxiao_sls.sls

MD5: 917b9e105c4e1554a0bb3d44f49dddae
SHA1: 8065e670fa3ec9282df9ad44267cdfa6406c94d5
SHA256: b0c5eafb89154c8c6977f036c1130e453cee22493e472d728a71c4c2e8790677
SHA512: d48175b47b7bc51a6334be59ff9361b381815c300a4daee3f72a1e03fc94cd1d354c0b8e22ae528e741dd75539091d9e5993a57e7173eaae8aba89988853ff84

memory/1244-17-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1244-20-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 21:31
Reported: 2024-06-22 21:34
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Drivers\aec.sys | C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Drivers\aec.sys | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\x3 = " " | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\x3 = "c:\\windows\\system32\\shellext\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\SysWOW64\shellext\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A
File created | \??\c:\windows\SysWOW64\shellext\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A
File created | C:\Windows\SysWOW64\xiaoxiao_sls.sls | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4182.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4182.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03eb6402725752f1f3c3bc6ffce9358a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4182.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4182.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 400

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/1724-0-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4182.exe

MD5: 34a57e43c473201cb5d99f5957a4a349
SHA1: 1c65459c349cdb4a3bac695bfbe71c3f5471ae03
SHA256: 98f3360ed2ad357e66afe64f7e71a7683d4da2ee79c2efffd444380f323695cd
SHA512: 3fe97a0edd97d454cd012144a7aacd1cad6beb3ebeb4fbb70e981000ef81f69a49eed4e1d7873c8b1e26e487fbf4c3e9d697e32dc4e7efb1bb464df8b43d7316

C:\Windows\SysWOW64\xiaoxiao_sls.sls

MD5: 917b9e105c4e1554a0bb3d44f49dddae
SHA1: 8065e670fa3ec9282df9ad44267cdfa6406c94d5
SHA256: b0c5eafb89154c8c6977f036c1130e453cee22493e472d728a71c4c2e8790677
SHA512: d48175b47b7bc51a6334be59ff9361b381815c300a4daee3f72a1e03fc94cd1d354c0b8e22ae528e741dd75539091d9e5993a57e7173eaae8aba89988853ff84

memory/1724-9-0x0000000000400000-0x000000000045D000-memory.dmp