Malware Analysis Report

2025-01-22 12:43

Sample ID 240622-2p5taascjn
Target 043945317d81ee4818a1bee854e2e7e5_JaffaCakes118
SHA256 6a3a16eeabe543241d09239facc95e678ce125c45216e2d4b2d3412e13913bc5
Tags
aspackv2 spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6a3a16eeabe543241d09239facc95e678ce125c45216e2d4b2d3412e13913bc5

Threat Level: Shows suspicious behavior

The file 043945317d81ee4818a1bee854e2e7e5_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 spyware stealer

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

ASPack v2.12-2.42

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 22:46

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 22:46

Reported

2024-06-22 22:48

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043945317d81ee4818a1bee854e2e7e5_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\043945317d81ee4818a1bee854e2e7e5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\043945317d81ee4818a1bee854e2e7e5_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 120

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 22:46

Reported

2024-06-22 22:48

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043945317d81ee4818a1bee854e2e7e5_JaffaCakes118.exe"

Signatures

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Processes

C:\Users\Admin\AppData\Local\Temp\043945317d81ee4818a1bee854e2e7e5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\043945317d81ee4818a1bee854e2e7e5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 danjg.com udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 hbot.aswind.biz udp
US 8.8.8.8:53 TouKizu7oi4tobeD.com udp
US 8.8.8.8:53 wahlae0ohGurae2t.com udp
US 8.8.8.8:53 Ru7Noh8quoob8moh.com udp
US 8.8.8.8:53 taishous4nohshiY.com udp
US 8.8.8.8:53 Oyah9eeshaCei2ae.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp

Files

memory/3736-0-0x0000000024680000-0x00000000246AE000-memory.dmp

memory/3736-5-0x0000000024680000-0x00000000246AE000-memory.dmp

memory/3736-6-0x0000000024680000-0x00000000246AE000-memory.dmp

memory/3736-7-0x0000000024680000-0x00000000246AE000-memory.dmp