Analysis Overview
SHA256
c813d65a8ab7ece0135faf14409373de5812a8527de6f3aac69b6a889de2304e
Threat Level: Known bad
The file 03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 19:51
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 19:51
Reported
2024-06-22 19:53
Platform
win7-20240508-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vktbot.exe
"C:\Users\Admin\AppData\Local\Temp\vktbot.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pisya.aiq.ru | udp |
| US | 8.8.8.8:53 | gora-vsego.ru | udp |
| RU | 212.46.196.133:21 | pisya.aiq.ru | tcp |
Files
memory/2024-0-0x0000000000400000-0x000000000058C000-memory.dmp
\Users\Admin\AppData\Local\Temp\vktbot.exe
| MD5 | 6f50a6debf467da0e0b3a93851895925 |
| SHA1 | 53e0191568795539d2e33de79fc906790fea2744 |
| SHA256 | 634a27e18916b7344885eae827fde9fdd6c5798753270c97582daae6cc977d9e |
| SHA512 | 4bc4763a6262f97b919f9c5110561960125ae035b3fdda877afa76d043e824099130556bca543c310bea20b699704e24de59eae9dad5a30973c250f2e1ec9923 |
memory/1660-7-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2024-9-0x0000000000400000-0x000000000058C000-memory.dmp
memory/1660-10-0x0000000000400000-0x0000000000540000-memory.dmp
memory/1660-12-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 19:51
Reported
2024-06-22 19:53
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vktbot.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3464 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vktbot.exe |
| PID 3464 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vktbot.exe |
| PID 3464 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vktbot.exe |
| PID 3464 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3464 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3464 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vktbot.exe
"C:\Users\Admin\AppData\Local\Temp\vktbot.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pisya.aiq.ru | udp |
| US | 8.8.8.8:53 | gora-vsego.ru | udp |
Files
memory/3464-0-0x0000000000400000-0x000000000058C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vktbot.exe
| MD5 | 6f50a6debf467da0e0b3a93851895925 |
| SHA1 | 53e0191568795539d2e33de79fc906790fea2744 |
| SHA256 | 634a27e18916b7344885eae827fde9fdd6c5798753270c97582daae6cc977d9e |
| SHA512 | 4bc4763a6262f97b919f9c5110561960125ae035b3fdda877afa76d043e824099130556bca543c310bea20b699704e24de59eae9dad5a30973c250f2e1ec9923 |
memory/1768-12-0x0000000000750000-0x0000000000751000-memory.dmp
memory/3464-13-0x0000000000400000-0x000000000058C000-memory.dmp
memory/1768-14-0x0000000000400000-0x0000000000540000-memory.dmp
memory/3464-15-0x0000000000400000-0x000000000058C000-memory.dmp
memory/1768-16-0x0000000000400000-0x0000000000540000-memory.dmp
memory/1768-17-0x0000000000750000-0x0000000000751000-memory.dmp