Malware Analysis Report

2025-01-22 12:41

Sample ID  240622-ykv7hawflm
Target     03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118
SHA256     c813d65a8ab7ece0135faf14409373de5812a8527de6f3aac69b6a889de2304e
Tags       aspackv2
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   10/10

SHA256  c813d65a8ab7ece0135faf14409373de5812a8527de6f3aac69b6a889de2304e

Threat Level: Known bad

The file 03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2

Checks computer location settings

ASPack v2.12-2.42

Deletes itself

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported  2024-06-22 19:51

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-22 19:51
Reported          2024-06-22 19:53
Platform          win7-20240508-en
Max time kernel   140s
Max time network  120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\vktbot.exe

"C:\Users\Admin\AppData\Local\Temp\vktbot.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe" >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 pisya.aiq.ru udp
US 8.8.8.8:53 gora-vsego.ru udp
RU 212.46.196.133:21 pisya.aiq.ru tcp

Files

memory/2024-0-0x0000000000400000-0x000000000058C000-memory.dmp

\Users\Admin\AppData\Local\Temp\vktbot.exe

MD5 6f50a6debf467da0e0b3a93851895925
SHA1 53e0191568795539d2e33de79fc906790fea2744
SHA256 634a27e18916b7344885eae827fde9fdd6c5798753270c97582daae6cc977d9e
SHA512 4bc4763a6262f97b919f9c5110561960125ae035b3fdda877afa76d043e824099130556bca543c310bea20b699704e24de59eae9dad5a30973c250f2e1ec9923

memory/1660-7-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2024-9-0x0000000000400000-0x000000000058C000-memory.dmp

memory/1660-10-0x0000000000400000-0x0000000000540000-memory.dmp

memory/1660-12-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-22 19:51
Reported          2024-06-22 19:53
Platform          win10v2004-20240508-en
Max time kernel   147s
Max time network  150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vktbot.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\vktbot.exe

"C:\Users\Admin\AppData\Local\Temp\vktbot.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\03b6df5872717eb7a593cf0d07a5efa0_JaffaCakes118.exe" >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 pisya.aiq.ru udp
US 8.8.8.8:53 gora-vsego.ru udp

Files

memory/3464-0-0x0000000000400000-0x000000000058C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vktbot.exe

MD5 6f50a6debf467da0e0b3a93851895925
SHA1 53e0191568795539d2e33de79fc906790fea2744
SHA256 634a27e18916b7344885eae827fde9fdd6c5798753270c97582daae6cc977d9e
SHA512 4bc4763a6262f97b919f9c5110561960125ae035b3fdda877afa76d043e824099130556bca543c310bea20b699704e24de59eae9dad5a30973c250f2e1ec9923

memory/1768-12-0x0000000000750000-0x0000000000751000-memory.dmp

memory/3464-13-0x0000000000400000-0x000000000058C000-memory.dmp

memory/1768-14-0x0000000000400000-0x0000000000540000-memory.dmp

memory/3464-15-0x0000000000400000-0x000000000058C000-memory.dmp

memory/1768-16-0x0000000000400000-0x0000000000540000-memory.dmp

memory/1768-17-0x0000000000750000-0x0000000000751000-memory.dmp