Malware Analysis Report

2025-03-15 05:49

Sample ID 240623-1ejbvssgqb
Target 0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118
SHA256 c51d9653f562d303933325af00ec3c625e25cf90a4b28cf19d48f649c7629d80
Tags
aspackv2 upx
score
7/10


Analysis Overview

score
7/10

SHA256

c51d9653f562d303933325af00ec3c625e25cf90a4b28cf19d48f649c7629d80

Threat Level: shows suspicious behavior

The file 0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118 was classified as showing suspicious behavior (score 7/10): a packed, unsigned AutoIt executable that drops and runs further executables, without a confirmed malware family match.

Malicious Activity Summary

aspackv2 upx

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

UPX packed file

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-23 21:33

Signatures

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

AutoIT Executable

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
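The three static signatures above (UPX, AutoIT, Unsigned PE) can be checked offline without the sandbox. The following is an added example and not part of the sandbox report or its tooling: a stdlib-only PE walk that reads the section table for the default section names written by UPX (UPX0/UPX1) and ASPack (.aspack/.adata), scans for the compiled AutoIt v3 script marker, and reads IMAGE_DIRECTORY_ENTRY_SECURITY to decide whether an Authenticode signature is present. The `build_test_pe` helper constructs a minimal, hypothetical PE32 image so the code runs without the real sample; point `triage()` at real bytes with `triage(open(path, "rb").read())`.

```python
"""Added example: static checks for the UPX / ASPack / AutoIt / unsigned-PE
signatures, using only the struct module. Not the sandbox's own code."""
import struct

SECURITY_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
PACKER_SECTIONS = {                          # default section names each packer writes
    "upx": {"UPX0", "UPX1", "UPX2"},
    "aspack": {".aspack", ".adata"},
}
AUTOIT_MARKER = b"AU3!EA06"                  # header of a compiled AutoIt v3 script


def _nt_header(pe):
    """Return the file offset of IMAGE_NT_HEADERS after validating the MZ and PE magics."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def section_names(pe):
    """Section names from the section table (IMAGE_SECTION_HEADER.Name, 8 bytes each)."""
    nt = _nt_header(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]          # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = nt + 24 + opt_size                              # section table follows the optional header
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
            for i in range(nsec)]


def security_directory(pe):
    """(file offset, size) of the Authenticode blob; size 0 means the PE carries no signature."""
    opt = _nt_header(pe) + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}[magic]                   # data-directory offset: PE32 vs PE32+
    ndirs = struct.unpack_from("<I", pe, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    if ndirs <= SECURITY_DIR_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", pe, opt + dirs + 8 * SECURITY_DIR_INDEX)


def triage(pe):
    """Summarise the three static signatures for one PE image given as bytes."""
    names = set(section_names(pe))
    return {
        "packers": sorted(p for p, secs in PACKER_SECTIONS.items() if names & secs),
        "autoit": AUTOIT_MARKER in bytes(pe),
        "signed": security_directory(pe)[1] > 0,
    }


def build_test_pe(sections, payload=b"", sig_size=0):
    """Constructed minimal PE32 image for offline testing (hypothetical; not a runnable binary)."""
    opt = bytearray(224)                                    # PE32 optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    body = 0x40 + 24 + len(opt) + 40 * len(sections)
    if sig_size:                                            # pretend a signature blob follows the payload
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, body + len(payload), sig_size)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(s.encode().ljust(8, b"\0") + bytes(32) for s in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table + payload + bytes(sig_size)


if __name__ == "__main__":
    fake = build_test_pe(["UPX0", "UPX1", ".rsrc"], payload=b"\0" * 32 + AUTOIT_MARKER)
    print(triage(fake))   # {'packers': ['upx'], 'autoit': True, 'signed': False}
```

Two caveats apply when reading the result. Section-name matching only catches packers that keep their default names; a repacked sample with renamed sections produces an empty `packers` list while still being packed, so treat a hit as confirmation and a miss as inconclusive (entropy per section is the usual fallback). A non-zero security directory only says a signature blob is present; it does not validate the chain, so "signed" here is not "trusted".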

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 21:33

Reported

2024-06-23 21:36

Platform

win7-20240419-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                         Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\P.exe         N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

AutoIT Executable

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                         Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\P.exe

C:\Users\Admin\AppData\Local\Temp/P.exe

C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe

C:\Users\Admin\AppData\Local\Temp/Paso5wrd.exe

Network

N/A

Files

memory/1576-0-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P.exe

MD5 ac051026392a3ec7468a08a681eadb38
SHA1 93e2fb65f049c3c8bf0354c371bf117ef422416c
SHA256 415b50da794354632adec5210abcf436106ec16babc4e6b33d319b98655e8083
SHA512 d44562dcec8d65eeac4593477c33a61d56504da5e30fa5a8c5a0e90ee2644e7b3d7f3ac1817786a8fb823c957105bc81e5a99ca3687bada118af2d44b36c5eac

\Users\Admin\AppData\Local\Temp\Paso5wrd.exe

MD5 d0b5e23af0fc410b41450054e603dd2b
SHA1 c16ea1b07278fb42703408e7a8353e633504c92a
SHA256 8546c7c53335031652597551d8d6b7bdc637127a5e9c242decb835d85e693b51
SHA512 2b37430d8cc66821c59fce77acdda94c892a4cdf260fac0ce59c5b36cbd54f18934aab896d89f4a0f9b1f7879be10e54cd042396566284dd9ec1d45c709e91ce

memory/1576-27-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2612-28-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2612-39-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2612-40-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-41-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-42-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-43-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-44-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-45-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-46-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-47-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-48-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-49-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-50-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-51-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-52-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2612-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 21:33

Reported

2024-06-23 21:36

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                         Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\P.exe         N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

AutoIT Executable

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                         Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\P.exe

C:\Users\Admin\AppData\Local\Temp/P.exe

C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe

C:\Users\Admin\AppData\Local\Temp/Paso5wrd.exe
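Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) show the same chain: the submitted sample writes P.exe and Paso5wrd.exe into the user's Temp directory and then executes them as child processes. The following is an added example, not part of the sandbox report: detection logic that flags that drop-and-execute pattern and matches the file hashes listed in the Files sections against process-creation telemetry. The events are constructed Sysmon-style records (EventID 1 = ProcessCreate, EventID 11 = FileCreate) with assumed pids, standing in for a real EVTX/JSON feed; the mixed `\` and `/` in the image paths deliberately mirror the Processes listings above.

```python
"""Added example: hunting logic for the drop-and-execute chain recorded in the
behavioral1/behavioral2 detonations. Events are constructed, not real telemetry."""
import re

# SHA256 values copied from the Files sections of this report.
KNOWN_BAD_SHA256 = {
    "c51d9653f562d303933325af00ec3c625e25cf90a4b28cf19d48f649c7629d80",  # submitted sample
    "415b50da794354632adec5210abcf436106ec16babc4e6b33d319b98655e8083",  # P.exe / aut48E0.tmp
    "8546c7c53335031652597551d8d6b7bdc637127a5e9c242decb835d85e693b51",  # Paso5wrd.exe
}
# A PE written directly into the user's Temp directory, as the sample does.
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)


def norm(path):
    """Normalise a path: sandbox and Sysmon output mix '\\' with '/' and differ in case."""
    return path.replace("/", "\\").lower()


def parse_hashes(field):
    """Sysmon's Hashes field is 'MD5=...,SHA256=...'; return {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect(events):
    """Return (rule, detail) findings: known-bad hash, and Temp drop executed by the dropper."""
    findings = []
    dropped = {}                           # normalised file path -> pid of the writer
    for ev in events:
        if ev["EventID"] == 11:
            target = norm(ev["TargetFilename"])
            if TEMP_EXE.match(target):
                dropped[target] = ev["ProcessId"]
        elif ev["EventID"] == 1:
            image = norm(ev["Image"])
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha256 in KNOWN_BAD_SHA256:
                findings.append(("ioc_hash_match", image))
            # Fire only when the process that wrote the file is also the parent that ran it.
            if dropped.get(image) == ev["ParentProcessId"]:
                findings.append(("drop_and_execute", f"{norm(ev['ParentImage'])} -> {image}"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"
# Constructed events mirroring the process tree above (pids are assumed).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1576, "Image": SAMPLE, "ParentProcessId": 1000,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=C51D9653F562D303933325AF00EC3C625E25CF90A4B28CF19D48F649C7629D80"},
    {"EventID": 11, "ProcessId": 1576, "TargetFilename": TEMP + r"\P.exe"},
    {"EventID": 1, "ProcessId": 2000, "Image": TEMP + "/P.exe", "ParentProcessId": 1576,
     "ParentImage": SAMPLE,
     "Hashes": "MD5=ac051026392a3ec7468a08a681eadb38,"
               "SHA256=415b50da794354632adec5210abcf436106ec16babc4e6b33d319b98655e8083"},
    {"EventID": 11, "ProcessId": 1576, "TargetFilename": TEMP + r"\Paso5wrd.exe"},
    {"EventID": 1, "ProcessId": 2612, "Image": TEMP + "/Paso5wrd.exe", "ParentProcessId": 1576,
     "ParentImage": SAMPLE,
     "Hashes": "SHA256=8546c7c53335031652597551d8d6b7bdc637127a5e9c242decb835d85e693b51"},
    # Benign noise: a Temp drop later started by an unrelated parent must not fire.
    {"EventID": 11, "ProcessId": 3000, "TargetFilename": TEMP + r"\setup.exe"},
    {"EventID": 1, "ProcessId": 3001, "Image": TEMP + r"\setup.exe", "ParentProcessId": 4000,
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The hash rule is the brittle half: repacking the sample with UPX or ASPack again changes every hash while leaving the behaviour intact, so the drop-and-execute rule is the one worth keeping in production, with exclusions for installers that legitimately stage and run helpers from Temp. The SetWindowsHookEx and WriteProcessMemory signatures in this report come from API-level monitoring inside the sandbox; they are not visible in process and file events, so reproducing them needs EDR or ETW API telemetry rather than Sysmon.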

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp

Files

memory/2204-0-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut48E0.tmp

MD5 ac051026392a3ec7468a08a681eadb38
SHA1 93e2fb65f049c3c8bf0354c371bf117ef422416c
SHA256 415b50da794354632adec5210abcf436106ec16babc4e6b33d319b98655e8083
SHA512 d44562dcec8d65eeac4593477c33a61d56504da5e30fa5a8c5a0e90ee2644e7b3d7f3ac1817786a8fb823c957105bc81e5a99ca3687bada118af2d44b36c5eac

C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe

MD5 d0b5e23af0fc410b41450054e603dd2b
SHA1 c16ea1b07278fb42703408e7a8353e633504c92a
SHA256 8546c7c53335031652597551d8d6b7bdc637127a5e9c242decb835d85e693b51
SHA512 2b37430d8cc66821c59fce77acdda94c892a4cdf260fac0ce59c5b36cbd54f18934aab896d89f4a0f9b1f7879be10e54cd042396566284dd9ec1d45c709e91ce

memory/2204-20-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1628-22-0x0000000002340000-0x0000000002341000-memory.dmp

memory/1628-31-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-32-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-33-0x0000000002340000-0x0000000002341000-memory.dmp

memory/1628-34-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-35-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-36-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-37-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-38-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-39-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-40-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-41-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-42-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-43-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-44-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1628-45-0x0000000000400000-0x00000000004B7000-memory.dmp