Malware Analysis Report

2025-03-15 05:49

Sample ID 240623-2faa1syfkj
Target 0307dc2b359e25772cedda86d9e5c874_JaffaCakes118
SHA256 d9e42e981974d8e0a4ae25dd92378b24fb8460b9b0178fabeb5a00214ed508e4
Tags
bootkit persistence aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d9e42e981974d8e0a4ae25dd92378b24fb8460b9b0178fabeb5a00214ed508e4

Threat Level: Shows suspicious behavior

The file 0307dc2b359e25772cedda86d9e5c874_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence aspackv2

ASPack v2.12-2.42

Writes to the Master Boot Record (MBR)

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 22:30

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 22:30

Reported

2024-06-23 22:33

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll

Network

N/A

Files

memory/1732-0-0x0000000074650000-0x0000000074697000-memory.dmp

memory/1732-1-0x0000000000220000-0x0000000000250000-memory.dmp

memory/1732-2-0x0000000000210000-0x0000000000213000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 22:30

Reported

2024-06-23 22:33

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll

Signatures

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1144 wrote to memory of 2272 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1144 wrote to memory of 2272 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1144 wrote to memory of 2272 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0307dc2b359e25772cedda86d9e5c874_JaffaCakes118.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/2272-0-0x0000000074BE0000-0x0000000074C27000-memory.dmp

memory/2272-1-0x0000000000AF0000-0x0000000000B20000-memory.dmp

memory/2272-22-0x0000000002470000-0x0000000002471000-memory.dmp

memory/2272-51-0x0000000002700000-0x0000000002701000-memory.dmp

memory/2272-50-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/2272-49-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/2272-48-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/2272-47-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/2272-46-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2272-45-0x00000000026B0000-0x00000000026B1000-memory.dmp

memory/2272-44-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2272-43-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2272-42-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2272-41-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2272-40-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2272-39-0x0000000002650000-0x0000000002651000-memory.dmp

memory/2272-38-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2272-37-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2272-36-0x0000000002580000-0x0000000002581000-memory.dmp

memory/2272-35-0x0000000002590000-0x0000000002591000-memory.dmp

memory/2272-34-0x0000000002560000-0x0000000002561000-memory.dmp

memory/2272-33-0x0000000002570000-0x0000000002571000-memory.dmp

memory/2272-32-0x0000000002540000-0x0000000002541000-memory.dmp

memory/2272-31-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2272-30-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2272-29-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2272-28-0x0000000002500000-0x0000000002501000-memory.dmp

memory/2272-27-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2272-26-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2272-25-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/2272-24-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/2272-23-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/2272-21-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2272-20-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2272-19-0x0000000002460000-0x0000000002461000-memory.dmp

memory/2272-18-0x0000000002430000-0x0000000002431000-memory.dmp

memory/2272-17-0x0000000002440000-0x0000000002441000-memory.dmp

memory/2272-16-0x0000000002410000-0x0000000002411000-memory.dmp

memory/2272-15-0x0000000002420000-0x0000000002421000-memory.dmp

memory/2272-14-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/2272-13-0x0000000002400000-0x0000000002401000-memory.dmp

memory/2272-12-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/2272-11-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/2272-10-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/2272-9-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/2272-8-0x0000000002380000-0x0000000002381000-memory.dmp

memory/2272-7-0x0000000002390000-0x0000000002391000-memory.dmp

memory/2272-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/2272-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/2272-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2272-3-0x0000000000990000-0x0000000000991000-memory.dmp

memory/2272-2-0x00000000009A0000-0x00000000009A3000-memory.dmp