Malware Analysis Report

2025-03-15 05:48

Sample ID 240624-a3pwfavbpk
Target 05d7368f45843a53ea250260a936020b_JaffaCakes118
SHA256 ceffd78a821d7cc8108d59cd70b2c4ac0d96602f0cf32269679d22b54718a8fd
Tags
discovery persistence aspackv2
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 05d7368f45843a53ea250260a936020b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence aspackv2

Loads dropped DLL

ASPack v2.12-2.42

Adds Run key to start application

Checks installed software on the system

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-06-24 00:44

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 00:44

Reported

2024-06-24 00:47

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNShell.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\mlng_EN.ini

MD5 aa5a931a734ad85b7c149b04dc018350
SHA1 510b5e19914944a012f14295137f056012213f22
SHA256 187ee03ff858418849fc4dedc1ae6ad5a8d1778a3da6a26fea1a44517c9ecb34
SHA512 f165f6292643e695831fabc9efc1c2f3855d294a3ad54ef745eeece6298d4d5b52210a3950c751b26c933abc2abd48d3ef504a596a9e932f69901d73187731f1

C:\Users\Admin\AppData\Local\Temp\shell.ini

MD5 6155652e608cfbcf3a6c23ed9b7ccd21
SHA1 96e6110dd1f7991bfc4f4d4b967e36dc14e1858d
SHA256 bff01dd0bbe7d995c5ba9f90027c08f2deb8f81dfa8b5e9628208d015cb2d872
SHA512 ad101c5cd7d2d2443207ff282ae0d6f240e07f1b32873ff2d710d85df90119c9be1a7054a7bc6a687547190b38ee45ef15443571acb12272d0c5f3d6275dec79

C:\Users\Admin\AppData\Local\Temp\msnshell.dll

MD5 e5cb5db431e05f9cbb240dde14d047ca
SHA1 4b4534ddbd0342feebf0b5dbb4cd0aae5f8b2468
SHA256 124bd8133828e88e461b4423966cd83d68427d526e80b38a0a20dc13db343e73
SHA512 189ae327bed1d1b9a2f5a6f5b49e723b385f64c018bcf490aa30fd91ccd836b5087253df92d1fb9f4ba09802d27da2ccba8fe24c67528bd6f0b3c7479aece4dc

C:\Users\Admin\AppData\Local\Temp\mlng_GB.ini

MD5 45372c4acb71f52149864766ed8b21ff
SHA1 48a1519c789891c1295cdc7c58696a1b8f5907af
SHA256 6a0fd22eb05670716627d24db26e0efe39a8f6802d302bdfa187a0d627474a7a
SHA512 9c2cdf48f05c220dd679c415b0f20cd148450cebbba926fdf22687d7ecddb73f16077cdc1cf76088e9c20739e46f43cff841b080bf90bb24593df0ddf0735522

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 00:44

Reported

2024-06-24 00:47

Platform

win7-20240220-en

Max time kernel

142s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNShell.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\msnshell.dll

MD5 e5cb5db431e05f9cbb240dde14d047ca
SHA1 4b4534ddbd0342feebf0b5dbb4cd0aae5f8b2468
SHA256 124bd8133828e88e461b4423966cd83d68427d526e80b38a0a20dc13db343e73
SHA512 189ae327bed1d1b9a2f5a6f5b49e723b385f64c018bcf490aa30fd91ccd836b5087253df92d1fb9f4ba09802d27da2ccba8fe24c67528bd6f0b3c7479aece4dc

C:\Users\Admin\AppData\Local\Temp\mlng_EN.ini

MD5 aa5a931a734ad85b7c149b04dc018350
SHA1 510b5e19914944a012f14295137f056012213f22
SHA256 187ee03ff858418849fc4dedc1ae6ad5a8d1778a3da6a26fea1a44517c9ecb34
SHA512 f165f6292643e695831fabc9efc1c2f3855d294a3ad54ef745eeece6298d4d5b52210a3950c751b26c933abc2abd48d3ef504a596a9e932f69901d73187731f1

C:\Users\Admin\AppData\Local\Temp\shell.ini

MD5 6155652e608cfbcf3a6c23ed9b7ccd21
SHA1 96e6110dd1f7991bfc4f4d4b967e36dc14e1858d
SHA256 bff01dd0bbe7d995c5ba9f90027c08f2deb8f81dfa8b5e9628208d015cb2d872
SHA512 ad101c5cd7d2d2443207ff282ae0d6f240e07f1b32873ff2d710d85df90119c9be1a7054a7bc6a687547190b38ee45ef15443571acb12272d0c5f3d6275dec79

C:\Users\Admin\AppData\Local\Temp\mlng_GB.ini

MD5 45372c4acb71f52149864766ed8b21ff
SHA1 48a1519c789891c1295cdc7c58696a1b8f5907af
SHA256 6a0fd22eb05670716627d24db26e0efe39a8f6802d302bdfa187a0d627474a7a
SHA512 9c2cdf48f05c220dd679c415b0f20cd148450cebbba926fdf22687d7ecddb73f16077cdc1cf76088e9c20739e46f43cff841b080bf90bb24593df0ddf0735522
