Malware Analysis Report

2025-01-03 08:23

Sample ID 240704-ejv1kavgjc
Target 248cfdc361e286512672f16d7b03f521_JaffaCakes118
SHA256 15b2496713a364dfe33f4517216d70fa26e90d505a2fd00a231955f7fa0af001
Tags aspackv2 metasploit backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15b2496713a364dfe33f4517216d70fa26e90d505a2fd00a231955f7fa0af001

Threat Level: Known bad

The file 248cfdc361e286512672f16d7b03f521_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 metasploit backdoor trojan

MetaSploit

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-04 03:58

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 03:58

Reported

2024-07-04 04:01

Platform

win7-20240508-en

Max time kernel

147s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File created C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A
File opened for modification C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe C:\Windows\SysWOW64\tsqla.exe
PID 1924 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe C:\Windows\SysWOW64\tsqla.exe
PID 1924 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe C:\Windows\SysWOW64\tsqla.exe
PID 1924 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe C:\Windows\SysWOW64\tsqla.exe
PID 3040 wrote to memory of 2716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 3040 wrote to memory of 2716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 3040 wrote to memory of 2716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 3040 wrote to memory of 2716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2716 wrote to memory of 2588 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2716 wrote to memory of 2588 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2716 wrote to memory of 2588 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2716 wrote to memory of 2588 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2588 wrote to memory of 2692 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2588 wrote to memory of 2692 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2588 wrote to memory of 2692 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2588 wrote to memory of 2692 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2692 wrote to memory of 1716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2692 wrote to memory of 1716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2692 wrote to memory of 1716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 2692 wrote to memory of 1716 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1716 wrote to memory of 1896 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1716 wrote to memory of 1896 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1716 wrote to memory of 1896 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1716 wrote to memory of 1896 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1896 wrote to memory of 1444 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1896 wrote to memory of 1444 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1896 wrote to memory of 1444 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1896 wrote to memory of 1444 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1444 wrote to memory of 1056 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1444 wrote to memory of 1056 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1444 wrote to memory of 1056 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1444 wrote to memory of 1056 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1056 wrote to memory of 772 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1056 wrote to memory of 772 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1056 wrote to memory of 772 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 1056 wrote to memory of 772 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 772 wrote to memory of 1952 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 772 wrote to memory of 1952 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 772 wrote to memory of 1952 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe
PID 772 wrote to memory of 1952 N/A C:\Windows\SysWOW64\tsqla.exe C:\Windows\SysWOW64\tsqla.exe

Processes

C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 476 "C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 532 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 540 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 528 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 548 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 536 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 544 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 552 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 556 "C:\Windows\SysWOW64\tsqla.exe"

C:\Windows\SysWOW64\tsqla.exe

C:\Windows\system32\tsqla.exe 560 "C:\Windows\SysWOW64\tsqla.exe"

Network

N/A

Files

\Windows\SysWOW64\tsqla.exe

MD5 248cfdc361e286512672f16d7b03f521
SHA1 999cd546eb7e603b2cabe4f84a4123af619a4c3d
SHA256 15b2496713a364dfe33f4517216d70fa26e90d505a2fd00a231955f7fa0af001
SHA512 6d462dd93597654978f30aea0805363cdaf0912efa13b484ece8ea0a6ac5d49038577ab5feb3951d410f7e75688faa6ae7c8272a81a8af5c824cce0ef0f2f1ad

memory/1924-11-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/3040-12-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/2716-17-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/2588-22-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/2692-27-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/1716-32-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/1896-37-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/1444-42-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/1056-47-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/772-52-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/1952-57-0x0000000000400000-0x0000000000A12000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 03:58

Reported

2024-07-04 04:01

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\248cfdc361e286512672f16d7b03f521_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4540 -ip 4540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 264

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4540-0-0x0000000000400000-0x0000000000A12000-memory.dmp