Analysis

  • max time kernel
    141s
  • max time network
    75s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-04-2024 06:38

General

  • Target

    070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

  • Size

    264KB

  • MD5

    070a6e2ee81e6a9d3aa7f6e64b7c0915

  • SHA1

    6e04b2c65729f1e50edfbc8fa7fefcf445bfe233

  • SHA256

    9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15

  • SHA512

    018714d13246032d4d9741e1da5e8a6f2ec8ed09d63f10029c3c2cf0215e13c0592298195fc4657696a7f17abdbf4e8e8baf27e33f1b4271884641fb6d68704e

  • SSDEEP

    6144:K11jsU5B0b7GmO7MOpi5RZwRNhtpp9ONDnGPzGNi6:e1XB0b7GmO7MOpi5RZwRNhtpp9ONDnGN

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:1988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:3292
    • C:\Windows\hot.exe
      C:\Windows\hot.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Internet Explorer\iexlore.exe"
        3⤵
        • Drops file in Program Files directory
        PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"
        3⤵
        • Drops file in Program Files directory
        PID:4624
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"
        3⤵
        • Drops file in Program Files directory
        PID:664
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0
        3⤵
        PID:4112
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"
        3⤵
        • Drops file in Windows directory
        PID:3220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\system32\reg.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\system32\reg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • Runs .reg file with regedit
        PID:1960
    • C:\Windows\SysWOW64\qq.exe
      C:\Windows\system32\qq.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\del.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4424
        • \??\c:\windows\s\smss.exe
          "c:\windows\s\smss.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f
            5⤵
            • Adds Run key to start application
            PID:1036
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2868
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\XUNLEI.DLL"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:4704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:3780
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • Runs .reg file with regedit
        PID:2644
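    The following is an added example, not part of the sandbox report and not the sample's own code. It parses a process tree in the form shown above, using the `N⤵` depth marker on each node rather than the indentation (which the text export does not render consistently) to recover parent/child relationships, and then runs a few hand-written rules over every process to flag the behaviours the signatures above describe: a silent `regedit /s` import, the `reg add ... \Run` persistence, `regsvr32 /s` of the dropped DLL, WScript launching a script from the Startup folder, and an `smss.exe` living outside System32. The rule names and the ATT&CK technique IDs are this example's own mapping, not the sandbox's signature engine; the embedded sample is an abridged excerpt of the tree above, with some nodes and command lines omitted.

```python
"""Rebuild a sandbox process tree from its 'N⤵' depth markers and flag
persistence/defence-evasion along each ancestry chain (added example; the
rule names and ATT&CK IDs are this example's own, not the sandbox's)."""
import re
from dataclasses import dataclass, field

# Abridged excerpt of the report's process tree (verbatim lines; some nodes,
# command lines and signature bullets omitted for brevity).
TREE_TEXT = r"""
  • C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
    1⤵
    • Drops startup file
    PID:864
    • C:\Windows\SysWOW64\cmd.exe
      2⤵
      PID:908
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        PID:1988
    • C:\Windows\SysWOW64\qq.exe
      2⤵
      PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        3⤵
        PID:4424
        • \??\c:\windows\s\smss.exe
          4⤵
          PID:4580
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f
            5⤵
            PID:1036
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\XUNLEI.DLL"
      2⤵
      PID:4704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0
      2⤵
      PID:372
"""
DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")

@dataclass
class Proc:
    image: str
    cmdline: str = ""
    pid: int = 0
    signatures: list = field(default_factory=list)
    parent: "Proc | None" = None

def parse_tree(text):
    # A bullet containing a backslash opens a process node; its N⤵ line gives
    # the depth, so the parent is the most recently seen node at depth N-1.
    procs, cur, last_at_depth = [], None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("• ") and "\\" in line:
            cur = Proc(image=line[2:])
            procs.append(cur)
        elif cur is None or not line:
            continue
        elif m := DEPTH_RE.match(line):
            depth = int(m.group(1))
            cur.parent = last_at_depth.get(depth - 1)
            last_at_depth[depth] = cur
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
        elif line.startswith("• "):          # sandbox signature label
            cur.signatures.append(line[2:])
        elif not cur.cmdline:                # first free-text line is the command line
            cur.cmdline = line
    return procs

def ancestry(p):
    chain = []
    while p:
        chain.append(p.image.rsplit("\\", 1)[-1])
        p = p.parent
    return " > ".join(reversed(chain))

def rules(p):
    img, cmd = p.image.lower().rsplit("\\", 1)[-1], p.cmdline.lower()
    hits = []
    if img == "regedit.exe" and " /s " in cmd + " ":
        hits.append(("silent .reg import", "T1112"))
    if img == "reg.exe" and " add " in cmd and "\\currentversion\\run" in cmd:
        hits.append(("Run key persistence", "T1547.001"))
    if img == "regsvr32.exe" and "/s" in cmd and ".dll" in cmd:
        hits.append(("silent DLL registration", "T1218.010"))
    if img == "wscript.exe" and "\\start menu\\programs\\startup\\" in cmd:
        hits.append(("script in Startup folder", "T1547.001"))
    if img == "smss.exe" and not p.image.lower().endswith("\\system32\\smss.exe"):
        hits.append(("system binary name outside System32", "T1036.005"))
    return hits

def detect(text=TREE_TEXT):
    return [{"pid": p.pid, "rule": r, "technique": t, "chain": ancestry(p)}
            for p in parse_tree(text) for r, t in rules(p)]

if __name__ == "__main__":
    for f in detect():
        print(f"PID {f['pid']:>5}  {f['technique']:<9} {f['rule']:<38} {f['chain']}")
```

    Each finding carries the full ancestry chain, which is what makes the `reg add` line actionable: on its own it is a generic Run-key write, but `qq.exe > cmd.exe > smss.exe > reg.exe` with `smss.exe` under `c:\windows\s\` is the persistence chain to block and hunt for. On real endpoint telemetry the same rules apply unchanged; only the parent lookup changes, keyed on the parent process ID instead of the report's depth markers.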

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe

      Filesize

      1KB

      MD5

      ac426679bceba77a1d2d9f2755387f37

      SHA1

      9ca63a59a805799bb92dbb1500970408ef918ae5

      SHA256

      090f3cd8b3d1b0232a340b1b32cb1c5d25d16218f047b11c05213e12a3ff51b8

      SHA512

      5fd657aef38640cb4e5525cc7a986f2150e1b3b00dac1b1782b862d1ff5a5e4da26f59e64db1ecd1f41a4c2a26d34e201837de3e81977da93fc25a402832f702

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe

      Filesize

      2KB

      MD5

      32ad14609ab972a8063fca62fef35295

      SHA1

      67fa67b824671ffb35418f30863607fc0a5f2a59

      SHA256

      f5b7139c4dbf533334ad46e03d7b69d28d5a6505b6ca1866ac9541423da04bca

      SHA512

      7bbc1b6f9ab42d8a64a17721239ca63f2233f4b3173d0b41bfa2fcb900d7de85b6491038ceff4b30dcedbeb7b78ee8586b271d15d9e22557534bd2a0d26d3c3c

    • C:\Windows\StrongIndex.reg

      Filesize

      1KB

      MD5

      3840df4f59fc8472804d6534ee47c86f

      SHA1

      cb5df88f2a661c72edcdf8461e95e5ae7aa529d3

      SHA256

      fe35a7171754b3368aea0fb7fa4a57fe17d49a4fc95645286c599fd2223b8166

      SHA512

      c0bd0c72c43088a96f289492ba3c8076531d858255579fbe15a447a80e317eb4eaff818c0d5e5e42cfeedf4c6257887ca49c284efda6becb2a5e572eb7132c28

    • C:\Windows\SysWOW64\del.bat

      Filesize

      104B

      MD5

      84058ffb298449cd911b8ed3e382352e

      SHA1

      8a7a77f0dae04c4e7fc850bc50a749135feb4c78

      SHA256

      f2ddd8a2652810d07d8fd85ec3dedad84a1595bce6f2dec13e01607cc1c3171c

      SHA512

      fc6c59c8b56d46a551d613253e5ec0c973c48185efb4fbe82000fb21dbe48f9b8a5750c7ab04f07f8abd83d727e85f3b847e2b3f644bfc22d0865409f5e709cf

    • C:\Windows\SysWOW64\qq.exe

      Filesize

      84KB

      MD5

      1222247a98269a3f305840c7cccd8d02

      SHA1

      8aba585b8c9d7737b411c5ef008513c6bc3fe222

      SHA256

      5e9f2a7a2bb8e43b5b7ad6c472e9100dc6fc4a982634b96c968ca649fa76589b

      SHA512

      ef576a047b23adf876730ccac1f645e89ac0019a3208c74c0cd17a0565958e5af9b6f37328a1eeb481fd2e7d20b86ff480eda2375e9b770d327b661ca01b307a

    • C:\Windows\SysWOW64\reg.reg

      Filesize

      185B

      MD5

      06384c898003bd123646056e835eb171

      SHA1

      92906b2a8c0112c29374352644871873de00208a

      SHA256

      1a74f3572ff21f2967f6043b7e77bfd769beba2a226a182904e8d35924e1e304

      SHA512

      a2c4a781090b93dcb87e30b34e485fb5109f6398f21a0483cc15f9b0b9cedde73f4f107c8e10f0a629a730a0085f3b36cea61a466d7089fff972b44bda235e59

    • C:\Windows\XUNLEI.DLL

      Filesize

      28KB

      MD5

      7b339e9e67773d0622ef801afbd28b8d

      SHA1

      6c5cd55f56ba8d01d7c68b64540bb9ef9e0fcb12

      SHA256

      b2334d85640afb8b617b2e8a04d35474dc2b46376b30429314772eee363f6747

      SHA512

      cf3a571c3fff7e6eca3cb5b04ad30faa3a7ed1fb19f8a5792d49a095e43265032d37a863b8a6a778433ffc033ae78274ab09e9096013ec944f162fd0aad298fb

    • C:\Windows\bhoreg.reg

      Filesize

      173B

      MD5

      5445be71fa6b294bbbc40f3025197a45

      SHA1

      2b67ceef71dfb405424d91ca21d864a300ef2fec

      SHA256

      e9d2aa5fca34c11fd1fd3b1f73607e0b8004e14de835e95252394f4e5a96ed97

      SHA512

      481b8547790491d3a61c42ac1906e519d6ed244cdf92088ad72cd319e8bb56fd0cf73579e9e8d35fd5d53524469b29465c350e0e4c5ba94434d661c9943409ff

    • C:\Windows\hot.exe

      Filesize

      56KB

      MD5

      e87bd49ad0363b5112570021264e88ce

      SHA1

      6b879a50ab9528f863870d319a0b1d66ec5f1b36

      SHA256

      a25164ad33196d13c50a6998440d66baaabc403a02fddf0ebd408ce700e2bb69

      SHA512

      64a74c43f665125b9febe0523429d1e390a835d7a801a9bf8f6011f265c7f740e5cdcefa9292f6287eb6bf54bced51c9484f28c0570740f6e7ce8e7c67c06826

    • C:\Windows\updateLnk.vbe

      Filesize

      4KB

      MD5

      e8636c3313b44fd3012050a201114200

      SHA1

      8511dd23b85cf9b356235771cbd4302f449f4a08

      SHA256

      87851c5b11f3cd1f894c4a47b9a787cfb2b18c8934d86047a5901c81a4215e34

      SHA512

      54d156a85068e5e621147b100ec45f579e74ddd5d7e5f39a71b687a255a953563a2eda33a3b5c77bc8f428e62b3a68e3581b0bb68a1658dcac456c3e66863f3a

    • memory/864-0-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/864-73-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2512-37-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB