Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-04-2024 20:03

General

  • Target

    070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

  • Size

    264KB

  • MD5

    070a6e2ee81e6a9d3aa7f6e64b7c0915

  • SHA1

    6e04b2c65729f1e50edfbc8fa7fefcf445bfe233

  • SHA256

    9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15

  • SHA512

    018714d13246032d4d9741e1da5e8a6f2ec8ed09d63f10029c3c2cf0215e13c0592298195fc4657696a7f17abdbf4e8e8baf27e33f1b4271884641fb6d68704e

  • SSDEEP

    6144:K11jsU5B0b7GmO7MOpi5RZwRNhtpp9ONDnGPzGNi6:e1XB0b7GmO7MOpi5RZwRNhtpp9ONDnGN

Malware Config

Signatures

  • Drops startup file 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2452
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2964
    • C:\Windows\hot.exe
      C:\Windows\hot.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files (x86)\Internet Explorer\iexlore.exe"
        3⤵
        • Drops file in Program Files directory
        PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"
        3⤵
        • Drops file in Program Files directory
        PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"
        3⤵
        • Drops file in Program Files directory
        PID:2728
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0
        3⤵
        • Loads dropped DLL
        PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"
        3⤵
        • Drops file in Windows directory
        PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\system32\reg.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\system32\reg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • Runs .reg file with regedit
        PID:2712
    • C:\Windows\SysWOW64\qq.exe
      C:\Windows\system32\qq.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\SysWOW64\del.bat
        3⤵
        PID:1180
        • \??\c:\windows\s\smss.exe
          "c:\windows\s\smss.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1608
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f
            5⤵
            • Adds Run key to start application
            PID:2016
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1976
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\XUNLEI.DLL"
      2⤵
      • Modifies registry class
      PID:292
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0
      2⤵
      • Drops file in Windows directory
      PID:2464
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL
        3⤵
        • Modifies registry class
        PID:2284
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • Runs .reg file with regedit
        PID:2280

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\tj[1].js

      Filesize

      520B

      MD5

      52bc1705043251299cd4b4e71bde9a59

      SHA1

      489d2a67263f969618c2a85caaa488887a9c8747

      SHA256

      465987a7ecbd938a8648bb9aac3871b33db724ba23f35da6e95f6c4c0dd52189

      SHA512

      0bbb43d576ac5b6694107cf37202172407a75e8f88c7ae423704f90b7346eae1de9ed64fdf2d6b15d9db73d140bc4667709d986fd41e5554e330f906cac59969

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\common[1].js

      Filesize

      1KB

      MD5

      3fe851c08d4a64733c249b3aef00dd3c

      SHA1

      dfd9e1bacb53fef86b9dc40244bd6edecdfae636

      SHA256

      2adc9f8d62d1550b4b8aac988f5ef4eb55bcdd48b569fac7251169366a40fb37

      SHA512

      50aa265a3dd0a111061447ca7508be27a01cb1eca9f553c8b5609b2434461322500586261708bf8dbd135f287282a7be64963604f6239104c334f8464be77bec

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe

      Filesize

      1KB

      MD5

      ac426679bceba77a1d2d9f2755387f37

      SHA1

      9ca63a59a805799bb92dbb1500970408ef918ae5

      SHA256

      090f3cd8b3d1b0232a340b1b32cb1c5d25d16218f047b11c05213e12a3ff51b8

      SHA512

      5fd657aef38640cb4e5525cc7a986f2150e1b3b00dac1b1782b862d1ff5a5e4da26f59e64db1ecd1f41a4c2a26d34e201837de3e81977da93fc25a402832f702

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe

      Filesize

      2KB

      MD5

      32ad14609ab972a8063fca62fef35295

      SHA1

      67fa67b824671ffb35418f30863607fc0a5f2a59

      SHA256

      f5b7139c4dbf533334ad46e03d7b69d28d5a6505b6ca1866ac9541423da04bca

      SHA512

      7bbc1b6f9ab42d8a64a17721239ca63f2233f4b3173d0b41bfa2fcb900d7de85b6491038ceff4b30dcedbeb7b78ee8586b271d15d9e22557534bd2a0d26d3c3c

    • C:\Windows\StrongIndex.reg

      Filesize

      1KB

      MD5

      3840df4f59fc8472804d6534ee47c86f

      SHA1

      cb5df88f2a661c72edcdf8461e95e5ae7aa529d3

      SHA256

      fe35a7171754b3368aea0fb7fa4a57fe17d49a4fc95645286c599fd2223b8166

      SHA512

      c0bd0c72c43088a96f289492ba3c8076531d858255579fbe15a447a80e317eb4eaff818c0d5e5e42cfeedf4c6257887ca49c284efda6becb2a5e572eb7132c28

    • C:\Windows\SysWOW64\del.bat

      Filesize

      104B

      MD5

      84058ffb298449cd911b8ed3e382352e

      SHA1

      8a7a77f0dae04c4e7fc850bc50a749135feb4c78

      SHA256

      f2ddd8a2652810d07d8fd85ec3dedad84a1595bce6f2dec13e01607cc1c3171c

      SHA512

      fc6c59c8b56d46a551d613253e5ec0c973c48185efb4fbe82000fb21dbe48f9b8a5750c7ab04f07f8abd83d727e85f3b847e2b3f644bfc22d0865409f5e709cf

    • C:\Windows\SysWOW64\reg.reg

      Filesize

      185B

      MD5

      06384c898003bd123646056e835eb171

      SHA1

      92906b2a8c0112c29374352644871873de00208a

      SHA256

      1a74f3572ff21f2967f6043b7e77bfd769beba2a226a182904e8d35924e1e304

      SHA512

      a2c4a781090b93dcb87e30b34e485fb5109f6398f21a0483cc15f9b0b9cedde73f4f107c8e10f0a629a730a0085f3b36cea61a466d7089fff972b44bda235e59

    • C:\Windows\XUNLEI.DLL

      Filesize

      28KB

      MD5

      7b339e9e67773d0622ef801afbd28b8d

      SHA1

      6c5cd55f56ba8d01d7c68b64540bb9ef9e0fcb12

      SHA256

      b2334d85640afb8b617b2e8a04d35474dc2b46376b30429314772eee363f6747

      SHA512

      cf3a571c3fff7e6eca3cb5b04ad30faa3a7ed1fb19f8a5792d49a095e43265032d37a863b8a6a778433ffc033ae78274ab09e9096013ec944f162fd0aad298fb

    • C:\Windows\bhoreg.reg

      Filesize

      173B

      MD5

      5445be71fa6b294bbbc40f3025197a45

      SHA1

      2b67ceef71dfb405424d91ca21d864a300ef2fec

      SHA256

      e9d2aa5fca34c11fd1fd3b1f73607e0b8004e14de835e95252394f4e5a96ed97

      SHA512

      481b8547790491d3a61c42ac1906e519d6ed244cdf92088ad72cd319e8bb56fd0cf73579e9e8d35fd5d53524469b29465c350e0e4c5ba94434d661c9943409ff

    • C:\Windows\hot.exe

      Filesize

      56KB

      MD5

      e87bd49ad0363b5112570021264e88ce

      SHA1

      6b879a50ab9528f863870d319a0b1d66ec5f1b36

      SHA256

      a25164ad33196d13c50a6998440d66baaabc403a02fddf0ebd408ce700e2bb69

      SHA512

      64a74c43f665125b9febe0523429d1e390a835d7a801a9bf8f6011f265c7f740e5cdcefa9292f6287eb6bf54bced51c9484f28c0570740f6e7ce8e7c67c06826

    • C:\Windows\updateLnk.vbe

      Filesize

      4KB

      MD5

      5bf80e38e5312144f5a3f637bff1adfd

      SHA1

      62de872c490ee580a5d6a8b77276a0b0b7c82438

      SHA256

      e7e01513bcab6a0b6c6191138d53fe680ef8790239471cee7a398060259e2174

      SHA512

      5489967a469bfd4033b4cce86343bb5d075f39be496d2e83ac67b5e7e293d577e4c325f4d0230a5aa2e2a5af526584003d12e27e1b302462630db2e867c0a634

    • \Windows\SysWOW64\qq.exe

      Filesize

      84KB

      MD5

      1222247a98269a3f305840c7cccd8d02

      SHA1

      8aba585b8c9d7737b411c5ef008513c6bc3fe222

      SHA256

      5e9f2a7a2bb8e43b5b7ad6c472e9100dc6fc4a982634b96c968ca649fa76589b

      SHA512

      ef576a047b23adf876730ccac1f645e89ac0019a3208c74c0cd17a0565958e5af9b6f37328a1eeb481fd2e7d20b86ff480eda2375e9b770d327b661ca01b307a

    • memory/1608-90-0x0000000004B50000-0x0000000005BB2000-memory.dmp

      Filesize

      16.4MB

    • memory/2100-98-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2100-0-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2924-56-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB