Analysis

  • max time kernel: 151s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30-04-2024 20:03

General

  • Target: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  • Size: 264KB
  • MD5: 070a6e2ee81e6a9d3aa7f6e64b7c0915
  • SHA1: 6e04b2c65729f1e50edfbc8fa7fefcf445bfe233
  • SHA256: 9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15
  • SHA512: 018714d13246032d4d9741e1da5e8a6f2ec8ed09d63f10029c3c2cf0215e13c0592298195fc4657696a7f17abdbf4e8e8baf27e33f1b4271884641fb6d68704e
  • SSDEEP: 6144:K11jsU5B0b7GmO7MOpi5RZwRNhtpp9ONDnGPzGNi6:e1XB0b7GmO7MOpi5RZwRNhtpp9ONDnGN

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2356
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:3464
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\StrongIndex.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:3236
    • C:\Windows\hot.exe
      C:\Windows\hot.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Internet Explorer\iexlore.exe"
        3⤵
        • Drops file in Program Files directory
        PID:1428
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"
        3⤵
        • Drops file in Program Files directory
        PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"
        3⤵
        • Drops file in Program Files directory
        PID:1800
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0
        3⤵
        PID:4968
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"
        3⤵
        • Drops file in Windows directory
        PID:3384
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\system32\reg.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\system32\reg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • Runs .reg file with regedit
        PID:2200
    • C:\Windows\SysWOW64\qq.exe
      C:\Windows\system32\qq.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\del.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3192
        • \??\c:\windows\s\smss.exe
          "c:\windows\s\smss.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f
            5⤵
            • Adds Run key to start application
            PID:5080
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4716
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\XUNLEI.DLL"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:5060
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:1456
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • Runs .reg file with regedit
        PID:1600
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1612 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1860

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe
    Filesize: 1KB
    MD5: ac426679bceba77a1d2d9f2755387f37
    SHA1: 9ca63a59a805799bb92dbb1500970408ef918ae5
    SHA256: 090f3cd8b3d1b0232a340b1b32cb1c5d25d16218f047b11c05213e12a3ff51b8
    SHA512: 5fd657aef38640cb4e5525cc7a986f2150e1b3b00dac1b1782b862d1ff5a5e4da26f59e64db1ecd1f41a4c2a26d34e201837de3e81977da93fc25a402832f702

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe
    Filesize: 2KB
    MD5: 32ad14609ab972a8063fca62fef35295
    SHA1: 67fa67b824671ffb35418f30863607fc0a5f2a59
    SHA256: f5b7139c4dbf533334ad46e03d7b69d28d5a6505b6ca1866ac9541423da04bca
    SHA512: 7bbc1b6f9ab42d8a64a17721239ca63f2233f4b3173d0b41bfa2fcb900d7de85b6491038ceff4b30dcedbeb7b78ee8586b271d15d9e22557534bd2a0d26d3c3c

  • C:\Windows\StrongIndex.reg
    Filesize: 1KB
    MD5: 3840df4f59fc8472804d6534ee47c86f
    SHA1: cb5df88f2a661c72edcdf8461e95e5ae7aa529d3
    SHA256: fe35a7171754b3368aea0fb7fa4a57fe17d49a4fc95645286c599fd2223b8166
    SHA512: c0bd0c72c43088a96f289492ba3c8076531d858255579fbe15a447a80e317eb4eaff818c0d5e5e42cfeedf4c6257887ca49c284efda6becb2a5e572eb7132c28

  • C:\Windows\SysWOW64\del.bat
    Filesize: 104B
    MD5: 84058ffb298449cd911b8ed3e382352e
    SHA1: 8a7a77f0dae04c4e7fc850bc50a749135feb4c78
    SHA256: f2ddd8a2652810d07d8fd85ec3dedad84a1595bce6f2dec13e01607cc1c3171c
    SHA512: fc6c59c8b56d46a551d613253e5ec0c973c48185efb4fbe82000fb21dbe48f9b8a5750c7ab04f07f8abd83d727e85f3b847e2b3f644bfc22d0865409f5e709cf

  • C:\Windows\SysWOW64\qq.exe
    Filesize: 84KB
    MD5: 1222247a98269a3f305840c7cccd8d02
    SHA1: 8aba585b8c9d7737b411c5ef008513c6bc3fe222
    SHA256: 5e9f2a7a2bb8e43b5b7ad6c472e9100dc6fc4a982634b96c968ca649fa76589b
    SHA512: ef576a047b23adf876730ccac1f645e89ac0019a3208c74c0cd17a0565958e5af9b6f37328a1eeb481fd2e7d20b86ff480eda2375e9b770d327b661ca01b307a

  • C:\Windows\SysWOW64\reg.reg
    Filesize: 185B
    MD5: 06384c898003bd123646056e835eb171
    SHA1: 92906b2a8c0112c29374352644871873de00208a
    SHA256: 1a74f3572ff21f2967f6043b7e77bfd769beba2a226a182904e8d35924e1e304
    SHA512: a2c4a781090b93dcb87e30b34e485fb5109f6398f21a0483cc15f9b0b9cedde73f4f107c8e10f0a629a730a0085f3b36cea61a466d7089fff972b44bda235e59

  • C:\Windows\XUNLEI.DLL
    Filesize: 28KB
    MD5: 7b339e9e67773d0622ef801afbd28b8d
    SHA1: 6c5cd55f56ba8d01d7c68b64540bb9ef9e0fcb12
    SHA256: b2334d85640afb8b617b2e8a04d35474dc2b46376b30429314772eee363f6747
    SHA512: cf3a571c3fff7e6eca3cb5b04ad30faa3a7ed1fb19f8a5792d49a095e43265032d37a863b8a6a778433ffc033ae78274ab09e9096013ec944f162fd0aad298fb

  • C:\Windows\bhoreg.reg
    Filesize: 173B
    MD5: 5445be71fa6b294bbbc40f3025197a45
    SHA1: 2b67ceef71dfb405424d91ca21d864a300ef2fec
    SHA256: e9d2aa5fca34c11fd1fd3b1f73607e0b8004e14de835e95252394f4e5a96ed97
    SHA512: 481b8547790491d3a61c42ac1906e519d6ed244cdf92088ad72cd319e8bb56fd0cf73579e9e8d35fd5d53524469b29465c350e0e4c5ba94434d661c9943409ff

  • C:\Windows\hot.exe
    Filesize: 56KB
    MD5: e87bd49ad0363b5112570021264e88ce
    SHA1: 6b879a50ab9528f863870d319a0b1d66ec5f1b36
    SHA256: a25164ad33196d13c50a6998440d66baaabc403a02fddf0ebd408ce700e2bb69
    SHA512: 64a74c43f665125b9febe0523429d1e390a835d7a801a9bf8f6011f265c7f740e5cdcefa9292f6287eb6bf54bced51c9484f28c0570740f6e7ce8e7c67c06826

  • C:\Windows\updateLnk.vbe
    Filesize: 4KB
    MD5: e8636c3313b44fd3012050a201114200
    SHA1: 8511dd23b85cf9b356235771cbd4302f449f4a08
    SHA256: 87851c5b11f3cd1f894c4a47b9a787cfb2b18c8934d86047a5901c81a4215e34
    SHA512: 54d156a85068e5e621147b100ec45f579e74ddd5d7e5f39a71b687a255a953563a2eda33a3b5c77bc8f428e62b3a68e3581b0bb68a1658dcac456c3e66863f3a

  • memory/656-0-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/656-81-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize: 264KB

  • memory/4056-42-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB