Overview
overview
9Static
static
91a7e7c3045...18.exe
windows7-x64
61a7e7c3045...18.exe
windows10-2004-x64
6$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
1$PLUGINSDI...ll.dll
windows10-2004-x64
1$PLUGINSDI...cs.exe
windows7-x64
1$PLUGINSDI...cs.exe
windows10-2004-x64
1$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$TEMP/QQLi...ex.exe
windows7-x64
3$TEMP/QQLi...ex.exe
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3ADManage.dll
windows7-x64
7ADManage.dll
windows10-2004-x64
7ATL80.dll
windows7-x64
1ATL80.dll
windows10-2004-x64
1AsyncTask.dll
windows7-x64
3AsyncTask.dll
windows10-2004-x64
3BugReporter.exe
windows7-x64
1BugReporter.exe
windows10-2004-x64
1CefSubProcess.dll
windows7-x64
3CefSubProcess.dll
windows10-2004-x64
3ChannelMgr.dll
windows7-x64
7ChannelMgr.dll
windows10-2004-x64
7Common.dll
windows7-x64
1Common.dll
windows10-2004-x64
1D3DX9_43.dll
windows7-x64
1D3DX9_43.dll
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
06-05-2024 03:13
Behavioral task
behavioral1
Sample
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallHelper.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallHelper.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/ProcDll.dll
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/ProcDll.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/Statistics.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/Statistics.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral13
Sample
$TEMP/QQLive/QQLiveSetupex.exe
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
$TEMP/QQLive/QQLiveSetupex.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/ExProcDLL.dll
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/ExProcDLL.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral17
Sample
ADManage.dll
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
ADManage.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
ATL80.dll
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
ATL80.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral21
Sample
AsyncTask.dll
Resource
win7-20240215-en
Behavioral task
behavioral22
Sample
AsyncTask.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral23
Sample
BugReporter.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
BugReporter.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral25
Sample
CefSubProcess.dll
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
CefSubProcess.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral27
Sample
ChannelMgr.dll
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
ChannelMgr.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral29
Sample
Common.dll
Resource
win7-20240220-en
Behavioral task
behavioral30
Sample
Common.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral31
Sample
D3DX9_43.dll
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
D3DX9_43.dll
Resource
win10v2004-20240419-en
General
-
Target
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe
-
Size
31.9MB
-
MD5
1a7e7c30455fe01bb74cc1beac9c20c1
-
SHA1
f019ba09eba872bf9c7713612caae114ba060eb8
-
SHA256
80d28b14d2172c2a3a76a718b604d120ff2a8e80424d68790afbe0bd267ee064
-
SHA512
c80f096cf8422d2d47a59e1dc2d150542f87c6167b8701a77fa43ca9e240ec85bc5485ee5f56efe3ffd27debe6ec0d7aafe064df3598845638f6444116895114
-
SSDEEP
786432:dbf97HMYUtdEXaSNFqZNVg2G0TzsVGYptBI+xpF7:dLZsRPEKS7sUw/sVGY3B1xpZ
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exedescription ioc process File opened for modification \??\PhysicalDrive0 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
Processes:
Statistics.exepid process 2516 Statistics.exe -
Loads dropped DLL 5 IoCs
Processes:
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exepid process 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qqlive 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qqlive\ = "1" 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exepid process 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exedescription pid process target process PID 2192 wrote to memory of 2516 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe Statistics.exe PID 2192 wrote to memory of 2516 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe Statistics.exe PID 2192 wrote to memory of 2516 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe Statistics.exe PID 2192 wrote to memory of 2516 2192 1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe Statistics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\nsd15E3.tmp\Statistics.exe"C:\Users\Admin\AppData\Local\Temp\nsd15E3.tmp\Statistics.exe" cmd=2567&ctype=1&itype=11&ver=9.12.1296.0&str1=F2741BBBBECDA604E457B301A90B3CBD&str2=channel1&vid=&url=1a7e7c30455fe01bb74cc1beac9c20c1_JaffaCakes118.exe2⤵
- Executes dropped EXE
PID:2516
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5c3cddafea6c6fa8dd2f23f9a6e18dd98
SHA1d50fca37045eaa24f87fe295b78b3269e12f7f67
SHA256c1be0784d3a780ccaf5ddb89ec657cac39b14b37c617d843f9e666793e4d8b41
SHA512c44c3d45eb6b59bac77e93e73ccf3b69edf1a51c07ad987d2a1ea6f4c0a3d4395325f905a2f4ff5906143be7b94ed8acf2c45afeffb39710f9d35edffdf5e1d8
-
Filesize
308KB
MD5b5cf41119267aa29d51cd0bb2027c1aa
SHA1bb1251b652806fff5c093cbbcefb8f62eac4a3ae
SHA2565328a65448499a882cced9487db3e989384b9e2bcb65873095cfa45bb99be752
SHA51241334a29d982eb99a0811ae942d057ffbaeb6cc7ce84d2b7d1276b2b26b4e0aed084b9dc75e5f2deebd04555eebded11c577afc911c332a5b7a53f457e2dd090
-
Filesize
1000KB
MD5889686a649b80f6025f246ea6e778021
SHA14ca2cb0117dd6fd63dc197707970efb19144ed56
SHA2568a0ebf941c15a69c9a7978aa8b17700dbcf0790768c372cbb16cc8e64611b54d
SHA512ea78a522e046166666989f7b41cce14cc96ea0156277ffe45c77b5190ad90236e107f725e063552177bb5225f4cbef064363256a7e90e58d617e8653e1a9bf2f
-
Filesize
268KB
MD58cd1ca96e2d6202be5d19fcefa35bbb9
SHA187f363b889b6ddf7cce6f7de981a36e5d600909c
SHA25649cd107a52f0c7a7ea546ae1795b7044628361dcf6884b4a57f4c6e1fda109c5
SHA512239a7549c596c6b9f670b38eda1bafa2cb62db46deab53ab20afcc01f85481766744c3578230d13d82e5eaa7c40104555bb4fb85d7d22b02a9cd426162bb5144
-
Filesize
18KB
MD592fc9e50e8511609257cb59f633f13d6
SHA1f95f0df12deb5dc4b281732d983bb2c103c17b56
SHA256953ba87a30cbe067408e75bba9fe750c0e60270607aba1ec953bd730c337fe3b
SHA512fe4a4d3e6ba6ae0bb2194f7667443dd5be591ef2e9b1f792d80d7ed3ad1685858dbb856548f01d5a73e80cd9cdb144f24f4d517f8f91b2eb376606c325041093