Overview

overview

7

Static

static

3

264b27b9ac...18.exe

windows7-x64

7

264b27b9ac...18.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

pluginsetupadmin.exe

windows7-x64

4

pluginsetupadmin.exe

windows10-2004-x64

4

sz.exe

windows7-x64

1

sz.exe

windows10-2004-x64

1

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    264b27b9ac7ac6874e50d073638930b5_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    264b27b9ac7ac6874e50d073638930b5

  • SHA1

    4e2b68ab76ea8afaa6ef03dde72ab1ad5fd1f265

  • SHA256

    b5476446d4f5ac386bdd94987323ed71f70de54016ba19ce31e6e46b43e267ce

  • SHA512

    8f78943b1526f29c26f8f34571eb40b0fa9396d02876e76a7c6311340f0a7ee2826890a1cfb5f0aa0077d2726ef1458b16de33cdc55706df09a8ee95bdd9702d

  • SSDEEP

    49152:kO0e40QOdfZ7B1OHZYlLjqyJkUs75Naw4O5:kO0Z0QIfH1SM/qkkVbd4O5

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\264b27b9ac7ac6874e50d073638930b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\264b27b9ac7ac6874e50d073638930b5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe
      "C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe" /setupsucc
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:2660
    • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe
      "C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe" /autorun /setuprun
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1480
    • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\pluginsetupadmin.exe
      "C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\pluginsetupadmin.exe" /S
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:1280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\JuleGame\jlgplayer\npjlgplayer3.dll
    Filesize

    793KB

    MD5

    eb9729ce37dff44821fc35f71dea8fa0

    SHA1

    2cf8d4d6b9bad91e9ec26c746fa011b9e97387b1

    SHA256

    e2dd0098bfe73f5ae6f407a03a11df39baed75e29fcdc67413bbbc6819a1c4a5

    SHA512

    79e1fd84b4e61a1e20188f4c8d40b1363e0ea5dcbb840e4dbbe8463f0f8c1321c2b6c66f32498e3dbdc8c4ffe95a10659cba16eed445c8113183e9bfb1fb9839

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\lander.ini
    Filesize

    374B

    MD5

    65a50e1fcd4fa1371791e26c4195bced

    SHA1

    fc04e9674aee95827e8b1fbfc230e280c8ecfa52

    SHA256

    2fbf7507afd3c3c120fd4a5801f3adfcfe1a57b2e3c00f41799bcbac4236a02d

    SHA512

    b73c3560fc55b358278d52a8fe105034649ced419dfb9217d8455b56fc2e34f62a8d6d50e2406305e42f05a71332f0cb611937086b37ce051d6433020431e17c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\pluginsetupadmin.exe
    Filesize

    461KB

    MD5

    87daf3658c6aa863444532f1f324cca1

    SHA1

    c0caa342fcbde6a0c6b1566e71bc051117a7c40b

    SHA256

    c007fefe59aa783e7ea677a6275f87b9675f750a8e31a67c8325440308eed90a

    SHA512

    050b10619e355fe16fc23bf83b7b38a5237adb80e406d79653c029182bf33a40c3717a12f80ce1e024e2afee305421b3f3947d38a833169576e1c3d0a9ebc551

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe
    Filesize

    512KB

    MD5

    dc76537739480187a51475b137a96572

    SHA1

    34d097cf5e3f0d4a422f70e09bb81e988fa6adb9

    SHA256

    07b49f9565b8aff1bb71699ed63b6574289779215fb5c2aa54b4f2d6c21a2f5e

    SHA512

    afd3896ea65847f173f99538183d8c6e434d9b3f28c3e595af4145464b02449bbb9a5336ffd1c5ae8ea321bc87980298e80a9b82d488e09c00aeadd1541ba959

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe
    Filesize

    1.2MB

    MD5

    5fd84590e2e1358a8e51fb76b1b3d721

    SHA1

    eea0902b66e1082a5ba9a1ad7c4bcd3fb5d53154

    SHA256

    bcc516b915a8826ef12689e455d0b1afaa7ad1eae534729eb43e6639a95992f6

    SHA512

    3e9de52d11522b5115d30b51a6cf5b43e28df27432e7d0aa0eeecd0648ab1d3622b30f921bbed011681ba7c286d71053486bb0b6949103b69adab1cc4e5e1281

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2345游戏\sz\Lander.ini
    Filesize

    105B

    MD5

    f677bcc35ca5b71636740932c8310d57

    SHA1

    3c11efe096c0280f3a19f9f1b60c5560449453f5

    SHA256

    7612f7c2be199d78dee986475d1dc391afce3b3b2625f196892475287dc643e0

    SHA512

    77cedaebe2e93a11291123d513d0133c964aa0f47eab192fa55f28d278be3ccc4305e259909d4e7e50c06b610ff74f3478f1028a77860b9bebdf82716d2dd2f3

    Download Submit

  • \Users\Admin\AppData\Local\JuleGame\jlgplayer\npjlgplayer3.dll
    Filesize

    448KB

    MD5

    f57f2e5e228ebf5267412172bed99dd7

    SHA1

    2c26c695bd6e746917571d8acbbf146bf59d96e5

    SHA256

    e23c2bbbd1b377d44a13678a25de985d300bd7d6e751aa14735b3186ff5b9eb8

    SHA512

    1f6a6709a01a92bde4ab846ebb2524f4feeff83e33019c3cc037e6af99335f3eafbbd3beb8c25c52397f3334bbda8e011b38445425cce01f2e4aa3edffcbbda5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso560.tmp\FindProcDLL.dll
    Filesize

    3KB

    MD5

    8614c450637267afacad1645e23ba24a

    SHA1

    e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

    SHA256

    0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

    SHA512

    af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso560.tmp\System.dll
    Filesize

    10KB

    MD5

    56a321bd011112ec5d8a32b2f6fd3231

    SHA1

    df20e3a35a1636de64df5290ae5e4e7572447f78

    SHA256

    bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

    SHA512

    5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

    Download Submit

  • \Users\Admin\AppData\Roaming\2345ÓÎÏ·\sz\sz.exe
    Filesize

    448KB

    MD5

    a1cbdcee6f0f3842569643197cf28fd1

    SHA1

    94e52a96b209a0d76c879144300ff7e3d11146eb

    SHA256

    22c0f3fe4a76fb8efae4fb2695123572eae51ea30ba8fe94df755704e62348df

    SHA512

    332cce9c01a1bb09197ade949d773afc194b2dc6b73505bea4a8bcfa9aa3affa436479a77f1a0f9bf23a33a425e891fea8f28900cd6eb1560159f2762c9c9c2c

    Download Submit

  • memory/2364-50-0x00000000004F1000-0x00000000004F2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-13-0x00000000004F1000-0x00000000004F2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-43-0x00000000004F0000-0x00000000004F3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2364-44-0x00000000004F1000-0x00000000004F2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-12-0x00000000004F0000-0x00000000004F3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2364-62-0x00000000004F1000-0x00000000004F2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-61-0x00000000004F0000-0x00000000004F3000-memory.dmp

    Filesize

    12KB

    Download