Analysis

  • max time kernel: 150s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12-06-2024 12:36

General

  • Target: a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe
  • Size: 61.7MB
  • MD5: a0b09b0e6609f89c60d6848a662b83a9
  • SHA1: aa84027dd3a4abc18eb873a8a0ed8c61223a73a9
  • SHA256: 10d3d7b584624563fae525b258a3115c8eff08e00758012f47db7c92f8a96e2e
  • SHA512: daebf105c19b31546f7f1d7010e494dce18402d03b51b7a45765c4d4c148482bed9bd750e3772f57335b258584561815f8019b4340492ce3164273f74c6fc935
  • SSDEEP: 1572864:laPSWm+A1hwBzyDAGZS2Z7JSXDu+ZXVbiBPNA0wAv:l9Wm+i24AeZZ7ydEBlA0wc

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe (PID 4044)
    "C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe"
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe (PID 1524)
      "C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe" 1244 nosilent
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\msiexec.exe (PID 748)
    C:\Windows\system32\msiexec.exe /V
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1
  • Defense Evasion
    • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\HummerSetup.dll
    Filesize: 1.2MB
    MD5: 0061076b19ac1d3e63578d4ffe92ae65
    SHA1: 047d742bf3e312f65fca4728287f98ca7fa19c31
    SHA256: 58bec01266aa5f53aae52293138140e06e5cf956c0c680757e69b6b34ace416b
    SHA512: 8cf340c1a2350b6a46fc033eb969dbf900550b6009fece746a8991f321435fa3c7dd2b3204898dc8609447a8fa05eacbcadf939501395c4b38ed1d0573b60c2f

  • C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQPCDetector.dll
    Filesize: 721KB
    MD5: fe90262e8b9677694ae9f9095fccb7a3
    SHA1: 0922135dbaf9824014800e13a912a69bde733723
    SHA256: f7cc3aa92edd7066dd83573d4a33725f329051a820fce83350220f8632d49cb1
    SHA512: c6a0c1a94c9d9d017b3f5342cadf7e5e33bd1abaac1b2f4f8cdc5a0b98c531cf86a5795aee8c22df340347a425a97209aa55e88a2642ec5cefce4547e586293e

  • C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe
    Filesize: 448KB
    MD5: 79d160fc002214110de9089a791094e8
    SHA1: a3885ee6b0005f4ff2070794e24afc6a835cd1d2
    SHA256: 5f699fe1c1079ce2b24c2d64e9b8ff41c58a65e8171415a7b5df8039334d2b66
    SHA512: 9ed4f44a2ffe0694683058bdbea0f481fdc4ac246b8996b9895f8531bc4581b1682de54740d616840bb50e5e720d1e4b692234d3ec644ca727fc431dc806b5e9

  • C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\dlcore.dll
    Filesize: 2.1MB
    MD5: 034f82a601af1ab10d64af95a23dd8c3
    SHA1: 3dd5ff8217bf601b153d87e97a434ed2f14bdf71
    SHA256: 60305b6766970768cb81e75bb8af5e74c9c6b6d55ef747f3c441b68211110d53
    SHA512: 1ee4f9fc8026da1729b7e3c1be6201e7be7c68a85b4adfee9337df73eddb297a06043bfff8834afdf29910d0d942aaba3d7ccd28d6915d075c292ed1932d0913

  • C:\Windows\k93UtF3P55Ac6.dat
    Filesize: 155KB
    MD5: c6d182150ec67b517d803d75e6e48fb4
    SHA1: 983200fcf5dcf4b922701d0c6d47a9f18a530bb5
    SHA256: 0cb32302dd006cd923839584396cf392a502769c9374556c2e88ab2b926740bc
    SHA512: e4654b2de9650b48991011fb49aff08d4253eb300e807a5b19a1f1067dc086f2336e31ee4dadfe0ac6b42b851a934bcb3c172d6a827d865e44206c3f49f22b32

  • memory/1524-95-0x0000000004DD0000-0x0000000004E2C000-memory.dmp (Filesize: 368KB)
  • memory/1524-34-0x0000000004850000-0x00000000048AC000-memory.dmp (Filesize: 368KB)
  • memory/1524-43-0x0000000004DD0000-0x0000000004E2C000-memory.dmp (Filesize: 368KB)
  • memory/1524-24-0x0000000004730000-0x00000000047E5000-memory.dmp (Filesize: 724KB)
  • memory/1524-94-0x0000000004850000-0x00000000048AC000-memory.dmp (Filesize: 368KB)
  • memory/1524-98-0x0000000004850000-0x00000000048AC000-memory.dmp (Filesize: 368KB)
  • memory/1524-99-0x0000000004DD0000-0x0000000004E2C000-memory.dmp (Filesize: 368KB)
  • memory/1524-111-0x0000000004850000-0x00000000048AC000-memory.dmp (Filesize: 368KB)
  • memory/1524-114-0x0000000004DD0000-0x0000000004E2C000-memory.dmp (Filesize: 368KB)
  • memory/1524-113-0x0000000004850000-0x00000000048AC000-memory.dmp (Filesize: 368KB)
  • memory/1524-126-0x0000000004850000-0x00000000048AC000-memory.dmp (Filesize: 368KB)