Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
  • submitted
    14-06-2024 23:40

General

  • Target

    ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    ac0bf74c05127212f2800825bf73af08

  • SHA1

    bb7fe3dc76356a717ede736bbf3490c07a9a42ba

  • SHA256

    860befc00c41c533fa7c9011a0f5d1df1120724188050b67b088b1d7e06349e3

  • SHA512

    7dc15cef913690cca3c5aacf9616daec22d5b20a093abeb63acd2d3bb62cf1f9d2a7ad4a40700109f8763923a1176b786b43d208204d70cd04f345f2a9a119db

  • SSDEEP

    49152:2uuE7AnqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFWd:4E7AqrlyutLxC3sEwwMd

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 54 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      "C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2720
    • C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
      "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-IR5IpbEw6j9YpS1Wc4Ved3WXa85rh1XgyheSu4KSc873XX-0eLlV_4175qK_X1cC089g3UvQT4HFgXJ8-dW6Zyh6i63LXZxGM0W2Wqaimckia18juZWspKniF5_tMpLpMTV9OOG3TDj5uSN8GNMfht-hhfyrotZuymqeXTs4DKsqrgKv2NitWRKqRFCy2Uw-s.%26pcid%3D-1577129102750396778%26fr%3Dxiazai%26source%3Dtencent%26filename%3DTHS_qqguanjia_9.10.20.exe&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F1402_48_1626246961.png&softname=%E5%90%8C%E8%8A%B1%E9%A1%BA+%E5%85%8D%E8%B4%B9%E7%89%88&softsize=148.36MB
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
        "C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe" /Update
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll"
          4⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:1732
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"
            5⤵
            • Loads dropped DLL
            • Registers COM server for autorun
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:2320
        • C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
          "C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
            "C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe" MiniThunderPlatform2024-06-1423:42:38 "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1776
        • C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
          "C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Install
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2356
      • C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
        "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe" -StartTP
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        PID:1352
  • C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
    "C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Service
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
  • Pre-OS Boot (1) T1542
    • Bootkit (1) T1542.003

Privilege Escalation

  • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001

Defense Evasion

  • Modify Registry (3) T1112
  • Pre-OS Boot (1) T1542
    • Bootkit (1) T1542.003
  • Subvert Trust Controls (1) T1553
    • Install Root Certificate (1) T1553.004

Discovery

  • Query Registry (1) T1012
  • System Information Discovery (1) T1082

Downloads

  • C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll
    Filesize

    272KB

    MD5

    c97af614b96b1d7adeed67261b3771c0

    SHA1

    f67f94dff7a78953d4a9a6af63d30fc7dfe40a8e

    SHA256

    98f283754465cae416af646c9c68e4c1a60eea088616bb5a265cfdd9c896b1b8

    SHA512

    972cee7e0fe258ec1d62cbe7b077380010a5ab4a02c24791d23e10047f5d2a16e847b2a33bde9f7b27e6a59483f61371d98186281ef40a3a370629f546f6d322

  • C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll
    Filesize

    315KB

    MD5

    b256f88501223e358c03ea2a172e0f7f

    SHA1

    9ee8c5b3db6d7076742c488b001a76741fc3aefe

    SHA256

    2fc446c8fdb3ad5711e6e83c720379062accd40cf9203c6e484eea83faecb840

    SHA512

    10f9d2bcf55d2241cb92dea7b1f7833f7d2536e93c7906d3c483df25f8515f24bd3fa57659f8972b888cf57457ae5bd5a9f564e9326278ddc66ed7201e52d19e

  • C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\MySoftwareManager.xml
    Filesize

    23KB

    MD5

    f5f5698ee6b73535a7a55ffc9df6f38f

    SHA1

    76b4f170b339481149f72a7294218ad7ea5f9ecd

    SHA256

    613125461abb68bf1535c2b28d3cbf1efc3fe04484acdb89c0e961296837f1ec

    SHA512

    5c83a38a0a0639bada0666592bcd73754e3f161b52ffcb14f066ce11ddac2f818de39ac5a36ebe3d026c202d087fcd1284d6fd5b65d38a112c6c1647274a3bc1

  • C:\Program Files (x86)\SogouSoftware\3.2.2.58\skin\PNG\.svn\format
    Filesize

    2B

    MD5

    c30f7472766d25af1dc80b3ffc9a58c7

    SHA1

    136571b41aa14adc10c5f3c987d43c02c8f5d498

    SHA256

    aa67a169b0bba217aa0aa88a65346920c84c42447c36ba5f7ea65f422c1fe5d8

    SHA512

    0354672b288ac5ccd92c7336f24c3b5a9e669d95bf3036241d3919bae5aadba2c312742d7b422cb04347d6ce98151019baf81a3390e12de140365f17a9cf9afc

  • C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
    Filesize

    232KB

    MD5

    0bc2d003fcfe3fa65f4c3ba7a015fa41

    SHA1

    72ed85bc1c57259b4f2ed36d16ce3fed4e30607c

    SHA256

    388069590fb9569b6c498f941d0565416cb52fc803648ee21b8c59917c63eb4b

    SHA512

    ae8d83e6ca21ee9b0d5e5845fac3a4dc01c6038243da36b4360b2f42763478265cdafc89072c47672b9738de1930e5e5191e2bf91715055cbd16a949d313ff24

  • C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll
    Filesize

    450KB

    MD5

    b1ce2dba9515e144908aa34ac77f5a46

    SHA1

    0a3e601eeba273a16d815c5e59793eb73db9daad

    SHA256

    5a7349e46f16ec394af8575b666c132c010bacaa2c59da472b842ffeccc5623f

    SHA512

    d0a78b5de9126b8126b531fb8f72ae375aac898930dccd8a61f173c28470895daab56b368c34a5925020dfdc642785651445967904d8756bb1ce7c1d2f95525a

  • C:\Program Files (x86)\SogouSoftware\download\download\.svn\prop-base\atl71.dll.svn-base
    Filesize

    53B

    MD5

    113136892f2137aa0116093a524ade0b

    SHA1

    a0284943f8ddfe69ceec90833e66d96bdf4a97f0

    SHA256

    ebbf7e8800c3446bc3a195fa53573bde1073b0bf7581a614372f1391a9286d02

    SHA512

    d3201cc19ae702a9813aa8bc39612ebaa48138903e9ede64dcadff213691f6e711876aa4fa083887c545325d5d8bf70649523c528090542459f2b01697180e99

  • C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
    Filesize

    58KB

    MD5

    58bb62e88687791ad2ea5d8d6e3fe18b

    SHA1

    0ffb029064741d10c9cf3f629202aa97167883de

    SHA256

    f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100

    SHA512

    cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

  • C:\Program Files (x86)\SogouSoftware\manifest.cfg
    Filesize

    29B

    MD5

    dbdddb37dffafd829b9dddd86c8cbf57

    SHA1

    4fd1a652c7bfe2eb39e98a795cd77bc415b13d07

    SHA256

    e661aadd4b5793e960bebdb4862589720b757d7f2c9849c73a9490c162830466

    SHA512

    f1883accc58a7098f9b15a1a7225e7ef0e2ce3175dde6f5b2851c63654ee02919db734e41b45e74f998ba4c5e4f1fdc96abb5546a7fa1b02cc32ffe7d0c5fe36

  • C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
    Filesize

    11.9MB

    MD5

    1ea611695a4d643cf4c63a60151b9387

    SHA1

    7210cc8750b0c8c4d5cf0c49ad5274f1aab2c724

    SHA256

    9c2f73221152802fd96b407477ee23b75f1ce9c9dc7de0c019e95f9d9b453ff2

    SHA512

    68b50b8facba55b416b4160849c8ef4d79cc2af3969de14f26b96aeb9ed610ecfc201202a3f542030e5f26fb021e85acbb8c0602f1ef285387bfbac4b39e1a87

  • C:\Program Files (x86)\SogouSoftware\软件助手.lnk
    Filesize

    944B

    MD5

    f59ebdd09a420b367710e2c2338ebd9e

    SHA1

    35e7fa4ebac44a234d068a7b6b834868bc5ab486

    SHA256

    0a5c57642e7a38fa5090d05e64ca6421b6702be1550bab104bcdcbe3dd306e4c

    SHA512

    924ca49081c58bf7820a6edf2dbe6780354232a90e5d3361dfd9cc2064aa1736c7aaa3a7179569f046771553a3ffa7d80baeadf4ba8c01da284d0f382d6eb127

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I1XZEFUL.txt
    Filesize

    96B

    MD5

    e72016b8dfb3648ad3b775ec798ddd8e

    SHA1

    ee2ccf69f4a0c830039ab7a0780b559a34306ac5

    SHA256

    444d426623b29c7f166a2968d5e47bd5263890acc5a399c532bcda5859bb1298

    SHA512

    0b668596d77c4a0d62cd178413acc1b7827c42a48c5da5cf4ad011c0abf2e4d0e5cd0f6af6bb656ca994d7040502b48b869031a18b7dcde969690eb61a7333bb

  • \Program Files (x86)\SogouSoftware\3.2.2.58\CommonState.dll
    Filesize

    83KB

    MD5

    6e888d41691f655ab9ec752384e009eb

    SHA1

    6c54689dc6fe3070e2d24011a9f8e710f5444d66

    SHA256

    a5adc7b2757172c55834a3720731c0b3eb22ddd1766cc531c06de537bcef786d

    SHA512

    5995cb6a7bc4573d5593904fb518bef91401b4f44fef808ed915017a0b7f0589bb5b810fc183b196ea57de32ec4a0e63b54ce89dde3283e41ff706c6999c4977

  • \Program Files (x86)\SogouSoftware\3.2.2.58\DuiLib.dll
    Filesize

    827KB

    MD5

    28ba86c039552346dafff7e9363ce02e

    SHA1

    0c7848c17f84f7fae9f058ae49658dba4371975c

    SHA256

    49837458d579b16b25f81d0d477922c0d363867e120e0114577c2eb0506639a9

    SHA512

    60fa470134c5a9dfeacf2ebf615d656fd84d80f00ce0c3ff6d617e73f7942b5d48501b1073cd76fa717a0323d69b246170af5f8232ae7d4af3bc45b0325e7283

  • \Program Files (x86)\SogouSoftware\3.2.2.58\SogouSoftware.dll
    Filesize

    1.2MB

    MD5

    fb7a98797d8601196a79545775864de7

    SHA1

    0148ce7895eab4725b95a57e0fd3469a21de579f

    SHA256

    ffd9ab6a997659efee084a1493784c2755010a04f5a2ab03cd0ea74c637b3e96

    SHA512

    3afbef824abb40ccf128bdfa52cb7357b7340fe9a65139b6a2f42a17425548a96a7c95c3154728517aa784d8b00c0a5834a4af95f04bdc590eb8cfab9c24f75a

  • \Program Files (x86)\SogouSoftware\3.2.2.58\sqlite3.dll
    Filesize

    589KB

    MD5

    ae8a8778ac495b47070774f33089753a

    SHA1

    24b443630adbf79b12c920f8fa2586abdf8ba6d2

    SHA256

    bc35883beeb5da827d8eceb32d30bd07a838ad6c8ffa07f0dc7708a118ab4a39

    SHA512

    1bd8933a7ca742769bce5463190d774ecfb70b984e500ab8b0229330eb7c4aa5e7c8432385459f4cc8e528504d2d5382e8379f7d6c13daa7a7506184fef3b125

  • \Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
    Filesize

    71KB

    MD5

    f0372ff8a6148498b19e04203dbb9e69

    SHA1

    27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

    SHA256

    298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

    SHA512

    65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

  • \Program Files (x86)\SogouSoftware\update\UpdateService.exe
    Filesize

    168KB

    MD5

    3d3e5a0455863ae5b4db90b07c974967

    SHA1

    d6316c15eeccb0942a2779636812be9b3da333d7

    SHA256

    8671d4570f9462ff5c4cca67094baaecefebea212b2c8f27ad29d38f76ff312b

    SHA512

    37178f6ce1bb692b3eb19767955089be56649a02b8eaa940522fcac29397030e2510a3c7419f3e72be0b595b2e8c8f13ce6d4ac723f22a52103d669e6490331e

  • \Users\Admin\AppData\Local\Temp\minidownload.exe
    Filesize

    1.9MB

    MD5

    0618e9851ea4a522abeded8d40c2f19e

    SHA1

    c6772967fdf545e32d28f3b46e97aec5b9ff99f5

    SHA256

    506c374fbdf14420306e2da8d123c2138c2ceabd2046178317508a25949d3dc4

    SHA512

    b8c4816d81aa14646a3b690da76c0d33f59b7d419305638747503dba6bb84a63b906fe7d0ced59850ad25db37c1e0e6f3bd614a902f2f5ffb3d2bf74ec4e571f

  • \Users\Admin\AppData\Local\Temp\nsu16BD.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/1352-1128-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

  • memory/1752-1126-0x0000000009690000-0x00000000096E6000-memory.dmp
    Filesize

    344KB

  • memory/1752-1125-0x0000000009690000-0x00000000096E6000-memory.dmp
    Filesize

    344KB

  • memory/1752-1127-0x0000000009690000-0x00000000096E6000-memory.dmp
    Filesize

    344KB