Analysis Overview
SHA256
11604d770496aad9992dca116c7692e44ca415ded0f7a9f90bce0bc487787552
Threat Level: Shows suspicious behavior
The file ad669a7e43eccf774ae3b8286c084f45_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
Writes to the Master Boot Record (MBR)
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 07:49
Signatures
Unsigned PE
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 07:49
Reported
2024-06-15 07:51
Platform
win7-20240508-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
UPX packed file
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe | "C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe" |
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 07:49
Reported
2024-06-15 07:51
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe | "C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1740 -ip 1740 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 528 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1740-0-0x0000000000400000-0x000000000051D000-memory.dmp
memory/1740-1-0x0000000000400000-0x000000000051D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 07:49
Reported
2024-06-15 07:51
Platform
win7-20240611-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
UPX packed file
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | "C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.12345nn.com | udp |
| US | 38.173.113.151:80 | www.12345nn.com | tcp |
| US | 38.173.113.151:80 | www.12345nn.com | tcp |
| US | 8.8.8.8:53 | www.12345ee.com | udp |
| US | 107.167.27.89:80 | www.12345ee.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\CrackCaptchaAPI.dll
| MD5 | 9a4965011a94705227f62df0776f2ab6 |
| SHA1 | fe91972e1c993731cdacc7429c4f4760672adcf7 |
| SHA256 | a9ea79e9c5017616ca9085351ef166f35882ad5a201b92c4839ffdf1169e4113 |
| SHA512 | e74bc303d99a2151dd00b8f4da0aabd70b37fe46a74702034a5a0ab3da7cad9ad0b7d69b960a10d0876ad5b660e1b868c8956e8d05321f7120f480baee34378a |
memory/1252-76-0x0000000000400000-0x00000000007D6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 07:49
Reported
2024-06-15 07:51
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe | "C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3068 -ip 3068 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 572 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
Files
memory/3068-0-0x0000000000400000-0x00000000007D6000-memory.dmp
memory/3068-1-0x0000000000400000-0x00000000007D6000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 07:49
Reported
2024-06-15 07:51
Platform
win7-20240611-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Windows\System32\rundll32.exe | "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\绿软基地.url |
Network
Files
memory/2232-0-0x00000000001C0000-0x00000000001C1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 07:49
Reported
2024-06-15 07:51
Platform
win10v2004-20240611-en
Max time kernel
115s
Max time network
130s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Windows\System32\rundll32.exe | "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\绿软基地.url |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 13.107.42.16:443 | | tcp |
| US | 13.107.42.16:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |