Analysis

Max time kernel: 149s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-06-2024 10:54

Static task: static1
Behavioral task: behavioral1
Sample: b83ea939e613dd56cb93f4917e7d9d50_JaffaCakes118.exe
Resource: win7-20240611-en

General

Target: b83ea939e613dd56cb93f4917e7d9d50_JaffaCakes118.exe
Size: 314KB
MD5: b83ea939e613dd56cb93f4917e7d9d50
SHA1: 121f18843dc6fe8779247ab0a931bd6840c67436
SHA256: 38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75
SHA512: 3ab8a22f6c6ca34dbd59b4ff37e4ee46cc607a5d1321cfbf263fbc17c6c670188feface18aa1729808911c6dee7013d36c90f4522f71f7a534d16ed2fb96e229
SSDEEP: 6144:iz+92mhAMJ/cPl3i3SyLzZOxIEiAfwIfCipkMVwdz4gygrA2+atP3qqvQECNfXO8:iK2mhAMJ/cPlcZOlxfwIf1qMVwKMA2+N
Malware Config

Signatures

Detects PlugX payload (21 IoCs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | b83ea939e613dd56cb93f4917e7d9d50_JaffaCakes118.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  316 | QQBrowserUpdateService.exe

Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  316 | QQBrowserUpdateService.exe
  4640 | QQBrowserUpdateService.exe
  4504 | QQBrowserUpdateService.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid | process
  316 | QQBrowserUpdateService.exe
  4640 | QQBrowserUpdateService.exe
  4504 | QQBrowserUpdateService.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (17 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Modifies registry class (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33003000310045003300450036003000370046004400310037004100350030000000 | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated entries collapsed; the report records only pid and process name per event):
  pid | process | events
  316 | QQBrowserUpdateService.exe | 2
  1108 | svchost.exe | 14
  1036 | msiexec.exe | 48

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid | process
  1108 | svchost.exe
  1036 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 316 | QQBrowserUpdateService.exe
  Token: SeTcbPrivilege | 316 | QQBrowserUpdateService.exe
  Token: SeDebugPrivilege | 4640 | QQBrowserUpdateService.exe
  Token: SeTcbPrivilege | 4640 | QQBrowserUpdateService.exe
  Token: SeDebugPrivilege | 4504 | QQBrowserUpdateService.exe
  Token: SeTcbPrivilege | 4504 | QQBrowserUpdateService.exe
  Token: SeDebugPrivilege | 1108 | svchost.exe
  Token: SeTcbPrivilege | 1108 | svchost.exe
  Token: SeDebugPrivilege | 1036 | msiexec.exe
  Token: SeTcbPrivilege | 1036 | msiexec.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (repeated entries collapsed):
  description | pid | process | target process | events
  PID 3216 wrote to memory of 316 | 3216 | b83ea939e613dd56cb93f4917e7d9d50_JaffaCakes118.exe | QQBrowserUpdateService.exe | 3
  PID 4504 wrote to memory of 1108 | 4504 | QQBrowserUpdateService.exe | svchost.exe | 8
  PID 1108 wrote to memory of 1036 | 1108 | svchost.exe | msiexec.exe | 8
Processes

C:\Users\Admin\AppData\Local\Temp\b83ea939e613dd56cb93f4917e7d9d50_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b83ea939e613dd56cb93f4917e7d9d50_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe"
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe
  Command line: "C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe" 100 316
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe
  Command line: "C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe 201 0
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe 209 1108
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\SxS\bug.log
  Filesize: 622B
  MD5: b2d61c41a86e9601ce867d1c21b282a1
  SHA1: 39b99a3bede6353d3fec7936571431f095fa19a4
  SHA256: 2d1f68e54fcb7804ae310dfff72c43124c04db47108ac99964db4b8f78817c30
  SHA512: a3cff32613a133a507b33dc6de34f983b0f2cd8f5bbf812e73041adc38721d722acb154eac962b4b34d79313703f4a0cb97d95a7d04180c22f1107381dbaf5ae

C:\ProgramData\SxS\bug.log
  Filesize: 764B
  MD5: 4ab4c23a31f1760703518cb15f6b5e41
  SHA1: d2a8bca08012573171c3c2389496531614ccc3d5
  SHA256: 20a917f2a90d84b417cdb021c84b6eb5fe7bf3afaaea0d05a98b34922a61bcd4
  SHA512: 9957de7a586b3dccb373a5e56fedd52e0bbe411df37104458aaf38668a35e9ece33d8e8c974b4e8f40f8efff5887f1513924d091b5877eb07ff14b26aa1d9f10

C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowser.pak
  Filesize: 120KB
  MD5: 768fb7e913b66701a20cdea2abc7f884
  SHA1: 10e8ddf7333109b430ccaeb87ae644051d120f5e
  SHA256: 92812f4d34aca0bd7c7e2f67abd2c1813546f2826ec3380fc45a5ea0822ea76b
  SHA512: 19c261f9b6508288f0e88d1b9f6385d3393bcb92d6a31c521ea6a22955f17d02b9e1dc690812bdaa9a3ad84ba9929a5732529b78b0f6df560bca573170a23290

C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe
  Filesize: 204KB
  MD5: bf8c7b6e88a049fda4ebd7407488aca6
  SHA1: 8b889494f25aafcef5e92b6cc7b2e0e0e217e60a
  SHA256: 28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2
  SHA512: 35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pdh.dll
  Filesize: 8KB
  MD5: 2ab8934a0133f1cf3122b1bbab6de846
  SHA1: 4e0db9d32f99d724fdaa56d18e9fad687333f18a
  SHA256: 462713911bac73ee904afab28d19f366b6b125ca7656144142654892319259fc
  SHA512: 164075833213b164b722854252f5349fdae8cb9ba80028fde7670f5bb90b9dae34befd4e32ffc1cd11ae6cbad3fc3176e77a3a85cdf1583c73153387d6d831c5