0c71745a77deb857427f29458a4cb9fa5f0844ac9c232ecabce40a3f33764a93

Analysis

max time kernel
141s
max time network
36s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Size

297KB
MD5

25d3e07bb7731baa8481bc2efafc482e
SHA1

6073c603f4184ce5bfc530d31e7f330f19c4ca5a
SHA256

0c71745a77deb857427f29458a4cb9fa5f0844ac9c232ecabce40a3f33764a93
SHA512

23cdf7e878496225ab7ac783cf09f0e7a570c81515c64c529846ce4810a9abdc616e58199395b13a5bd49277fc91ba6749dd322887ea2bfaa78c9a06a9383571
SSDEEP

6144:YEZYqeVeKNyBfZVEAqUzf3oX3ToLhW1OdAJir3lMH+tJ223Z:YEZYEVxmAtAXDoN6sAsr3Sc7

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000018d48-17.dat	acprotect
behavioral1/files/0x0005000000018f84-24.dat	acprotect

Loads dropped DLL 6 IoCs

pid	Process
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qmdisp.dll	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\InprocServer32\ = "C:\\Windows\\SysWow64\\qmdisp.dll"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\ = "QMDispatch 1.0 Type Library"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\ = "QMFunction Class"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CurVer\ = "QMDispatch.QMFunction.1"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\qmdisp.dll"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\CLSID	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ = "QMFunction Class"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ProgID\ = "QMDispatch.QMFunction.1"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ = "IQMFunction"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ = "IQMFunction"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID\ = "{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\Version = "1.0"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ProgID	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\Programmable	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\CLSID\ = "{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\ = "QMFunction Class"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CurVer	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\FLAGS	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\InprocServer32\ThreadingModel = "Apartment"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\TypeLib	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\HELPDIR	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\Version = "1.0"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\FLAGS\ = "0"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\VersionIndependentProgID	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\VersionIndependentProgID\ = "QMDispatch.QMFunction"	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\InprocServer32	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
2560	25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25d3e07bb7731baa8481bc2efafc482e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\macro0.tmp

Filesize
1KB

MD5
37d57c0dda9f2f2258419b30d0cccc8f

SHA1
96e2bde57e0331072e99dd21a186141ec47d4e85

SHA256
86ad4942fd100098dc8870ada59f9b490dd3cea6922e4cd4e81d6ecac9c386c0

SHA512
71905d0aed3b27086caf4805ed2569d685ddd1595f3c50281f9da551b5ed46a522ed2ba7f55b508d76226361a5a95aae9af94729491644f74e1ad337a9da19be

Download Submit
C:\Users\Admin\AppData\Local\Temp\macroinfo.dat

Filesize
331B

MD5
97989c05ce852198d30c113812c1b2eb

SHA1
9ff158350a2b7a9bbe53d13446bd8fda8ee4f4e7

SHA256
3178e1b80cd6f21e961a57f4f72a06d12159f78d0d5803f18aa7fae57c53729c

SHA512
f271fbad94037f60702ea00420861d46580b481b5b41e1e69e674b1f4c5478a6c972a6a021312282cc76c091c9df87e4f8cfc758529a891f5deb2052436a072a

Download Submit
\Users\Admin\AppData\Local\Temp\WinIo.dll

Filesize
36KB

MD5
c6b4bb7661fb5e0fc1efaa9f604a5da3

SHA1
1826692742a240a9214363e59ca18d57e5b1f439

SHA256
abff25b2e8bbe3b77d7077bd8763d54b935018d6f0a8420b91d04ec1eeb780ed

SHA512
fc8df9b2920c616d5cfefd2f669206601f5de201f145c9518b97b59fcb6074ab4531d1d05a247c5885be22474bbf33e683e9edef62b9fe1e4a264c0c12f8fb6e

Download Submit
\Users\Admin\AppData\Local\Temp\cfgdll.dll

Filesize
44KB

MD5
6603814441d3aadef5620297b1874e8a

SHA1
5b51e5a875fbefd518f32aedcaf139fb04f4af57

SHA256
5740c55b981b1e0b93dd11b70d40dc632116eda19587ebb55f4c8b32bb8f77cb

SHA512
ae7b3f5ecd27bc442c2ac82f33b12a59cdd90639d666e613faaa4d977708498fcd78e96af3c0846ffcc43ea08c74b9f7f329d5bf05e7ffe9427770d834017f7f

Download Submit
\Users\Admin\AppData\Local\Temp\cooperate\liveupdate.dll

Filesize
33KB

MD5
332fda568fe929d6f6588e7c650d50d2

SHA1
5dd0c88a2676cad045bebce2adbd8f871a186b6b

SHA256
fb373585ed9fef61a6091299225b6b5029de4ace81a1dbb72e7870004bd9a6ad

SHA512
0e31e07f6230fdb7f7bcdbac9a04140ffd8295769b1b6d7431b0b77cf8354df464ee6933d3e432aa6bc604c286c4c8a390ea59a8fa788d54fde6d3a84522fe72

Download Submit
\Windows\SysWOW64\qmdisp.dll

Filesize
23KB

MD5
c56851b4db49b9a47cba5df3d8e41bab

SHA1
7fc0602c7c28424b0e16f41809bed8c8f32fa973

SHA256
9fdd00e9e17a8d770807ce113d775cc3a6f40efcf8b519b3f7dfde61236c3aed

SHA512
014e655bd4a8031d9445d2d3178629cca52a3f9c838ed7a56474279084491cc9c841a50dd43790dc13ca7f6d931a643c599de86907ca0a770d8e523c3fe98b7e

Download Submit
memory/2560-47-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-52-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-19-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2560-15-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2560-45-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-46-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2560-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-48-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-50-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-26-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2560-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-83-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-85-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-87-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-89-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-91-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-93-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-95-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-97-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2560-99-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download