fefd063e8ec50a51e9ab75e3802f054303a7dd5d4c8bbcd8c62acb754c6e0349

Analysis

max time kernel
140s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe
Size

162KB
MD5

26f80b34f596d2a271fcc502aac2f634
SHA1

b29c74384102019088c1e9c8557c28455323ab5f
SHA256

fefd063e8ec50a51e9ab75e3802f054303a7dd5d4c8bbcd8c62acb754c6e0349
SHA512

d47d469c74d84be39cb836fd1b85fe04f2d30307c2e5c1988f7952b912f4577e32e71ad1c4bff85e75bb56ff77852164e5ac1758d1260d359e091e98f225fc9c
SSDEEP

3072:DQIURTXJ+MbBFRo7iy4kp2Q2GTWTwzgevQSQpn1iamhYFTi37v:Ds9bBFRo7iy4/QcTwdvQBpUaRW37v

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2928	RUNDLL32.exe
2928	RUNDLL32.exe
2928	RUNDLL32.exe
2928	RUNDLL32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe = "RUNDLL32.EXE C:\\Users\\Admin\\AppData\\Local\\Adobe\\qqczyqmp.dll,kdfjfslkdjfklfjsdlkfj"	RUNDLL32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426354773"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A7CE631-3AE2-11EF-B4E9-6ED41388558A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2928	RUNDLL32.exe
2916	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2588	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2916	RUNDLL32.EXE
2588	iexplore.exe
2588	iexplore.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe	31
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2928 wrote to memory of 2916	2928	RUNDLL32.exe	32
PID 2588 wrote to memory of 2560	2588	iexplore.exe	34
PID 2588 wrote to memory of 2560	2588	iexplore.exe	34
PID 2588 wrote to memory of 2560	2588	iexplore.exe	34
PID 2588 wrote to memory of 2560	2588	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26f80b34f596d2a271fcc502aac2f634_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32.exe "C:\Users\Admin\AppData\Local\Temp\qqczyqmp.dll",kdfjfslkdjfklfjsdlkfj
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    RUNDLL32.EXE C:\Users\Admin\AppData\Local\Adobe\qqczyqmp.dll,kdfjfslkdjfklfjsdlkfj
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f351884b4000a43f210895c01259f21

SHA1
945507bc7d338411544ed2ccbf4b208b5c75c9a4

SHA256
cf573e14424452af3f7e46642f1f3eb8c17a4afd0e3249e315f05301eb5cf0b4

SHA512
8a3289ae7c786d3111b30f7917880dba4aff602f7a9bba5f79589d567b43f6683acde19637736b66605370c2558523f56f168bfb4cd249dd1126bb328a9db13c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e254129b7d9cb3f1b62a8f487822053

SHA1
245ab64a0e436ed53bd2480458612b9e0781a509

SHA256
e9f65f0553dd49da880becb253a2cbe6777420df75ed18058605babf4ce6c521

SHA512
05ab07b10d8ea66971d0d6ccbf3c2b7686b879ad3def1832e53e1c123b831a98299809bb945e0f81f7491696344f410df3bfd40d69c33ef200a85df4cab6f822

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37546fc894e231bbfd275ff3d4b2d8b8

SHA1
83fa5ae55f7c439a9e693604097f1d6003f1e10b

SHA256
6fab92e61995651b162206f1b510faca537207f8212627f9331949ec05fc7e5a

SHA512
a6ca36e698f2f1b335cd92adffc251c6fc292bc2db95de27ab5c392b1f3c56020dad454afbc119bed7ca31c9df85fd534eb261eac10a51eced398b440b00fa5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8b3b64d160e0251b94b4b69eaa8dbd4

SHA1
b1d6d389b26c99d6012b1c8ba17e7a9fb453fbec

SHA256
cbdb3043b3d8a762212ab09958cc0642d097699edae1a0d2d8ac43e3c3d80105

SHA512
d6032c28304acd4f70139c927e769b26f1dea7164e8e1fb7c258f3770ce0ca3be56ee28b73a9f326cdd02cc54b69d195c53b1743547ba48a28eadf0c9f4ab108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab17f0add7f7af6da6a56f0afbfb10e9

SHA1
b078f9683f28ad1f1a750e181fc4a532f4257bdb

SHA256
055d990a6c246210d67f76590a4f0c1ef5bea597e82d14b0cc9c558d5b4f60c8

SHA512
25a358b5db20bbc9be58fc2af6b83277ad3360d6b8ade3cf03256e11c76dc624ad25b05ac8f43f4f538f6e8c4076bdff38aa82e3a2c1204f5943f96ed187dd40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9f22e0b30dfeb2693d689eaa395dfb7

SHA1
a01c1037bb2462e2a4a7f2c4532d7f2a53ce3e0f

SHA256
5d13e4883ce252c113fcb4c1df2cc40adea96eed44cfc8505d52df611df32471

SHA512
d8451ae53f5afa7041f884c4ad0fb913e362d5e72f2399f62387f0a9d30f03fc7018b08c88552709a2bff0e5b7831554d21426ed79b13d0c0e4b58cc77240ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2c358a9326f9eb463d8552cd69120a8

SHA1
70c35bf1b053c7fc6a92d93876fc52a9904a123b

SHA256
f8b96bf4708d2f90ca277a3ea5fb3fe7c962ee1cf72499016c0a4cace9c5542c

SHA512
2104a9c628380d75355edd0f0a46c4100d3eb1ee840d1c450a92e79e45f78d6206265e6fa4b70e7a6a90c1579d9cc831ab1e5c90e897bdf6a66d0252cc2b567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2702cdf5ff1e85cd3eeffeb1b719ebaf

SHA1
c116a3cd5f67fd30ea7990c8b8fd92be16112c81

SHA256
32c9bbb760a73e569847003248d85991e39479bd2abeb2c0e596917dd995a58e

SHA512
ca7be628a3d6986d762ff379b08d2c60660bcffdef12be63d60372fd4b74337379bcae8a2803f6a2c7e8df495dc40ad5ed119d675daf3edb34c15b870c13010c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
437b73149f50d6311848757b17cf165c

SHA1
5c80608e1f3398c30f19df4f28a52167d9c526b7

SHA256
d43d014b68ac3ee4a02f2d03b42a2df4affbca00429171ec41f4c11864a63c2c

SHA512
14d7614f236af9d5414364193fa84224634ebbd53c5af3dc0ee66a6a677fcba25beb8f4426cffe4558f6b90897cfdef1d67387132c70c4d0862ef09697572dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70c2792f67c0812c314ff5fd9d64d095

SHA1
6edabf3a3918e25f653e4b30b0ed667c37490fc1

SHA256
b59652ce9ce512ad0258d15744325f5aacfe1b9e7072e958efb37cba26b1db1a

SHA512
cb14fea25336b3e81d0484a113b29e970c3dadb185cc8738e834b366d66d0a933cb832fa589a38191468580c40aeb8f944b5bc4fd2c48dc8381f4fd581ee6686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaa113e10ab2e7ee870456bc427df57a

SHA1
2f4877cf20e095ba659b3dea7c134c56d7702d2d

SHA256
da96ea36bd51630ed91791932226162f3f76a316da4806df634633a563878151

SHA512
219ab904b4f1ce95026db4c8b0bdca8e81c366867f16005f85e026ba30239fef2cc4f84d70e551f354f167dd4c941bbf0499df2dead14d813aa532d84f4a138a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5C6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF627.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqczyqmp.dll

Filesize
389KB

MD5
d8501587386400aba2c801a4f3e127c2

SHA1
3cef1819fb9a52a298173009e018c2ba7f1ee41e

SHA256
25a74f75360856d9e9f432ca8fa52897a98f44cad23aca950a7615ca119b82f2

SHA512
474bea8585b0a183cc67874726fb55447d0efd2b1fb079f5e7942259516e64912d7f6fe725659503d420eb7320d13a1752aa5451ca720d46ef02518253287c01

Download Submit
memory/2916-11-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2916-10-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/2916-9-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2928-6-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2928-8-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download