84a573a3017c7834e0cc91e1904ff8ee6b8e65458deea23610de5c3d8ef5c9da

Analysis

max time kernel
148s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
Size

657KB
MD5

274b64869aec5d4943280198e2206ea0
SHA1

30444fcde091b6231e5d109176cb05535d6ff1dc
SHA256

84a573a3017c7834e0cc91e1904ff8ee6b8e65458deea23610de5c3d8ef5c9da
SHA512

fdbe3741a71382296d17147226bfe9ac4ca325245730d3d5004c94e62d9bad7ddb088eeb2411ffdad70822836958de41f6f010753df0685c15f0b5d859843e23
SSDEEP

12288:hfBWtS6Enj0tsoJ633iAtA7dN4W100EK86kBzflFyJ0e+YJwlUD:nWM6oqm4oW100SbBzflQVylG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1284	scanquery.exe
2036	scanquery.exe
2812	scanquery135.exe
2564	scanquery.exe

Loads dropped DLL 9 IoCs

pid	Process
2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
2036	scanquery.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2564	scanquery.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	scanquery135.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AMJDVM1D.htm	scanquery135.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ScanQuery\scanquery.dll	scanquery.exe
File created	C:\Program Files (x86)\ScanQuery\scanquery.exe	scanquery.exe
File created	C:\Program Files (x86)\ScanQuery\uninstall.exe	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
File created	C:\Program Files (x86)\ScanQuery\scanquery.dll	scanquery.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000186bb-52.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	scanquery.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2F0149B9-28EA-40B4-9523-541F101B026C}	scanquery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2F0149B9-28EA-40B4-9523-541F101B026C}\DisplayName = "ScanQuery"	scanquery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2F0149B9-28EA-40B4-9523-541F101B026C}\URL = "http://www.scanquery.com/?prt=SCANQUERY135&keywords={searchTerms}"	scanquery.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	scanquery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback.Save = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	scanquery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.scanquery.com/?tmp=redir_bho_bing&prt=SCANQUERY135&keywords={searchTerms}"	scanquery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2F0149B9-28EA-40B4-9523-541F101B026C}\TopResultURLFallback = "http://www.scanquery.com/?tmp=redir_bho_bing&prt=SCANQUERY135&keywords={searchTerms}"	scanquery.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-03-51-b6-45-0a	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}\a6-03-51-b6-45-0a	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-03-51-b6-45-0a\WpadDecision = "0"	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	scanquery135.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	scanquery135.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	scanquery135.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}\WpadDecisionTime = 80aa7c5f4dcfda01	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-03-51-b6-45-0a\WpadDecisionReason = "1"	scanquery135.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}\WpadDecisionReason = "1"	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}\WpadDecision = "0"	scanquery135.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}\WpadNetworkName = "Network 3"	scanquery135.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-03-51-b6-45-0a\WpadDecisionTime = 80aa7c5f4dcfda01	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	scanquery135.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	scanquery135.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	scanquery135.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	scanquery135.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	scanquery135.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	scanquery135.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe
2812	scanquery135.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2564	scanquery.exe
2564	scanquery.exe
2564	scanquery.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1284	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1284	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1284	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1284	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2036	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2036	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2036	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2036	2476	274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe	32
PID 2812 wrote to memory of 2564	2812	scanquery135.exe	34
PID 2812 wrote to memory of 2564	2812	scanquery135.exe	34
PID 2812 wrote to memory of 2564	2812	scanquery135.exe	34
PID 2812 wrote to memory of 2564	2812	scanquery135.exe	34

C:\Users\Admin\AppData\Local\Temp\274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\274b64869aec5d4943280198e2206ea0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.exe" "C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.dll" 3659316350
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.exe" "C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.dll" lugiwupi "" hedukode
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  PID:2036

C:\ProgramData\ScanQuery\scanquery135.exe
"C:\ProgramData\ScanQuery\scanquery135.exe" "C:\Program Files (x86)\ScanQuery\scanquery.dll" hafaheduko donawiha
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files (x86)\ScanQuery\scanquery.exe
  "C:\Program Files (x86)\ScanQuery\scanquery.exe" "C:\Program Files (x86)\ScanQuery\scanquery.dll" izupazezih fazusihu
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.dll

Filesize
572KB

MD5
9e884a2a74e69d6f1aea6fde800ca6c5

SHA1
00b2e8644a3618cd2f0f048eb359d9c03e98350a

SHA256
84093899daef5660676b4ca369d7b85f5e60adc5e3b59f6dc1eae182052bc27c

SHA512
71a0bf06c7483eb15f527952222b826cffb8e042f20154dea9174332260b5ea1c99d9fbb087b5b6705263884e886d63a76d2495bb935a7ab52a1bd2b4eb23c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.dll

Filesize
572KB

MD5
b6ea4ba01867e85de17a89b30c6c4905

SHA1
8b4ea32bf8316751111cb87fb3c86020b0e053dc

SHA256
ca36bf09a9b5f2f8d6b4b1c02a3e4199bba0c6a60c0d9aba8e0703db8480a11f

SHA512
408f944b2088ce3d5bdabdafa8e291f6c117548c00c56c4f3cc7e4c0d7d4cd95b96875e6ae9dfa1d2c84452f598a40f6e9ccf0fdfacf8295a3ced3087a4a9749

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\uninstall.exe

Filesize
78KB

MD5
189ffeb2c56b4c579ec46314b14188de

SHA1
a3ba9e5cfcfc1533b519c93d5e27499aaeaa08bb

SHA256
b1154ae3bcafbeaa27a761501f14d20fe94bb95f955f5b7ef14ff4de7988a0ef

SHA512
0d54ecc70294ac523d62a04aa36d3b94c18cac1264752a134c8b70799cddc0ce1bba138baf01b1dc7620bc42b916474394dc5374ba8d841138096ed67913e67f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFB71.tmp\scanquery.exe

Filesize
44KB

MD5
efdc3614e2fb371407319380218f10ce

SHA1
3b7e273767bab06f1742ef3a045472391594e036

SHA256
81e820c4f61229c995274fcc868fa8f0338e5684eff823d53967db1529a8152c

SHA512
c15c54581ca98ed7d44d58c013faa8a025d71d38442fe6a611771a784fed16d2fdd789bcb680acb50217d9a11f6f0fc3257be1aed75f72f33e2dfe4cd06ba118

Download Submit
memory/2036-26-0x0000000000410000-0x0000000000495000-memory.dmp

Filesize
532KB

Download
memory/2564-58-0x00000000002B0000-0x0000000000335000-memory.dmp

Filesize
532KB

Download
memory/2812-37-0x0000000000220000-0x00000000002A5000-memory.dmp

Filesize
532KB

Download