6f46122487829079dc695e503ef2950823a02794aca340369b8988f67a3eb3b8

Analysis

max time kernel
144s
max time network
143s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe
Size

619KB
MD5

3ea40834faf90efa2f9e9edfd98a3ad8
SHA1

a863cba425ac8f0fcfdf0d5d2a71011ad521264b
SHA256

6f46122487829079dc695e503ef2950823a02794aca340369b8988f67a3eb3b8
SHA512

f7c9ba5c347f70ac82c06f0dcaf16b38c4377b63c118d1dfddf740822613a2b326ef4071f8a287d2a32f1dcae09bd55acad8ba01567caf8a5c9d239bf141fda6
SSDEEP

12288:aV0e0eTE0h3qIpLFl/WYv1Gw141c2obY79XaOKhU8yRiu7A4V:aH40h3qIpJIYvYEqocpNzRfs4V

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2808	3VMP~1.EXE
2456	QQ.bat

Loads dropped DLL 2 IoCs

pid	Process
2404	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe
2404	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	QQ.bat

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windows\system32\wins\QQ.bat	3VMP~1.EXE
File created	C:\Windows\uninstal.bat	3VMP~1.EXE
File created	C:\Windows\windows\system32\wins\QQ.bat	3VMP~1.EXE

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}\WpadDecisionReason = "1"	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}\WpadDecisionTime = a0d6895594d4da01	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}\3e-2b-93-9d-77-7d	QQ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	QQ.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-2b-93-9d-77-7d\WpadDecision = "0"	QQ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	QQ.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	QQ.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}\WpadDecisionTime = 204bcb1f94d4da01	QQ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-2b-93-9d-77-7d\WpadDetectedUrl	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-2b-93-9d-77-7d\WpadDecisionTime = a0d6895594d4da01	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	QQ.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}\WpadDecision = "0"	QQ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}\WpadNetworkName = "Network 3"	QQ.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-2b-93-9d-77-7d\WpadDecisionReason = "1"	QQ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1938425A-3608-43BA-8716-C2971547F5C0}	QQ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-2b-93-9d-77-7d	QQ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-2b-93-9d-77-7d\WpadDecisionTime = 204bcb1f94d4da01	QQ.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	QQ.bat

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	3VMP~1.EXE
Token: SeDebugPrivilege	2456	QQ.bat

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2456	QQ.bat

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2808	2404	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2808	2404	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2808	2404	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2808	2404	3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe	30
PID 2456 wrote to memory of 2776	2456	QQ.bat	33
PID 2456 wrote to memory of 2776	2456	QQ.bat	33
PID 2456 wrote to memory of 2776	2456	QQ.bat	33
PID 2456 wrote to memory of 2776	2456	QQ.bat	33
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34
PID 2808 wrote to memory of 2612	2808	3VMP~1.EXE	34

C:\Users\Admin\AppData\Local\Temp\3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ea40834faf90efa2f9e9edfd98a3ad8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3VMP~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3VMP~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2612

C:\Windows\windows\system32\wins\QQ.bat
C:\Windows\windows\system32\wins\QQ.bat
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3VMP~1.EXE

Filesize
304KB

MD5
2610065a6388d42252ff495f281667e1

SHA1
c1e02a64e8f6ad4a78af24b2100526476d083708

SHA256
d4aa3b2a5e1570e0c78feae196957cf5d9c311b5a6a88790f7fe1273b1c90018

SHA512
5d2b1aee0759befdb37150ad3298877d69d340d9e76fbb40f3a3c872db36024751c647ab59f38a8f1d58193cad3c721ad8e7bcc6f999e262f89b84534daa328f

Download Submit
C:\Windows\uninstal.bat

Filesize
160B

MD5
88e4d63d9ac8540020a89a86bdfbe131

SHA1
a22dd644ceac2d6c3575098fa1626f72c938970d

SHA256
0a07cc9f667ec24bf94ec5b3d091f5a59f46e7a0182d8990ab58b65f1e81f7b4

SHA512
9d9c134431aef212b54b16e3d348b30662fe0b31dece3e75a23942b2c0421e682da0237909d877d715f9c123902a1af730c2c1abadbece92b1de3a7ae2d781fa

Download Submit
memory/2404-19-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-46-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2404-0-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/2404-47-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2404-17-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-45-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2404-44-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2404-43-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2404-42-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2404-41-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2404-40-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2404-39-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2404-38-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2404-37-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2404-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2404-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2404-34-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2404-33-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-32-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-31-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-30-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-29-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-28-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-27-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-26-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-25-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-24-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-23-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-21-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-20-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-48-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2404-80-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/2404-22-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2404-16-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-15-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-13-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-12-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-11-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-10-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-9-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-8-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2404-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2404-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2404-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2404-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2404-3-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2404-2-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x00000000001E0000-0x0000000000230000-memory.dmp

Filesize
320KB

Download
memory/2404-50-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2404-60-0x0000000003050000-0x000000000316D000-memory.dmp

Filesize
1.1MB

Download
memory/2404-49-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2404-61-0x0000000003050000-0x000000000316D000-memory.dmp

Filesize
1.1MB

Download
memory/2404-81-0x00000000001E0000-0x0000000000230000-memory.dmp

Filesize
320KB

Download
memory/2404-18-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2456-69-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-68-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-83-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-88-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-62-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-63-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-78-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads