ee89982148d72d0884e51b9e2138bc3a1bf6fdea10aa7dcc902e063c523ff88a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
Size

1020KB
MD5

43053106f94bc15a25ab7db4e5920425
SHA1

fe6a7ac02d1e940175253f9ddf28937896bf11b4
SHA256

ee89982148d72d0884e51b9e2138bc3a1bf6fdea10aa7dcc902e063c523ff88a
SHA512

0026ba7a887cedb1391c0e76c6652079e087732e878de04339813782d50bf19e90d7d469fbe473f5cbdb4fef57b986a36006ec7f5ee79b911a1d7bf6deb1415d
SSDEEP

24576:obBge0RptQ/DOYOzjRontlLYJAlMqqJKGafidExZK2:oVg7+CYOzjentlLcAKPeXd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2152	QQ.exe
2656	un.exe
3024	1.exe

Loads dropped DLL 4 IoCs

pid	Process
2152	QQ.exe
2152	QQ.exe
2748	cmd.exe
2748	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Firefox.lnk	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Google Chrome.lnk	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\QQ.exe	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2372	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
2372	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
2152	QQ.exe
3024	1.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2152	2372	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2152	2372	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2152	2372	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2152	2372	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2656	2152	QQ.exe	32
PID 2152 wrote to memory of 2656	2152	QQ.exe	32
PID 2152 wrote to memory of 2656	2152	QQ.exe	32
PID 2152 wrote to memory of 2656	2152	QQ.exe	32
PID 2152 wrote to memory of 2748	2152	QQ.exe	34
PID 2152 wrote to memory of 2748	2152	QQ.exe	34
PID 2152 wrote to memory of 2748	2152	QQ.exe	34
PID 2152 wrote to memory of 2748	2152	QQ.exe	34
PID 2748 wrote to memory of 3024	2748	cmd.exe	36
PID 2748 wrote to memory of 3024	2748	cmd.exe	36
PID 2748 wrote to memory of 3024	2748	cmd.exe	36
PID 2748 wrote to memory of 3024	2748	cmd.exe	36
PID 3024 wrote to memory of 2592	3024	1.exe	37
PID 3024 wrote to memory of 2592	3024	1.exe	37
PID 3024 wrote to memory of 2592	3024	1.exe	37
PID 3024 wrote to memory of 2592	3024	1.exe	37
PID 3024 wrote to memory of 2996	3024	1.exe	39
PID 3024 wrote to memory of 2996	3024	1.exe	39
PID 3024 wrote to memory of 2996	3024	1.exe	39
PID 3024 wrote to memory of 2996	3024	1.exe	39
PID 3024 wrote to memory of 2724	3024	1.exe	41
PID 3024 wrote to memory of 2724	3024	1.exe	41
PID 3024 wrote to memory of 2724	3024	1.exe	41
PID 3024 wrote to memory of 2724	3024	1.exe	41
PID 3024 wrote to memory of 1424	3024	1.exe	43
PID 3024 wrote to memory of 1424	3024	1.exe	43
PID 3024 wrote to memory of 1424	3024	1.exe	43
PID 3024 wrote to memory of 1424	3024	1.exe	43
PID 3024 wrote to memory of 2852	3024	1.exe	46
PID 3024 wrote to memory of 2852	3024	1.exe	46
PID 3024 wrote to memory of 2852	3024	1.exe	46
PID 3024 wrote to memory of 2852	3024	1.exe	46
PID 3024 wrote to memory of 1924	3024	1.exe	48
PID 3024 wrote to memory of 1924	3024	1.exe	48
PID 3024 wrote to memory of 1924	3024	1.exe	48
PID 3024 wrote to memory of 1924	3024	1.exe	48
PID 3024 wrote to memory of 1672	3024	1.exe	50
PID 3024 wrote to memory of 1672	3024	1.exe	50
PID 3024 wrote to memory of 1672	3024	1.exe	50
PID 3024 wrote to memory of 1672	3024	1.exe	50
PID 3024 wrote to memory of 2424	3024	1.exe	52
PID 3024 wrote to memory of 2424	3024	1.exe	52
PID 3024 wrote to memory of 2424	3024	1.exe	52
PID 3024 wrote to memory of 2424	3024	1.exe	52
PID 3024 wrote to memory of 680	3024	1.exe	54
PID 3024 wrote to memory of 680	3024	1.exe	54
PID 3024 wrote to memory of 680	3024	1.exe	54
PID 3024 wrote to memory of 680	3024	1.exe	54

C:\Users\Admin\AppData\Local\Temp\43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\QQ.exe
  C:\Windows\QQ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\un.exe
    C:\Users\Admin\AppData\Local\Temp\un.exe x -o+ -p51loveqq C:\Users\Admin\AppData\Local\Temp\up.rar C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      C:\Users\Admin\AppData\Local\Temp\1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C del C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\*.lnk /f /q
        5⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\浏览器.lnk C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\浏览器.lnk /y
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Public\Desktop /y
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Public\Desktop\ /y
        5⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Public\Desktop\ /y
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ /y
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\SYSTEM~1\ /y
        5⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ /y
        5⤵
        Drops file in Program Files directory
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ /y
        5⤵
        Drops file in Program Files directory
        
        PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.dat

Filesize
116KB

MD5
f824c7b0fd4e2480fa12cefbfa1f859a

SHA1
685243a3e9fb368d0999bb524c6671f96f554aba

SHA256
659495cc6e2fbe79a7b4d0a86cf1ddf88d5c1b9bf7a130b6c3de857300debddd

SHA512
a21b3d0b880a6d3bf3e429ca386edb47c97b9b87935712d46d3c12602c33ed493bcfcd580fcbb7bc4a70752f530a1e12264cdf24d78d50bf932bba4578bb9c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.lnk

Filesize
1KB

MD5
f1ca0c085fd09c31793e947df81d8e36

SHA1
912ae7310114d00187a1f7cfeb14d57c3bcb5588

SHA256
b6155960e811d4b3ff99554dd5d94ec355e5dad6ebefadc0f90dac8cff8762fe

SHA512
47063f7da16aa4546a28167cbf339c8e975cf497acbf18e7e1f7bf19e0d878f2107b397645c9c6f3a7bc1ebf79c97a6171aeedba4ad547c46c675342f7958515

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.lnk

Filesize
1KB

MD5
7f7e17c27da9fcc64fccecc82db6ffe2

SHA1
6d7b0f59e2975f4d1c33c69bef68ecf15f2d26d0

SHA256
4280f187f3f1e680a14c82d29faed820650a0269e6fce2125a11ca382cc17a4f

SHA512
89611739f2d10bcfb31ba473fd1ee3e66cf676ef2712e1eb954f6cec5fb2837787a3642282962cd0ffa292770ed32210d0a73ed34f21591b048019734b8a85ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.lnk

Filesize
1KB

MD5
91e7923a86af0c0c18ae17f08fcc58f4

SHA1
f499c453a82afb097c369c02ecbd410c55c32e65

SHA256
92ad99fcbdbae6502ba4092e6aa14c96e8ff38557942bdf52e8ae1a201bd28b4

SHA512
2aa2f9a76b24f77e4e0e55a290efc344f38fb3358b497c789ef7126bdf148514f3dbd6aab332257d7e974180b6f48f3be3acac54aa85d0ad6fdb364d9f3c6c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.lnk

Filesize
1KB

MD5
9befcd377d7ad7cc8db7895cfda7d026

SHA1
bddd683c5cb2b3ba68dff20597e81fee443327a4

SHA256
c82bcdcea6e64d9e10816a6b5bba52af3b17e4f08b8bf3362139465da9c60515

SHA512
8252ff7ffe2f9b57e1dd1ca16295dc76c40741fd26228a0b428843f9dea9348638262c822be85fd35dbdcb6e3953ad5414d7f52e01c2d99934b10820bd19d992

Download Submit
C:\Users\Admin\AppData\Local\Temp\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
42313dc4465e5f58aea7e8b372f45c73

SHA1
89843a81be5db14208cdd5f777000b6e20eab37e

SHA256
58339b4a7f195bf1232af33084f16a669e164d07af0b4371363906627485b78e

SHA512
48e737d46153664a8250d299aa1818243ff13f2d4f2fe3381893185e757eb2df3cde67a4d7a65a87cf914a206c587df139b833c5a3b74bad48d9b3e18dd96ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Internet Explorer.lnk

Filesize
1KB

MD5
d2646f903e6606c5397357b6c5c81c13

SHA1
b3ace83e7cf240eda0b1ecff93b15305c9a2e685

SHA256
6c23e76f607fae59cf21791e0d1f0fcbc24ba843c8efeb4d93295322c350a75f

SHA512
90269567c91d9a4582aa863d3ee579d251b0fb99029c6c1067273f18ca4cde8548ab679fae50a2bd11b3f45521b0b94ff3a18c37016166b1b37fa6632bcebda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\up.rar

Filesize
50KB

MD5
d5439f66db2157910b00a77062639187

SHA1
1f6ec105b34d86865f700c71685a6130d7c26186

SHA256
3e14956991470e43718757cd4ad7084357747e257d3c4cbe733c4833877f2c8a

SHA512
b2d656c110969bfcee9101a9c288069e28b9694549bcb3b685b2098a8bc8f47662b3915cc3d423619eba3a5d49d8ac2511fed6f838d49876a65b0a74afa2f982

Download Submit
C:\Windows\QQ.exe

Filesize
300KB

MD5
1730f853b313ee77e871b611426f11c5

SHA1
650856de93206855da5e2208067eaaa2ec69e704

SHA256
da68b9337290d5cf64256da449e16124b25a11ec5e949f655d48057f1be5d4c5

SHA512
25e8ac203ec24aae2460931d07ecb1749855f731ae25b1273f8c2bbce0f4de4d311cc11c59a5c4d18f41fc418fb45be532a0520980ff9b5be7d713d56b62f2dc

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
44KB

MD5
8466daee49a8b3ff376d502867beec78

SHA1
06d5d09877e482f72dc491e4ce550e1b74fb4e56

SHA256
33a0c21208029ebd3289716fb1394ed447dac2f172829b1c9249a5ca7ab8263d

SHA512
52448cad828f0dfcadda3c43f2422f74df5ca85b986d3ac00b91679663636c0b4b485becc9e3b75c453b7e165e864476c99640ac55687528e405bbab14783873

Download Submit
\Users\Admin\AppData\Local\Temp\un.exe

Filesize
214KB

MD5
120a33d31a303409c7dc097d0f1110f6

SHA1
4e4f784e9946bd7d42b9f1554ad417aa70eddaa8

SHA256
3b7eeec19fd8e2ad81bbde84790f9ba6f2f9670e3fe32585702423f39b1862d5

SHA512
ae725446ba68760e7010c1c0dc959a58cce94ac996661329512fe9adfe14a0fe5105ee75e11629e9caf0eeca1b6dc034cdb13f723dae0b0d97164fe4fdd76291

Download Submit
memory/2656-22-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download