ee89982148d72d0884e51b9e2138bc3a1bf6fdea10aa7dcc902e063c523ff88a

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
Size

1020KB
MD5

43053106f94bc15a25ab7db4e5920425
SHA1

fe6a7ac02d1e940175253f9ddf28937896bf11b4
SHA256

ee89982148d72d0884e51b9e2138bc3a1bf6fdea10aa7dcc902e063c523ff88a
SHA512

0026ba7a887cedb1391c0e76c6652079e087732e878de04339813782d50bf19e90d7d469fbe473f5cbdb4fef57b986a36006ec7f5ee79b911a1d7bf6deb1415d
SSDEEP

24576:obBge0RptQ/DOYOzjRontlLYJAlMqqJKGafidExZK2:oVg7+CYOzjentlLcAKPeXd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4676	QQ.exe
2220	un.exe
1568	1.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Firefox Private Browsing.lnk	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Firefox.lnk	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Google Chrome.lnk	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\QQ.exe	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1696	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
1696	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
4676	QQ.exe
1568	1.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 4676	1696	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	84
PID 1696 wrote to memory of 4676	1696	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	84
PID 1696 wrote to memory of 4676	1696	43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe	84
PID 4676 wrote to memory of 2220	4676	QQ.exe	87
PID 4676 wrote to memory of 2220	4676	QQ.exe	87
PID 4676 wrote to memory of 2220	4676	QQ.exe	87
PID 4676 wrote to memory of 4736	4676	QQ.exe	89
PID 4676 wrote to memory of 4736	4676	QQ.exe	89
PID 4676 wrote to memory of 4736	4676	QQ.exe	89
PID 4736 wrote to memory of 1568	4736	cmd.exe	91
PID 4736 wrote to memory of 1568	4736	cmd.exe	91
PID 4736 wrote to memory of 1568	4736	cmd.exe	91
PID 1568 wrote to memory of 2236	1568	1.exe	92
PID 1568 wrote to memory of 2236	1568	1.exe	92
PID 1568 wrote to memory of 2236	1568	1.exe	92
PID 1568 wrote to memory of 1056	1568	1.exe	94
PID 1568 wrote to memory of 1056	1568	1.exe	94
PID 1568 wrote to memory of 1056	1568	1.exe	94
PID 1568 wrote to memory of 2796	1568	1.exe	96
PID 1568 wrote to memory of 2796	1568	1.exe	96
PID 1568 wrote to memory of 2796	1568	1.exe	96
PID 1568 wrote to memory of 1984	1568	1.exe	98
PID 1568 wrote to memory of 1984	1568	1.exe	98
PID 1568 wrote to memory of 1984	1568	1.exe	98
PID 1568 wrote to memory of 1840	1568	1.exe	101
PID 1568 wrote to memory of 1840	1568	1.exe	101
PID 1568 wrote to memory of 1840	1568	1.exe	101
PID 1568 wrote to memory of 3048	1568	1.exe	103
PID 1568 wrote to memory of 3048	1568	1.exe	103
PID 1568 wrote to memory of 3048	1568	1.exe	103
PID 1568 wrote to memory of 3972	1568	1.exe	105
PID 1568 wrote to memory of 3972	1568	1.exe	105
PID 1568 wrote to memory of 3972	1568	1.exe	105
PID 1568 wrote to memory of 3880	1568	1.exe	107
PID 1568 wrote to memory of 3880	1568	1.exe	107
PID 1568 wrote to memory of 3880	1568	1.exe	107
PID 1568 wrote to memory of 2200	1568	1.exe	109
PID 1568 wrote to memory of 2200	1568	1.exe	109
PID 1568 wrote to memory of 2200	1568	1.exe	109

C:\Users\Admin\AppData\Local\Temp\43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43053106f94bc15a25ab7db4e5920425_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\QQ.exe
  C:\Windows\QQ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\un.exe
    C:\Users\Admin\AppData\Local\Temp\un.exe x -o+ -p51loveqq C:\Users\Admin\AppData\Local\Temp\up.rar C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      C:\Users\Admin\AppData\Local\Temp\1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C del C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\*.lnk /f /q
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\浏览器.lnk C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\浏览器.lnk /y
        5⤵
        
        PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Public\Desktop /y
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Public\Desktop\ /y
        5⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Public\Desktop\ /y
        5⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\ /y
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ /y
        5⤵
        Drops file in Program Files directory
        
        PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ /y
        5⤵
        Drops file in Program Files directory
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C copy C:\Users\Admin\AppData\Local\Temp\*.lnk C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\ /y
        5⤵
        Drops file in Program Files directory
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
44KB

MD5
8466daee49a8b3ff376d502867beec78

SHA1
06d5d09877e482f72dc491e4ce550e1b74fb4e56

SHA256
33a0c21208029ebd3289716fb1394ed447dac2f172829b1c9249a5ca7ab8263d

SHA512
52448cad828f0dfcadda3c43f2422f74df5ca85b986d3ac00b91679663636c0b4b485becc9e3b75c453b7e165e864476c99640ac55687528e405bbab14783873

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.dat

Filesize
116KB

MD5
f824c7b0fd4e2480fa12cefbfa1f859a

SHA1
685243a3e9fb368d0999bb524c6671f96f554aba

SHA256
659495cc6e2fbe79a7b4d0a86cf1ddf88d5c1b9bf7a130b6c3de857300debddd

SHA512
a21b3d0b880a6d3bf3e429ca386edb47c97b9b87935712d46d3c12602c33ed493bcfcd580fcbb7bc4a70752f530a1e12264cdf24d78d50bf932bba4578bb9c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox Private Browsing.lnk

Filesize
1KB

MD5
8ab2b752b3bd4e88dd787c5d1457be2a

SHA1
47e8cdad02a2336978e4d4bcfc9195793a96ed29

SHA256
faa83c7087eb709fd5cea997aae4baf5d663646cccbe544b3c34ae4fc65e9d82

SHA512
136513dc35c611b6ee77eb01319fa9128eecc29aed9a177d3efb21b7e22f40420b67225e01b0ba9913652767d8078d30425775699ee3037891215ea7b77b138c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.lnk

Filesize
1KB

MD5
e6e3d9004ee19199565e827d3ec3a46f

SHA1
c9c3ac8beb38236fe29f29ebff0a5ea664fc20bd

SHA256
e6d7ed55e8663d6e4e7b197f2f9acc381bbcfc913532520c559c850da6164bc4

SHA512
22040387723f201fe56165590fc30cb7f96ba5d4609f23ce0ba6a47ec5b6252d2f937dc71b2a2627299d7c6efbf61ac69d3629c6df9ac52024ed3baed39a2fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.lnk

Filesize
1KB

MD5
c02344d828ede69c1c3329ba299d3623

SHA1
3fcbfe73ea060d06bb738ade056c130fd37fdbcf

SHA256
79a782b785c39504107899fd92a7b881a9a8be2d925bfbb9ca813736a570c2b2

SHA512
7d16307dacd37c5ebb08f3159a0a366b9cc0c8bbe179e901c05edea28277b0eeadf82902333f5fc9dad0550c5a28860f88043e846126b1141e89d1473b558782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.lnk

Filesize
1KB

MD5
218b58af968017ed8ec8b21509e9a805

SHA1
82f71d489e19a08ffa248c49984680747a691271

SHA256
512c537df30039a9c8b50c715bd77a8ea51f3f62357418fb6ed65a742b6b5700

SHA512
25e7382cbf9eb273b9a3aa715bdfa14dfe08f1f2f26261374572064566beb0322e1e9e72d05d1f6c3a48ab7cc4155d7a98b8f94878dfca10129efb9d9efb2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.lnk

Filesize
1KB

MD5
bacb1876e3ce2eef0777af710155cf12

SHA1
b2708f7cc93762aa8459f07b595bdc7892ea03dc

SHA256
77bb22d1088958a18d22287bf9e3915ae3c836f121354a9ccd6235dfeef659b1

SHA512
b4f39e9c8ce866429bc9dca317e8895e74b71dbd1355ad7cf6ec4d27b42bb22bf23f096f9b6a83e8e0cd4495548d8a2298ec96429e13ce513ce97805137a5257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Internet Explorer.lnk

Filesize
1KB

MD5
67e3dc2de645b254f7184b901629bec2

SHA1
840d6448c8ce6538c335de10c62c80c26ce88d79

SHA256
4cb1a0d92c23d2c56ff607f95c23fb644aa58b62f2e2ed1d61a06f6a1940b391

SHA512
6543b8eb0e81b900697cf7a2d67ffec3e2b0f40aa095d1e2f577d80fbcf44fba1ca5e142efcd4115c289e542c8725967c1ce1a2b23ec968dfabfacc9e4b4c6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\un.exe

Filesize
214KB

MD5
120a33d31a303409c7dc097d0f1110f6

SHA1
4e4f784e9946bd7d42b9f1554ad417aa70eddaa8

SHA256
3b7eeec19fd8e2ad81bbde84790f9ba6f2f9670e3fe32585702423f39b1862d5

SHA512
ae725446ba68760e7010c1c0dc959a58cce94ac996661329512fe9adfe14a0fe5105ee75e11629e9caf0eeca1b6dc034cdb13f723dae0b0d97164fe4fdd76291

Download Submit
C:\Users\Admin\AppData\Local\Temp\up.rar

Filesize
50KB

MD5
d5439f66db2157910b00a77062639187

SHA1
1f6ec105b34d86865f700c71685a6130d7c26186

SHA256
3e14956991470e43718757cd4ad7084357747e257d3c4cbe733c4833877f2c8a

SHA512
b2d656c110969bfcee9101a9c288069e28b9694549bcb3b685b2098a8bc8f47662b3915cc3d423619eba3a5d49d8ac2511fed6f838d49876a65b0a74afa2f982

Download Submit
C:\Windows\QQ.exe

Filesize
300KB

MD5
1730f853b313ee77e871b611426f11c5

SHA1
650856de93206855da5e2208067eaaa2ec69e704

SHA256
da68b9337290d5cf64256da449e16124b25a11ec5e949f655d48057f1be5d4c5

SHA512
25e8ac203ec24aae2460931d07ecb1749855f731ae25b1273f8c2bbce0f4de4d311cc11c59a5c4d18f41fc418fb45be532a0520980ff9b5be7d713d56b62f2dc

Download Submit
memory/2220-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download