fc608ae08dedf5de1d54ae6562a300691006a5fe910855b732cd129e8103b3a3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
Size

765KB
MD5

4bfda3e1513c12003161b55586040862
SHA1

ae81eb6c7eacde9def70c570ca631c0bc650f96e
SHA256

fc608ae08dedf5de1d54ae6562a300691006a5fe910855b732cd129e8103b3a3
SHA512

dc49ba55f0e2031179e7d299fa75922087ccdc2c86e6f981085203ff90e06c73ac65dc84706e232d60aa6c49bcc6dd1fac7df5bbc8d918048690c36207e20c68
SSDEEP

12288:vveJUuJX/hTk2z/MNq14Y7QikM6ZbNaINa8OGgwBxmjCnChGeod1A067PhRiwI:vveJUeX/hTk8/MkL7QNxxOenCF0MriwI

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023471-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4128	Qhpmbmlbk.exe

Loads dropped DLL 6 IoCs

pid	Process
216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
4128	Qhpmbmlbk.exe
4128	Qhpmbmlbk.exe
4128	Qhpmbmlbk.exe
216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023471-4.dat	upx
behavioral2/memory/216-7-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/216-39-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/4128-50-0x0000000010000000-0x0000000010129000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Qhpmbmlbk.exe	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Qhpmbmlbk.exe	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Qhpmbmlbk.dll	Qhpmbmlbk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Qhpmbmlbk.dll	Qhpmbmlbk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\41e9863c0170cfe5649d845e94fc36c5.dat	Qhpmbmlbk.exe
File opened for modification	C:\Windows\Fonts\41e9863c0170cfe5649d845e94fc36c5.dat	Qhpmbmlbk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	Qhpmbmlbk.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	Qhpmbmlbk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119123"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2A6CFA23-4307-11EF-9D1F-569B09BE6E2C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4274690688"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427853327"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4277347415"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	Qhpmbmlbk.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119123"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4274690688"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119123"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4128	Qhpmbmlbk.exe
4128	Qhpmbmlbk.exe
4128	Qhpmbmlbk.exe
4128	Qhpmbmlbk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2892	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
4128	Qhpmbmlbk.exe
4128	Qhpmbmlbk.exe
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4128	216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe	84
PID 216 wrote to memory of 4128	216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe	84
PID 216 wrote to memory of 4128	216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe	84
PID 4128 wrote to memory of 2892	4128	Qhpmbmlbk.exe	87
PID 4128 wrote to memory of 2892	4128	Qhpmbmlbk.exe	87
PID 2892 wrote to memory of 2028	2892	IEXPLORE.EXE	88
PID 2892 wrote to memory of 2028	2892	IEXPLORE.EXE	88
PID 2892 wrote to memory of 2028	2892	IEXPLORE.EXE	88
PID 216 wrote to memory of 2408	216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe	89
PID 216 wrote to memory of 2408	216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe	89
PID 216 wrote to memory of 2408	216	4bfda3e1513c12003161b55586040862_JaffaCakes118.exe	89
PID 4128 wrote to memory of 2892	4128	Qhpmbmlbk.exe	87

C:\Users\Admin\AppData\Local\Temp\4bfda3e1513c12003161b55586040862_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4bfda3e1513c12003161b55586040862_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- C:\Program Files (x86)\Common Files\Qhpmbmlbk.exe
  "C:\Program Files (x86)\Common Files\Qhpmbmlbk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer Automatic Crash Recovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""c:\4bfda3e1513c12003161b55586040862_JaffaCakes118.exe_And xMe.bat""
  2⤵
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Qhpmbmlbk.exe

Filesize
765KB

MD5
4bfda3e1513c12003161b55586040862

SHA1
ae81eb6c7eacde9def70c570ca631c0bc650f96e

SHA256
fc608ae08dedf5de1d54ae6562a300691006a5fe910855b732cd129e8103b3a3

SHA512
dc49ba55f0e2031179e7d299fa75922087ccdc2c86e6f981085203ff90e06c73ac65dc84706e232d60aa6c49bcc6dd1fac7df5bbc8d918048690c36207e20c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5HI12B12\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
408KB

MD5
b49e63ddadf4e7742ac810c24c874d34

SHA1
1dc901478e656f194442f272c34267d323906561

SHA256
a903caed2a7d6f8dfc7cf80ba2e2e7b8dc0b88f4afbdcb27416e7970cb481a4d

SHA512
e0d067acff06d8325a7e8bc32b2948f891c107e101c44a710f352c309cf40639c415420f1fb61daea2ad4305acf0e891b58677cc4f4c3494537c2577909bca62

Download Submit
\??\c:\4bfda3e1513c12003161b55586040862_JaffaCakes118.exe_And xMe.bat

Filesize
210B

MD5
e6e217c283a4e470ed9f4f7164eb272a

SHA1
d57c00c6b459f6d48aeb55296d254dd22d77a0cd

SHA256
b3085d5894ea3304a4b99660d0379dc6d9eabca52694e6c968f971a892fccebb

SHA512
173457758e0c5454d13004ae424f14c172376ee0e4056ac3518bf77b250be17be977187b637e11aed7863e380f3048353366445ccc7e7554b4e52ebcf8e3717f

Download Submit
memory/216-7-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/216-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/216-34-0x0000000002350000-0x000000000236E000-memory.dmp

Filesize
120KB

Download
memory/216-39-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/216-38-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4128-19-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4128-27-0x0000000003510000-0x000000000352E000-memory.dmp

Filesize
120KB

Download
memory/4128-51-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4128-50-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download