983c2fc9e9dc4e9de1eda711746da216ba4c48fc2324f1dcbe8689f058772603

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Size

4.1MB
MD5

4d9e7c28e9ec225d39bc1073e3065587
SHA1

4bb8fcb256d1d70f5887ec17fedbade4f3d59dff
SHA256

983c2fc9e9dc4e9de1eda711746da216ba4c48fc2324f1dcbe8689f058772603
SHA512

ad339dc089c683c0217172ce5c578ea1504035b9b429242563cb04e49099a96804bafbd45848c0c87d51d4a826db5f9a397d1cb39ccc64c52de964a14b664431
SSDEEP

49152:s5Vsd5TNcvHpYH+NcXVys1bKwt3g3Sif5sPE40UY+EtsPuip7+RIL:CmMqJX7htg3jYEuUsGiR+e

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xsn.dll	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
File opened for modification	C:\Windows\xsn.dll	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\CLSID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\VersionIndependentProgID\ = "QMDispatch.QMRoutine"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32\ = "C:\\Windows\\xsn.dll"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\ = "QMDispatch 1.0 Type Library"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMRoutine Class"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\Programmable	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\TypeLib	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ = "IQMRoutine"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMRoutine Class"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32\ = "ole32.dll"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\VersionIndependentProgID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32\ThreadingModel = "Apartment"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32\ = "C:\\Windows\\xsn.dll"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\Version = "1.0"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CurVer	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\FLAGS\ = "0"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\ = "QMRoutine Class"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID\ = "{EBEB87A4-E151-4054-AB45-A6E094C5334B}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMFunction"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\HELPDIR\ = "C:\\Windows\\"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ = "IQMRoutine"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CurVer\ = "QMDispatch.QMRoutine.1"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\ = "QMDispatch.QMFunction"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMFunction"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\HELPDIR	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\Version = "1.0"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine.1"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4D9E7C~1.EXE"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\FLAGS	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
2892	4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d9e7c28e9ec225d39bc1073e3065587_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F0C8.tmp

Filesize
742B

MD5
f64340a79a17ba766c61df917dc8f763

SHA1
e84216183ad0163727c9027fb856788c189165ee

SHA256
ef9d6b0fd0e25287c4e84ecda3fd73013978727c382e720ca8a28642614ccc96

SHA512
d9c2067ad6becb0cbc20640f25090e5c45d057c613a12c34d5403d0190ae8b4c060e5df066b1489dbbe74df7b1fcce62be2bbaeac7e79ee20c7f3090cce3ad8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F12B.tmp

Filesize
229KB

MD5
348881cc1ae93d54d7e7bb26e3cb4ac3

SHA1
d04c8c2d847836bc620569f03750df248ee521e0

SHA256
4f6760c4df06ef4003334ba3da68d1600a1042aec5562f58de6f4b2e3b3baa6a

SHA512
948d643f7e4d5c3e3571cf6ef9eb5ec34e05b6c36bc84783d1464859daae0613301a559f7f1addaca077ac80e270b5cfc27fe19494808e46a18d7e9ae2afad55

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsi.dll

Filesize
60KB

MD5
b46a277054a58d119d72af954bafe427

SHA1
521212f5e3b5de55d9faa68a407b3711dc2c6de2

SHA256
f0cdb5444f2a984d847600a6f622611ad468a7a344d31b57770e18ba0c817c47

SHA512
1ebcbeb82150f447202433571443c01389e3e85e6f733fe66be3ad76abdb984b8222b6f94e3feb8d322b4b481c89400edd534cf07bf4919eeff5696f0e1fb514

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp01.dll

Filesize
40KB

MD5
ff1c120c29eeb3ed4af0bb2e98d15fd4

SHA1
3cbefd32ce25e59f9187bb2eddb1a8cbec6a8b54

SHA256
071a0231dbdb0da96fdaabc7c60afaf3bf7b367017a03a47cfa3ad059be7b4c9

SHA512
eb31249e4d61220ddfdb3dc6027a9aebee24e75abf0e3dfc219f5742816e7efd2747be91f2722b6d5068335998f40950ed67913d615854fcee23e7f784f423ea

Download Submit
memory/2892-0-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2892-1-0x0000000000877000-0x0000000000879000-memory.dmp

Filesize
8KB

Download
memory/2892-2-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2892-74-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/2892-78-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download