c12404434c3700090202c22b3146549be537dd8decc4118a6c61efff6ea99204

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe
Size

463KB
MD5

9fdc688e2fb73b9c2dcde13072e4cead
SHA1

0af1b37fd74d0c513d0c8c198b60431b39eb79ea
SHA256

c12404434c3700090202c22b3146549be537dd8decc4118a6c61efff6ea99204
SHA512

c27b643add318466434046ec686dc95c7729d44f950b25370ac53f187061730c1232fa61670b2495fbbe8b80705571803b47b01cd0064b7932f876237d4c3766
SSDEEP

6144:51GWAE418yv9ZhR6/fL0ediFN39op1HpA4hqa5ZjWJqlfV:5Y5RQLClem4MaLjWJqVV

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5596	a.exe
2632	QQ.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"F:\\msdownld.tmp\\IXP000.TMP\\\""	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQ2012 = "C:\\WINDOWS\\QQ.exe"	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQ = "C:\\WINDOWS\\QQ.exe"	a.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe
File opened (read-only)	\??\A:	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe
File opened (read-only)	\??\B:	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\QQ.exe	a.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5596	a.exe
5596	a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5156 wrote to memory of 5596	5156	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe	88
PID 5156 wrote to memory of 5596	5156	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe	88
PID 5156 wrote to memory of 5596	5156	9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe	88
PID 5596 wrote to memory of 2632	5596	a.exe	89
PID 5596 wrote to memory of 2632	5596	a.exe	89
PID 5596 wrote to memory of 2632	5596	a.exe	89
PID 5596 wrote to memory of 5900	5596	a.exe	90
PID 5596 wrote to memory of 5900	5596	a.exe	90
PID 5596 wrote to memory of 5900	5596	a.exe	90

C:\Users\Admin\AppData\Local\Temp\9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9fdc688e2fb73b9c2dcde13072e4cead_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5156
- F:\msdownld.tmp\IXP000.TMP\a.exe
  F:\msdownld.tmp\IXP000.TMP\a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5596
- - C:\WINDOWS\QQ.EXE
    C:\WINDOWS\QQ.EXE
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface ip set address "±¾µØÁ¬½Ó" static
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5900