db85071114c8a9d9f3955ed94fa0e23dc7f80b6db815180f0de613cb3651e449

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
Size

708KB
MD5

a0c7f6dc2181a03822d80b89e3eb23b6
SHA1

24d32b7cf785f015f042e7e2775b685aa05e44bd
SHA256

db85071114c8a9d9f3955ed94fa0e23dc7f80b6db815180f0de613cb3651e449
SHA512

1e2782e13b0563a34c9dcf40146061642665c8ea9d2c90cc10969e7bb4ed2f6929c216719f76a649f927e4a8fc9b69c122591494fd09d9e1071fa13040a76d30
SSDEEP

12288:LwKQPwAuox7TnLPBG/qoHXwIAKP7r9r/+ppppppppppppppppppppppppppppp0G:GwAuox7TU/F3TP1q

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2812	qqzone.exe
2532	qqzone.exe
2476	qqzone.exe

Loads dropped DLL 7 IoCs

pid	Process
2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2812	qqzone.exe
2812	qqzone.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-10-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2656-4-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2656-7-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2656-33-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2532-64-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\AZiqn = "C:\\Users\\Admin\\AppData\\Roaming\\@OFF\\qqzone.exe"	qqzone.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\z7x0Lv4d3 = "C:\\Users\\Admin\\AppData\\Roaming\\@OFF\\qqzone.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2812 set thread context of 2532	2812	qqzone.exe	32
PID 2812 set thread context of 2476	2812	qqzone.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqzone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqzone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe
Token: SeDebugPrivilege	2532	qqzone.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
2812	qqzone.exe
2532	qqzone.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2656	2728	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2812	2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2812	2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2812	2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2812	2656	a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2532	2812	qqzone.exe	32
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2812 wrote to memory of 2476	2812	qqzone.exe	33
PID 2532 wrote to memory of 1548	2532	qqzone.exe	34
PID 2532 wrote to memory of 1548	2532	qqzone.exe	34
PID 2532 wrote to memory of 1548	2532	qqzone.exe	34
PID 2532 wrote to memory of 1548	2532	qqzone.exe	34
PID 2532 wrote to memory of 1548	2532	qqzone.exe	34
PID 2532 wrote to memory of 1548	2532	qqzone.exe	34
PID 1548 wrote to memory of 2948	1548	bitsadmin.exe	36
PID 1548 wrote to memory of 2948	1548	bitsadmin.exe	36
PID 1548 wrote to memory of 2948	1548	bitsadmin.exe	36
PID 1548 wrote to memory of 2948	1548	bitsadmin.exe	36
PID 2948 wrote to memory of 1564	2948	cmd.exe	38
PID 2948 wrote to memory of 1564	2948	cmd.exe	38
PID 2948 wrote to memory of 1564	2948	cmd.exe	38
PID 2948 wrote to memory of 1564	2948	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0c7f6dc2181a03822d80b89e3eb23b6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe
    "C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe
      "C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ORHBX.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "z7x0Lv4d3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1564
  - - C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe
      "C:\Users\Admin\AppData\Roaming\@OFF\qqzone.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ORHBX.bat

Filesize
142B

MD5
9ab34ce633d5269f04e58ab1877c008c

SHA1
df4356195278c3249072de4d3e3fbcbe2ac3d21f

SHA256
8aa118775d1829cc57a6177404d0967357a22adc48025ecc66e5eb6993901f25

SHA512
2d09626fc054d5c8db177467ae27d9c4e41d387c34955091db094752aede48aceb72e6939c3ff9072b30a4a546a1a41bbf1e5cb135380db789d22cf4d269e070

Download Submit
\Users\Admin\AppData\Roaming\@OFF\qqzone.exe

Filesize
708KB

MD5
f3ec521c33fe58590ad2096a961ea872

SHA1
053a019d0de09ed98edd7a229aaae1cb8c193804

SHA256
7de4e95810e95f8def1f5430255de863de704e79fbb0845ba0a2ee6b8353f6ca

SHA512
29d5c6aff08c5d44ed379ea84fb630ae47d33b66800809e88e785cdc061c5643bd17e2413bae2648fbe8352683415014f10c8b284de775c63a7bd5cffc8c5706

Download Submit
memory/1548-59-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2476-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2532-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2656-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2656-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2656-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2656-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-2-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/2728-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2728-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2728-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads