7d50472a10425b4ffd66e4c8911368dc90e28fd24fab60147328031c2cb2efae

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Size

55KB
MD5

ad8a49824630d91ddae5ff9d5536baac
SHA1

0537059762b5255eeee2eb2a1197d5aefb88d67a
SHA256

7d50472a10425b4ffd66e4c8911368dc90e28fd24fab60147328031c2cb2efae
SHA512

5b12ec78336a83370197babeb55f56e4298f8405f61d9a9cedb6f25fb4a86b9ccd4356747bbea9c9325e7fccf3cf87cd908eb092b278cb6f8f98818dedfd17e9
SSDEEP

1536:nABhoTo2nKSsIuvMSEzeUFZevSRmO1iP:nALMv/s1vBEzeU3evSRmtP

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	XinQQ.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	XinQQ.exe

Loads dropped DLL 4 IoCs

pid	Process
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2680	XinQQ.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\XinQQ.exe	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XinQQ.exe	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XinQQ.exe	XinQQ.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XinQQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2680	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2680	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2680	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2680	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	29
PID 2680 wrote to memory of 2596	2680	XinQQ.exe	30
PID 2680 wrote to memory of 2596	2680	XinQQ.exe	30
PID 2680 wrote to memory of 2596	2680	XinQQ.exe	30
PID 2680 wrote to memory of 2596	2680	XinQQ.exe	30
PID 2532 wrote to memory of 2840	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2840	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2840	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2840	2532	ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad8a49824630d91ddae5ff9d5536baac_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\XinQQ.exe
  C:\Windows\system32\XinQQ.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~kpkh!.BAt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~isnb!.BAt
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~isnb!.BAt

Filesize
242B

MD5
d699ab4a198d3c93b6ed508b70795006

SHA1
85c1a2aa51973d9c2a640ffd1edeeb5e6f8ff10e

SHA256
d26b9309cf22240a4165c95fc8a3df7e91698dd3fbce71ce3214659a5eb33ae3

SHA512
ddd4f48fc0b09a5515b2fdb84dbdcdf28272b55aefa1d4cf5d81fc17c0005b70cdeecee53eb68207c4e316e8f37579420e1f57874352e2847a9a41e4a1b680f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~kpkh!.BAt

Filesize
132B

MD5
d6ab2fb510aa1bb7197af441a8a7034a

SHA1
c89ce27138003865659d005ee8f329a1e1bda942

SHA256
f9a6e0f59646f4d01890ce89c81e305e9a5dc5e4e9a927abdb4a2a4770c6e8fc

SHA512
ffd60dbd89feddc2475cc946354dbd79d97ff85c49c998ff4ade9e6637f6b5b1301392baafe2d42e62eec724b926a8a0a1cb13b52f845d958f1acbb5cd2d21cf

Download Submit
C:\Windows\SysWOW64\drivers\Beep.sys

Filesize
2KB

MD5
9c6de8ec1e833c478cdce02e95d8684a

SHA1
0363679c31d718c7d46207a4e13c77f9ad513226

SHA256
c96833d8a27557bb6dec827f1a860db6a80615d7e5ac36ef20dce3d937de4025

SHA512
b27292d65f9c54bbc50bce31e4e80b2a18665f9f13e7def2f976381b967af9156332db2f261551d7a8aedb2b8d48286e8be746fe9973a1da983af0a123edab63

Download Submit
\Users\Admin\AppData\Local\Temp\iawki.tmp

Filesize
3KB

MD5
985f9333cfedc06015fd762b3a237ef4

SHA1
c0bdcd8f7390b6cf73cf0409f920b345086b08d0

SHA256
a216924f0022b48ec06218c1519dfbe7c4f27bb2dc18b8055055376b42c16a79

SHA512
25abba00fbfb6e70cdece60b9a899ce44e18447612e8cdea8f1499fb6ddff9a769dd68efdf060e8f3d16d6701a5f3c1768b4423846b1f5937753312d557d306d

Download Submit
\Windows\SysWOW64\XinQQ.exe

Filesize
55KB

MD5
ad8a49824630d91ddae5ff9d5536baac

SHA1
0537059762b5255eeee2eb2a1197d5aefb88d67a

SHA256
7d50472a10425b4ffd66e4c8911368dc90e28fd24fab60147328031c2cb2efae

SHA512
5b12ec78336a83370197babeb55f56e4298f8405f61d9a9cedb6f25fb4a86b9ccd4356747bbea9c9325e7fccf3cf87cd908eb092b278cb6f8f98818dedfd17e9

Download Submit
memory/2532-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2532-12-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2532-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2680-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download