6f198ab9fdebd92109c538a017ebe3472ff6f89574143ab0f8513415dca0fa1c

Analysis

max time kernel
141s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe
Size

1.0MB
MD5

b186f9c36549713786c8e4fa21521250
SHA1

5788235bc187b6d14b44d557f3cdb742c050d43f
SHA256

6f198ab9fdebd92109c538a017ebe3472ff6f89574143ab0f8513415dca0fa1c
SHA512

53d5beb6c26e0d0fb93735e4e4f5f48f3df466fadb81606027e52ea3cdcd4d7b5b12b567f5fb2043361fa360ba49a1a176f1f104ab3702e91d280374166667c2
SSDEEP

24576:Pc//////5jXTE2ShwRuOmVrO4fQjAktJUuXoUacYav6SziYeX/zez:Pc//////5jXTETc6O/ZtJUuXoUQQeXbu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	opplayw382.tmp

Executes dropped EXE 7 IoCs

pid	Process
4976	PPLive6909.exe
912	opplayw382.exe
1812	opplayw382.tmp
5012	pplivetj.exe
3336	Loader_forqd236.exe
3440	cstv.exe
1304	filmso.exe

Loads dropped DLL 5 IoCs

pid	Process
4976	PPLive6909.exe
1812	opplayw382.tmp
1812	opplayw382.tmp
1304	filmso.exe
1304	filmso.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-7RCFC.tmp	opplayw382.tmp
File opened for modification	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\unins000.dat	opplayw382.tmp
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-QS3AF.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-PVGQJ.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-SAVMB.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\sogouInput\is-5R5ER.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\sogouInput\is-UGLA3.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-KN0JP.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\data.dat	cstv.exe
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\unins000.dat	opplayw382.tmp
File opened for modification	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-QS3AF.tmp	opplayw382.tmp
File created	C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\is-TMS21.tmp	opplayw382.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opplayw382.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader_forqd236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cstv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opplayw382.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pplivetj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filmso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PPLive6909.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023444-4.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	opplayw382.tmp
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\IESettingSync	cstv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	cstv.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	cstv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	cstv.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.henbianjie.com"	opplayw382.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5012	pplivetj.exe
3440	cstv.exe
3440	cstv.exe
3440	cstv.exe
1304	filmso.exe
1304	filmso.exe
1304	filmso.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3932	1540	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe	84
PID 1540 wrote to memory of 3932	1540	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe	84
PID 1540 wrote to memory of 3932	1540	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe	84
PID 1540 wrote to memory of 4376	1540	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe	85
PID 1540 wrote to memory of 4376	1540	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe	85
PID 1540 wrote to memory of 4376	1540	b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe	85
PID 4376 wrote to memory of 4976	4376	cmd.exe	88
PID 4376 wrote to memory of 4976	4376	cmd.exe	88
PID 4376 wrote to memory of 4976	4376	cmd.exe	88
PID 3932 wrote to memory of 912	3932	cmd.exe	89
PID 3932 wrote to memory of 912	3932	cmd.exe	89
PID 3932 wrote to memory of 912	3932	cmd.exe	89
PID 912 wrote to memory of 1812	912	opplayw382.exe	90
PID 912 wrote to memory of 1812	912	opplayw382.exe	90
PID 912 wrote to memory of 1812	912	opplayw382.exe	90
PID 4976 wrote to memory of 5012	4976	PPLive6909.exe	91
PID 4976 wrote to memory of 5012	4976	PPLive6909.exe	91
PID 4976 wrote to memory of 5012	4976	PPLive6909.exe	91
PID 4976 wrote to memory of 3336	4976	PPLive6909.exe	92
PID 4976 wrote to memory of 3336	4976	PPLive6909.exe	92
PID 4976 wrote to memory of 3336	4976	PPLive6909.exe	92
PID 1812 wrote to memory of 3440	1812	opplayw382.tmp	93
PID 1812 wrote to memory of 3440	1812	opplayw382.tmp	93
PID 1812 wrote to memory of 3440	1812	opplayw382.tmp	93
PID 1812 wrote to memory of 1304	1812	opplayw382.tmp	94
PID 1812 wrote to memory of 1304	1812	opplayw382.tmp	94
PID 1812 wrote to memory of 1304	1812	opplayw382.tmp	94

C:\Users\Admin\AppData\Local\Temp\b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b186f9c36549713786c8e4fa21521250_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\opplayw382.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\opplayw382.exe
    C:\Users\Admin\AppData\Local\Temp\opplayw382.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\is-PPKKS.tmp\opplayw382.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PPKKS.tmp\opplayw382.tmp" /SL5="$901D2,631297,73728,C:\Users\Admin\AppData\Local\Temp\opplayw382.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\cstv.exe
        
        "C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\cstv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3440
    - - C:\Program Files (x86)\sogouInput\filmso.exe
        
        "C:\Program Files (x86)\sogouInput\filmso.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\PPLive6909.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\PPLive6909.exe
    C:\Users\Admin\AppData\Local\Temp\PPLive6909.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\pplivetj.exe
      "C:\Users\Admin\AppData\Local\Temp\pplivetj.exe" 6909
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\Loader_forqd236.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader_forqd236.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sogouInput\ethernet.dll

Filesize
87KB

MD5
50c334530645dcddaf6f1f7e95b1cb22

SHA1
e957342fc048fbb7fef8216880a2c8451732fd5f

SHA256
8a7b8a6fc36d550fc74e1dffab8b026c8269f4fd6ef66744bbf4eb9844cfc1a9

SHA512
ab46e5c0a59c8239cfdc14a976ad377d4a876bf0cfb6e1144fa73d6db8597628e530ad0722b5a9e14a22aa02b6ce0df89cabe631f2e3c75109617515bb475e0d

Download Submit
C:\Program Files (x86)\sogouInput\filmso.exe

Filesize
52KB

MD5
35401c4ea2d61eb84cfc3ae67de0002b

SHA1
87d46379f48549853f775939433449aa8f64bc9f

SHA256
601f83f256e253ea01c10d01cd0f7ad69b4da92c6ce56631e383374d1834bcfd

SHA512
c0a92e7d3bde8d4a87824619c1f0c290c08b7aedd4984fb46d953b7950fbaa3451e3f3b676eb4d24c1ff21e828faba0e5dd6490ef8175978f25ab54df02ae5e1

Download Submit
C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\cstv.exe

Filesize
1.2MB

MD5
3f1814e50469a9d48785b5fa6afeca69

SHA1
0588332d952bf2fc49971fb1dd01af04a7312ac3

SHA256
aef8990f8d1b24926a57bac724585445937c736c2f11c706c6fc2ddfb456b13e

SHA512
616b2a1f3e4d9fb637057a2702424957b3bd6bd6b54a5ed1d3627390655e926c83e20518cb46555383c76d0e131ec1ca501e372b391809bd0a5537cf42b74be6

Download Submit
C:\Program Files (x86)\³©Ë¬ÍøÂçµçÊÓ\unins000.exe

Filesize
716KB

MD5
197f764cff47b30caf5e21502f2af24f

SHA1
694d7de8f9afb2f189d9000cc103ded3217ce72a

SHA256
90dc781e0c25daa806efb81df04833dfab077a889c03fce5fadac870ac08050c

SHA512
0c5e0e1b9e0e8a5bb98b0f888a2237b158dc992b77ca02a352d7aa6b2ddcc7a298ceffda697953b7d5cbc296542934f49c289b3bc5d37895bf38bcdf19e2b46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader_forqd236.exe

Filesize
57KB

MD5
778a663676dd303d46d844259513bbe2

SHA1
4bbb24e0f3cf75d70828841c05745454c20577da

SHA256
c68f4ce6b20da5c9f5e21ef6ed4d51ad521a6e08ca30d5b36125e548e72dd65b

SHA512
36b5f57ed5004f0ebec0a4919ff58c0816c9c529d32b034345dae4490801f338e66e35b780a34468ac23d3ff35300e2bb2e4557b56dd8dab6197b9efab526de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPLive6909.exe

Filesize
106KB

MD5
a354b8bcc9ec8548c40a02af20e5f091

SHA1
e60d083a859012f5539e1936d63c827f70d4f5a0

SHA256
d6598f6c4ed2b33d1e114bfe763320f44537795dce5f0c9adab9aa37c4160e46

SHA512
eb2c5964f9d4f7700acc623e68ad791e0ed16d6d339276b9e8bef328ba3950fa6293a32128ae15d159d4747d7631b568380f830b62880c72a147dc65a1925614

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7CD0A.tmp\LnkHelper.dll

Filesize
88KB

MD5
b1d5d93e52a50ccf04f8df7889b5d77d

SHA1
0ab0fde0261137fcfd6cbc9399d1bbb1ba02e2b8

SHA256
49ee4e70b766a8ed0c71d0849543280175dcb1dfd216b036638601b3c2cd1ca0

SHA512
e1e5d63a28e57069fdd9c8f9a9fee43e137ce95d7791fbf354df7e19e5dee3e279307e388e25572367f1ffdc155d4d31f69b9afb056081e79ad2ba7dab3ecb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PPKKS.tmp\opplayw382.tmp

Filesize
710KB

MD5
a111f129667ad83830280ac7c1e79312

SHA1
9bfe48980f60136ee91904b4d9440669a5482ec0

SHA256
c588ab2a50574d89f04088190b6347a3997fdc09729fc69525cfff19b0996f42

SHA512
3b92cd416cc4166b210f6fac2bffcf36f80f707c50fe06c927b5852d1fd6c6147cd7d8487176aff9fb8ce12768985c564fcd3022ca697b3505c4b5510bb5c484

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DE.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\opplayw382.exe

Filesize
869KB

MD5
b0efbc0b89380b9d2858b089ccdc8f8e

SHA1
477f8abc439fc97883b37712f7e9ce2ffa96ffa3

SHA256
8047ccb534c390396f41e4e8f46cdd975db650ce8a7898fa928bb1882b0c4b7e

SHA512
954dbd98af02de2618da597a479ed0875d03b685f156442f325ea4be0cff3b08311843cab5734babe4c23290b4615be829f5b94e482ea58a503f783281565d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\pplivetj.exe

Filesize
100KB

MD5
7d6a1c6a9f789d317e4d8e0c8091be0c

SHA1
b18e29bd9bf6624f23070a1e3a9c3083aac041f7

SHA256
b394f43c1ad591b7714740ebdbc54bc51fbb45b25c226f045e2621e98baaa99f

SHA512
a0c5d38918430cf56850ef4930ef79ab71f3544bf9c0aba480d9521eadf2575b5cc623ebd62e3afc3d8924ee37dca21a760ff150d86dbec262e73676e83a9fae

Download Submit
memory/912-12-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/912-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/912-117-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1304-121-0x0000000003B10000-0x0000000003B2B000-memory.dmp

Filesize
108KB

Download
memory/1304-124-0x0000000003B10000-0x0000000003B2B000-memory.dmp

Filesize
108KB

Download
memory/1540-2-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1812-22-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1812-97-0x0000000005720000-0x000000000573B000-memory.dmp

Filesize
108KB

Download
memory/1812-116-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads