f78d2118f3318591ec609286ba5ffafcd9653481f7d0ddcf16adc4d9e376d558

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
Size

344KB
MD5

b9ff76be44a1a36bcf87495e9cfbe551
SHA1

3782d50d88de2e19e8a744f284e0ce02e9fdaf04
SHA256

f78d2118f3318591ec609286ba5ffafcd9653481f7d0ddcf16adc4d9e376d558
SHA512

6a2c5170031de6965e30ba14eea2cf93cad03d1dc8dc52092f5e1fb6dfc0fb35b630dc39bf61743144550ea9677b13f0cba0406a52624fde7c03154c49a1a4ef
SSDEEP

6144:Iquqge6VH0pwpMnE+XF+DcVkmi3prmICCK:Iege6VH0ppnZXF6gPi3prmICCK

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	maoma1.exe
2468	qiuqiu.exe

Loads dropped DLL 9 IoCs

pid	Process
1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
2296	maoma1.exe
2296	maoma1.exe
2296	maoma1.exe
1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
2468	qiuqiu.exe
2468	qiuqiu.exe
2468	qiuqiu.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\qiuqi1.bat	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
File created	C:\Program Files\Common Files\maoma1.exe	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqi1.dll	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maoma1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiuqiu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32	qiuqiu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	qiuqiu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}	qiuqiu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32\ = "C:\\Program Files\\Common Files\\qiuqi1.dll"	qiuqiu.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2296	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	31
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 1000 wrote to memory of 2468	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 2468 wrote to memory of 2832	2468	qiuqiu.exe	33
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35
PID 1000 wrote to memory of 2984	1000	b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9ff76be44a1a36bcf87495e9cfbe551_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files\Common Files\maoma1.exe
  "C:\Program Files\Common Files\maoma1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Documents and Settings\qiuqiu.exe
  "C:\Documents and Settings\qiuqiu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\DOCUME~1\qiuqiu.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\B9FF76~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\maoma1.exe

Filesize
24.0MB

MD5
a27ba40d7dd9d40e473497c5d4eee0c0

SHA1
49ae79ae140faacf3df8e25ee2a11529ae792172

SHA256
622cc2366581d203b1352139ab5b2200849e9995625ed8610f9edb786c816136

SHA512
abf17af3a9c0c3c274c6c5c74102b29bc8c4a3fa78d57ff8a28c938e8e65fac8d2f824485d92e93c540d102bfce64eab45aa4f9de33506de5f5f726c3991e869

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
eb52dc7173c72b3222cb4e0696031b94

SHA1
9cea6560028c4e9c3b3a89d07c1fcc05e47b84b5

SHA256
be1e30ecb3051e0034d5a5fab56e1ce1530d499b6d6d4f0a9f401df0ae419ed1

SHA512
20fff4f0bbe87fbc2a9785154e132e0ba93dac75d6364283072c70cea50906e7d604a7bbe1c49d586c8a5907f58ddb6ecea8bb57c396a6ea1c51f86357dd3b9a

Download Submit
memory/1000-45-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1000-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1000-6-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/1000-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1000-7-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1000-4-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1000-2-0x0000000000450000-0x000000000048E000-memory.dmp

Filesize
248KB

Download
memory/1000-13-0x00000000004F0000-0x00000000004FB000-memory.dmp

Filesize
44KB

Download
memory/1000-19-0x00000000004F0000-0x00000000004FB000-memory.dmp

Filesize
44KB

Download
memory/1000-32-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1000-3-0x0000000000450000-0x000000000048E000-memory.dmp

Filesize
248KB

Download
memory/1000-35-0x0000000000450000-0x000000000048E000-memory.dmp

Filesize
248KB

Download
memory/1000-44-0x0000000000450000-0x000000000048E000-memory.dmp

Filesize
248KB

Download
memory/1000-26-0x0000000000240000-0x0000000000289000-memory.dmp

Filesize
292KB

Download
memory/1000-25-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1000-1-0x0000000000240000-0x0000000000289000-memory.dmp

Filesize
292KB

Download
memory/2296-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2296-29-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2296-28-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2296-27-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2468-41-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2468-36-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download