241cbd227a864b03695f2a802c1c3db20737a1da203e7c73216fe487e4f7c3f8

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Size

6.2MB
MD5

ea8b6ccde11131b1a8179102b7766906
SHA1

3b3af51b6ed5aab0a993517dadef0280bc85dacf
SHA256

241cbd227a864b03695f2a802c1c3db20737a1da203e7c73216fe487e4f7c3f8
SHA512

d02ab303b1c7aa2726c8c16368979b3001633cffb21c83a46ff83b51a3189dc9780823df65820c60305534dbe67402de2bb9682b4136f281772924c97540d8d6
SSDEEP

196608:8E4e5a7Hc0zwexEzmAscUwG35uIqNVlq2CmAcH1Otku:/pPfexEzgQNLVlb1stF

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2888	deployPkg.exe
2420	deployPkg.exe

Loads dropped DLL 9 IoCs

pid	Process
3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
2888	deployPkg.exe
2888	deployPkg.exe
2888	deployPkg.exe
2420	deployPkg.exe
2420	deployPkg.exe
2420	deployPkg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpiym = "C:\\ProgramData\\KIQQS\\deployPkg.exe /start"	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\history.xml	deployPkg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\weiduan Legend Files Update Ver 2024919.job	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deployPkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deployPkg.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\deployPkg.exe = "7000"	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	deployPkg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Token: SeDebugPrivilege	3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2888	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2888	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe
Token: 33	2420	deployPkg.exe
Token: SeIncBasePriorityPrivilege	2420	deployPkg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	deployPkg.exe
2888	deployPkg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2888	3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2888	3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2888	3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe	33
PID 3056 wrote to memory of 2888	3056	ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe	33
PID 620 wrote to memory of 2420	620	taskeng.exe	36
PID 620 wrote to memory of 2420	620	taskeng.exe	36
PID 620 wrote to memory of 2420	620	taskeng.exe	36
PID 620 wrote to memory of 2420	620	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8b6ccde11131b1a8179102b7766906_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\ProgramData\KIQQS\deployPkg.exe
  C:\ProgramData\KIQQS\deployPkg.exe /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {6BE0F786-6356-46C3-B246-018ACF7B3529} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\ProgramData\KIQQS\deployPkg.exe
  C:\ProgramData\KIQQS\deployPkg.exe /check_update
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7kLegend_Data\softinfo.ini

Filesize
259B

MD5
af9a3e345a2567e54028a480ff5ce7f9

SHA1
1f1460262cff853109647de2c09cad0fdb3e5650

SHA256
3b895fa3190cf38573ea19871019d7ab3ef517009bc0993c84cae89587213288

SHA512
9b6eb3e154cdce23824573db3f2618a0737958c0800e9ce96533c6305e6c8fdaf8b6dd94ed0e45e96687aaf14b5ddc907f19b27f7859806d347492ae47f6aa1f

Download Submit
C:\ProgramData\7kLegend_Data\softinfo.ini

Filesize
67B

MD5
8c9d774c10ec5dc44ba95098614fdf7e

SHA1
ebc161f569927dceaca1fa2cab3b25b16d554964

SHA256
02690420fc200ca60fc75f0fbb3dc83df0065f4841e2e34b2db5a29ac372e679

SHA512
20d5b768fdc8ddcfa69c91d32c5c8a3bb7871c24315de46fd2f5b2bc2c367cd6c6a180b456d3081a22670de8cb0a303aefb52e5b1c848f51723fa9d3129897f7

Download Submit
C:\ProgramData\7kLegend_Data\softinfo.ini

Filesize
319B

MD5
dd84f6c60f777db62d3d57df793b6baa

SHA1
9f0f4f68a9a4f759b8fd1e7c33401bd175ba3846

SHA256
e8c414c8daee187a920a5635ba8c07c561ec7a708e3ddf71c36ec4913a1fa980

SHA512
65581212773b69f5cc0b8e9ea5dc02926a7ed64376058e185a1efb47bf84e569e949a94908db62429e446a308a43dfa017985c61adc225902a6b7a9f183dc559

Download Submit
C:\ProgramData\KIQQS\skin\default.mkres

Filesize
132KB

MD5
333aeeb784998eaedd334b8b1b23f9ac

SHA1
43fc5b2b149cd57010499e42977ab72c92eeed68

SHA256
8a5e1d90e0b249bb47189c2dd692f19361dc379f39b645dd8688c50e5ebe2393

SHA512
28d541213be538cbf11963db210d0bfcd58c7eae6e4e5f5f6e397ad90572061e46079d7c91a7b32a32e074c9669271591096fd1233f2316427d8136a075a1bb1

Download Submit
C:\ProgramData\KIQQS\unins000.exe

Filesize
190KB

MD5
16aecc5630a969548e49d9270217fd1a

SHA1
eec7139c6713218bc3b5f2752dc677e6ec4058c0

SHA256
c29a43ad42509aa1dd5f5ee927ff645a3e7b76bb018186421844e19408b4c4d5

SHA512
ff3d55254a3393ac1f0a9eea4c5db5b026e46912654f5932f70ed7fd4ab5d38587b9b7ecef5f00b10c6dd7381bf9c056faee5a5eafa6fa555bc9761e448ecdbc

Download Submit
\ProgramData\KIQQS\deployPkg.exe

Filesize
2.8MB

MD5
42328b26b15aa4158b8900eef58d7b7f

SHA1
83bae840777e3a3d4f5b865834d1db15c9dbda23

SHA256
e5176ac21138b70ade8ea91b5a13834ecf5dfeff7cb1cbba8674eec780bc5fb3

SHA512
9a56e6da3ae9f3eb372fca86b887c392a0ed81bc0654a3ea94283994937df7625b7473b1694b9dc14e27b616a835e8d06b4b7ca1c2d6b8fb1222d1f83b2e644e

Download Submit
\ProgramData\KIQQS\libllk.dll

Filesize
109KB

MD5
283269d249daa4e2a6dff6436dfda738

SHA1
1f82d61291966174bb0c2c314dfa8776a9bb2a8f

SHA256
4fca960624bc81439be267770cc023faacce478c25b3b5fb85d24a48e9701629

SHA512
d38cfa7a0249e7e5db1ae352ee5616a7bfc493a76bfea725e9b30b2884c171bad142666c5121a02adc930b79d45503bd1e858964dd02e6a96c3b3506724709aa

Download Submit
\ProgramData\KIQQS\llkui.dll

Filesize
548KB

MD5
185bc27b8f2224e89f001f67b94e978c

SHA1
33e519f2a7561aee21c69b75de88c19012c13151

SHA256
c7bf322805a0624c5dd78d33e6dcf5e335031325e75b52d57fd9abd596f402e7

SHA512
05f2f0cd14d3876a384e3d9de1cd4fdb7e0f233db9a41f4a7328e045fd007c44816f08545a3b099b96447ecf6cc9e3ab36f414e9493bcb4ecc7998a14314efab

Download Submit
\ProgramData\KIQQS\weiduan.dll

Filesize
1.2MB

MD5
c91ab5e94b364d3cc27c4dc33409020c

SHA1
73646da6b6133de158437fb4230074e0298f36bb

SHA256
dd780f0450718a830b2a66da89e75f8e3458ae4ec9aa177abaaa3059e1c2002b

SHA512
8c32f73b58314f0272c9264c62d1f6448573ae216196ed14b7bebfa4167ac48d5fa6af5ab7897faa6202055f9ad299dc3a70d5a2c5c192160259d07f0e6034eb

Download Submit
memory/3056-51-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/3056-50-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download