39ce77765b5120f1b53faebb740d2725903f9551a6868532be717cc5a235bcd4

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
Size

117KB
MD5

083b315b61405053b6431e91f25ba4fb
SHA1

423ecbeb7402129d34ba7abd39a45ff51882d721
SHA256

39ce77765b5120f1b53faebb740d2725903f9551a6868532be717cc5a235bcd4
SHA512

1d7fe3e525b3e30cd59e7189cb0060750bf9bf66326d7f51b2e8409da199d535044592dee4a57e137697359b0839894716bfa708d94f5270c64b8b98381c3e48
SSDEEP

3072:Qxvmpm2yKept6op+s+5fTRaqym0WkJificeFaL:IKep1Iss4qGR0fipFa

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	Qgywaa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\KCSCPW1HKH = "C:\\Windows\\Qgywaa.exe"	Qgywaa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
File created	C:\Windows\Qgywaa.exe	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
File opened for modification	C:\Windows\Qgywaa.exe	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgywaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	Qgywaa.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\International	Qgywaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe
2824	Qgywaa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2824	2960	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2824	2960	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2824	2960	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2824	2960	083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\Qgywaa.exe
  C:\Windows\Qgywaa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Qgywaa.exe

Filesize
117KB

MD5
083b315b61405053b6431e91f25ba4fb

SHA1
423ecbeb7402129d34ba7abd39a45ff51882d721

SHA256
39ce77765b5120f1b53faebb740d2725903f9551a6868532be717cc5a235bcd4

SHA512
1d7fe3e525b3e30cd59e7189cb0060750bf9bf66326d7f51b2e8409da199d535044592dee4a57e137697359b0839894716bfa708d94f5270c64b8b98381c3e48

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
c48144daad8b302fc57d5e10c71e3b82

SHA1
3056ba8ee1a070f04fab369bc1fc4b6ab415587f

SHA256
c178a43f16cb9b344f503acc5a0db4d008155db5a00f8044e64c1ad07f0e6139

SHA512
4d3756969be388d0d8834099b277e5f48a4861a259679ab0d18b07d3c5f4bcb62019bd392fe324dd92df4652d3fff74d038f668a0b8fd116fb97a1383e6f5265

Download Submit
memory/2824-48192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48052-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-48195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-48194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-20358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-0-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download