Overview

overview

7

Static

static

3

2952565af3...18.exe

windows7-x64

7

2952565af3...18.exe

windows10-2004-x64

7

$0/queryscan.dll

windows7-x64

1

$0/queryscan.dll

windows10-2004-x64

1

$0/queryscan.exe

windows7-x64

3

$0/queryscan.exe

windows10-2004-x64

3

$0/uninstall.exe

windows7-x64

7

$0/uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2024 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2952565af33a0cb6a73ba71ac682af7b_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    2952565af33a0cb6a73ba71ac682af7b

  • SHA1

    00d86920186b966ecdc9af702f92fc18954cd1d9

  • SHA256

    742f5cf6c1a88e32ee398e3523a57cce43046c2e056546a055516fe53a9cdb5b

  • SHA512

    d58015ff7a83bea56b0bc8b9189fe9ebd5dbf8ac1e8cb125eb570fd9b131b9d2c8dff9e10918bde4fd41daeb5eb04b2b936d58ccf868c437e4a6a77c20e5fad0

  • SSDEEP

    12288:pCldMgQ//KsoLGO/nHokkiMew+AWTVhJEKA0RC66pa3kRelbh8hpEbIzjA:pX//KsyGO/Iklxbr+X0RX8UkIGxs

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 1 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2952565af33a0cb6a73ba71ac682af7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2952565af33a0cb6a73ba71ac682af7b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.exe
      "C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.exe" "C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.dll" 645235459
      2⤵
      • Executes dropped EXE
      PID:2452
    • C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.exe
      "C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.exe" "C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.dll" idifunofo " " gudotocab
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:3012
  • C:\ProgramData\QueryScan\queryscan142.exe
    "C:\ProgramData\QueryScan\queryscan142.exe" "C:\Program Files (x86)\QueryScan\queryscan.dll" ovekisap nujigupu
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Program Files (x86)\QueryScan\queryscan.exe
      "C:\Program Files (x86)\QueryScan\queryscan.exe" "C:\Program Files (x86)\QueryScan\queryscan.dll" tocaburoja woxasekeh
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsj781F.tmp\ioSpecial.ini
    Filesize

    612B

    MD5

    e78ea1c368e193e4dabbe7537b9fe5ca

    SHA1

    d32a426df6267a117dacccb007a9a0d2ca8e1b57

    SHA256

    cfa4b50134b586734aa656ecda06deeb8ea3e70359d3d2b21e6344157bdb8969

    SHA512

    27134501594584b34362c367865dfe091e753a74a5548e0384f87fd03b3b3ce4fc9c8a22c73c2928eaeccad2641cc01c50af6312d9861bafed3aaba4e38fab25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsj781F.tmp\ioSpecial.ini
    Filesize

    750B

    MD5

    ed444fe1391075ab21123dc551d7ecad

    SHA1

    6592867a06875ba401ef2e41704122285f2b9718

    SHA256

    a1ca8bd21aba8d232c46afbf7e533246f7d13bbaa73435b7836ec8e8db446648

    SHA512

    bfc7fa313dd9f0ed4408e983ac1fe7ae466366d286b204d68a653338e6b942be08a00e1e27135aca79a70d9500eea8444fa6c60b2d31b7fcf021181a0822320d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.dll
    Filesize

    576KB

    MD5

    d37dfa156393bc963135204ca258d9bc

    SHA1

    0c1da26fb8872ac431f3eecb2f08f0b4a894f697

    SHA256

    7f0b8cab7bd5a65566f512f0b9d62668a0c5ef11adb3029f43a1911a2f7909a5

    SHA512

    73989a91e7380c6a7ecdedc0f24888894c60fc16d30244eeecd862b92568e71118305da6c9f2357cbc7f6bd5bda2211a1cca17e4f4ae8b2465628a3d810861fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.dll
    Filesize

    576KB

    MD5

    44870576e69024e79a2dddc9afe0d2ce

    SHA1

    ab20f8bb36340611dc5f94f5d309cbb47b8a5cc7

    SHA256

    e1b671e2ba6091f973fc63aec6d75a5afbdaf61c1a4280ec7fa24a20fc479e18

    SHA512

    5cd9d58a6ac83830bc39fdaf6f0e46b3685adb5c62506b835610786b3b574fc8bbe4f06d9507af4d300d228fa05fea1122b69cfd2b9a5abb42f855ce6e0d618a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\uninstall.exe
    Filesize

    78KB

    MD5

    bb6e99a6101293b86ba5478b1d1e1193

    SHA1

    e7766fad214954ef27a14144b6fb769362701555

    SHA256

    44625efb63fb453277c586f78c3926bad2e33719f26319d13ba88c606a195a8e

    SHA512

    e8fc516539a103e7f336f166a8ae1e7711ec4f4b58f4c878a0db1872f67c91769b1025cc823faab0d4149971bbe5598411579841698bd902d5156f71002e4e2a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj781F.tmp\InstallOptions.dll
    Filesize

    13KB

    MD5

    d765c492c21689e3d9d61634371fd861

    SHA1

    ac200933671ae52c9d5544d0e2e8e9144d286c83

    SHA256

    551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

    SHA512

    9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj781F.tmp\System.dll
    Filesize

    10KB

    MD5

    fe24766ba314f620d57d0cf7339103c0

    SHA1

    8641545f03f03ff07485d6ec4d7b41cbb898c269

    SHA256

    802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

    SHA512

    60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjAC3A.tmp\queryscan.exe
    Filesize

    25KB

    MD5

    d9e855c7182e25f5c9d8f234234c8787

    SHA1

    c1bded1b95cd50f2292f3b21e8ca9123bc798edc

    SHA256

    6ccd36338173ace5eb07a6bb97620d9c5ab1222363b33a924b273a4e7f631fd3

    SHA512

    0471715589e4730f6eee9e20356ed3da2e30405956cab4839fa6aa0f084366d156639c4fc6c1e6a4fa17cff678c1411dd1f4e951bf02e41733650f406131d933

    Download Submit

  • memory/1292-209-0x0000000000410000-0x0000000000496000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1992-217-0x00000000045A0000-0x0000000004631000-memory.dmp

    Filesize

    580KB

    Download

  • memory/1992-218-0x0000000004640000-0x00000000046C6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2940-120-0x0000000000310000-0x0000000000396000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3012-109-0x0000000000220000-0x00000000002A6000-memory.dmp

    Filesize

    536KB

    Download