Overview

overview

7

Static

static

3

2952565af3...18.exe

windows7-x64

7

2952565af3...18.exe

windows10-2004-x64

7

$0/queryscan.dll

windows7-x64

1

$0/queryscan.dll

windows10-2004-x64

1

$0/queryscan.exe

windows7-x64

3

$0/queryscan.exe

windows10-2004-x64

3

$0/uninstall.exe

windows7-x64

7

$0/uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 02:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2952565af33a0cb6a73ba71ac682af7b_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    2952565af33a0cb6a73ba71ac682af7b

  • SHA1

    00d86920186b966ecdc9af702f92fc18954cd1d9

  • SHA256

    742f5cf6c1a88e32ee398e3523a57cce43046c2e056546a055516fe53a9cdb5b

  • SHA512

    d58015ff7a83bea56b0bc8b9189fe9ebd5dbf8ac1e8cb125eb570fd9b131b9d2c8dff9e10918bde4fd41daeb5eb04b2b936d58ccf868c437e4a6a77c20e5fad0

  • SSDEEP

    12288:pCldMgQ//KsoLGO/nHokkiMew+AWTVhJEKA0RC66pa3kRelbh8hpEbIzjA:pX//KsyGO/Iklxbr+X0RX8UkIGxs

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 1 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2952565af33a0cb6a73ba71ac682af7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2952565af33a0cb6a73ba71ac682af7b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.exe
      "C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.exe" "C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.dll" 645235459
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4676
    • C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.exe
      "C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.exe" "C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.dll" idifunofo " " gudotocab
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:2972
  • C:\ProgramData\QueryScan\queryscan142.exe
    "C:\ProgramData\QueryScan\queryscan142.exe" "C:\Program Files (x86)\QueryScan\queryscan.dll" ovekisap nujigupu
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Program Files (x86)\QueryScan\queryscan.exe
      "C:\Program Files (x86)\QueryScan\queryscan.exe" "C:\Program Files (x86)\QueryScan\queryscan.dll" tocaburoja woxasekeh
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2968

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsp92EB.tmp\InstallOptions.dll
          Filesize

          13KB

          MD5

          d765c492c21689e3d9d61634371fd861

          SHA1

          ac200933671ae52c9d5544d0e2e8e9144d286c83

          SHA256

          551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

          SHA512

          9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsp92EB.tmp\System.dll
          Filesize

          10KB

          MD5

          fe24766ba314f620d57d0cf7339103c0

          SHA1

          8641545f03f03ff07485d6ec4d7b41cbb898c269

          SHA256

          802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

          SHA512

          60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsp92EB.tmp\ioSpecial.ini
          Filesize

          612B

          MD5

          dc2307a01631b598a79a8855ddf8cbb6

          SHA1

          9c5f22916b18f0fc0d954d1cf0dc9c348bd5072c

          SHA256

          fafeb5093f3d9d5ec777bad34d57e9fe01bc4c64122dd7b8ab9d7388bc421790

          SHA512

          6e22c6c59a04b08c7e21cee36897c39363798a7ecbe9810b2ce26e3b002506ac7881f8b6e1d6d37afbcbc6e31d7c44a5ceae12b57ddbcbc2ff5a9dc234683713

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsp92EB.tmp\ioSpecial.ini
          Filesize

          612B

          MD5

          ac29b1c93e847c4ef967ab4083dd9ac0

          SHA1

          4ca5f486984b4a3b315d549e93ea4df80dada665

          SHA256

          4fbdd1fccd58cc4149072371664005c75f7d9fd096cf1a28446688c820ed1e4c

          SHA512

          9b45fd2bffc564a31e3e7bde9589aead754b4a2bf187bddfe4484579a5f2b64882e9b15e265cde81faf29c1c19a21c6b368f9dc2717b2b9c2936e863f75dfd8e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsp92EB.tmp\ioSpecial.ini
          Filesize

          750B

          MD5

          cb1304ba6ebced4ae3ca0bbb623721de

          SHA1

          84b0401f0b02215e0f23137a3f97032f840331a1

          SHA256

          b49b5d354387eae5cb0cf9293deade20ed61d6c64f4df00eaa4e8b316ebb8487

          SHA512

          d88a1098e23992661adf42afe676ccc3ff637b0b863bcc438e4b301b1139d4c5ddb6b8fe62facfcc1fb9a0b27cee703df94f1b03753e5c3b2acdde5d8f0a1e33

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.dll
          Filesize

          576KB

          MD5

          d37dfa156393bc963135204ca258d9bc

          SHA1

          0c1da26fb8872ac431f3eecb2f08f0b4a894f697

          SHA256

          7f0b8cab7bd5a65566f512f0b9d62668a0c5ef11adb3029f43a1911a2f7909a5

          SHA512

          73989a91e7380c6a7ecdedc0f24888894c60fc16d30244eeecd862b92568e71118305da6c9f2357cbc7f6bd5bda2211a1cca17e4f4ae8b2465628a3d810861fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\queryscan.exe
          Filesize

          25KB

          MD5

          d9e855c7182e25f5c9d8f234234c8787

          SHA1

          c1bded1b95cd50f2292f3b21e8ca9123bc798edc

          SHA256

          6ccd36338173ace5eb07a6bb97620d9c5ab1222363b33a924b273a4e7f631fd3

          SHA512

          0471715589e4730f6eee9e20356ed3da2e30405956cab4839fa6aa0f084366d156639c4fc6c1e6a4fa17cff678c1411dd1f4e951bf02e41733650f406131d933

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsuC5D3.tmp\uninstall.exe
          Filesize

          78KB

          MD5

          bb6e99a6101293b86ba5478b1d1e1193

          SHA1

          e7766fad214954ef27a14144b6fb769362701555

          SHA256

          44625efb63fb453277c586f78c3926bad2e33719f26319d13ba88c606a195a8e

          SHA512

          e8fc516539a103e7f336f166a8ae1e7711ec4f4b58f4c878a0db1872f67c91769b1025cc823faab0d4149971bbe5598411579841698bd902d5156f71002e4e2a

          Download Submit

        • memory/808-107-0x0000000000640000-0x00000000006C6000-memory.dmp

          Filesize

          536KB

          Download

        • memory/2588-204-0x0000000005850000-0x00000000058E1000-memory.dmp

          Filesize

          580KB

          Download

        • memory/2588-205-0x00000000058F0000-0x0000000005976000-memory.dmp

          Filesize

          536KB

          Download

        • memory/2968-195-0x00000000004E0000-0x0000000000566000-memory.dmp

          Filesize

          536KB

          Download

        • memory/2972-96-0x00000000006E0000-0x0000000000766000-memory.dmp

          Filesize

          536KB

          Download