Analysis

  • max time kernel
    125s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 03:43

General

  • Target

    2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    2a32d59033987e44506dbe9ab04d534c

  • SHA1

    1ba5b7c12547d2500820e03ab73097b097e305ad

  • SHA256

    ee77f0509aec326d0397600440f4d5e7f0b05de8aead2d6ed067a8a1b18cdfe3

  • SHA512

    044d05aca28d205cbaff381317b34a8d93a7846dcb2be31d74c370f7c55dacdfe1c17d264e9d33668588d836b7446e462be855cd48f3aa31cfd3111e58472233

  • SSDEEP

    49152:6ffy4NwrQoDE0uaXxl9LC2v2UZGglxh5ozMP4NQQOSr5k/I4XTZGfVuK:6ffyvuM9LCC2UfYz24NQdWC/IgT3K

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Kills process with taskkill (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (17 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\hahagame.exe
      C:\hahagame.exe /sp- /silent /norestart /verysilent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Users\Admin\AppData\Local\Temp\is-HIDV7.tmp\hahagame.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-HIDV7.tmp\hahagame.tmp" /SL5="$D0068,1630806,72704,C:\hahagame.exe" /sp- /silent /norestart /verysilent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3596
    • C:\game.exe
      C:\game.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3512
    • C:\maxthon.exe
      C:\maxthon.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\download.exe
        "C:\Users\Admin\AppData\Local\Temp\download.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\todeletetif.bat
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2872
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.hahayouxi.com/act/ConfigDownLoadList.html
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.hahayouxi.com/act/ConfigDownLoadList.html
            5⤵
            • Modifies Internet Explorer settings
            PID:2712
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /pid 4072
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2420
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /pid 0
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3672
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:5008
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:17416 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2244
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?tianji
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2884
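The process tree above, transcribed into records and run through a handful of triage rules, as an added example that is not part of the sandbox report. The PIDs, image paths and command lines are those shown in the tree and the parent links follow its nesting (the IE CREDAT children are reduced to one); the rule names, regular expressions and browser list are this example's own. The rules encode what stands out in the tree: executables dropped to and run from the drive root, Inno Setup silent-install flags (`/verysilent`, `/SL5=` and the `is-XXXXX.tmp` staging directory are Inno Setup conventions), `cmd.exe /c` on a batch file in `%TEMP%`, `taskkill` aimed at a sibling browser process, the `taskkill /f /pid 0` that can never succeed (PID 0 is the System Idle Process), and a browser started with a URL by something that is not itself a browser.

```python
"""Triage rules over a sandbox process tree (added example, not report code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2a32d59033987e44506dbe9ab04d534c_JaffaCakes118.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Transcribed from the report's Processes section (constructed data structure).
TREE = [
    Proc(1436, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(4488, 1436, r"C:\hahagame.exe", r"C:\hahagame.exe /sp- /silent /norestart /verysilent"),
    Proc(3596, 4488, TMP + r"\is-HIDV7.tmp\hahagame.tmp",
         f'"{TMP}\\is-HIDV7.tmp\\hahagame.tmp" /SL5="$D0068,1630806,72704,C:\\hahagame.exe" '
         "/sp- /silent /norestart /verysilent"),
    Proc(3512, 1436, r"C:\game.exe", r"C:\game.exe"),
    Proc(2568, 1436, r"C:\maxthon.exe", r"C:\maxthon.exe"),
    Proc(3688, 2568, TMP + r"\download.exe", f'"{TMP}\\download.exe"'),
    Proc(2872, 3688, r"C:\Windows\SysWOW64\cmd.exe",
         f"C:\\Windows\\system32\\cmd.exe /c {TMP}\\todeletetif.bat"),
    Proc(4072, 3688, IE32, f'"{IE32}" http://www.hahayouxi.com/act/ConfigDownLoadList.html'),
    Proc(2712, 4072, IE64, f'"{IE64}" http://www.hahayouxi.com/act/ConfigDownLoadList.html'),
    Proc(2420, 3688, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /pid 4072"),
    Proc(3672, 3688, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /pid 0"),
    Proc(1508, 1436, IE64, f'"{IE64}" http://www.jipinla.com'),
    Proc(5008, 1508, IE32, f'"{IE32}" SCODEF:1508 CREDAT:17410 /prefetch:2'),
    Proc(2576, 1436, IE64, f'"{IE64}" http://www.1234.la/an.htm?tianji'),
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)         # C:\name.exe, nothing deeper
INNO_SILENT = re.compile(r"\s/(?:verysilent|sl5=)", re.I)     # Inno Setup unattended flags
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.bat\b", re.I)
PID_ARG = re.compile(r"/pid\s+(\d+)", re.I)
URL_ARG = re.compile(r"https?://\S+", re.I)
RULES = ("drive_root_exe", "inno_silent_install", "temp_bat_via_cmd",
         "taskkill_sibling_browser", "taskkill_invalid_pid",
         "browser_to_url_from_nonbrowser")


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(tree, pid):
    """PIDs from the root of the tree down to `pid` (for reporting a hit's lineage)."""
    procs = {p.pid: p for p in tree}
    chain, cur = [], procs.get(pid)
    while cur is not None:
        chain.append(cur.pid)
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def run_rules(tree):
    """Return {rule: sorted PIDs that triggered it}; every rule is present, empty or not."""
    procs = {p.pid: p for p in tree}
    hits = {name: [] for name in RULES}
    for p in tree:
        parent = procs.get(p.ppid) if p.ppid is not None else None
        name = base(p.image)
        if ROOT_EXE.match(p.image):
            hits["drive_root_exe"].append(p.pid)
        if INNO_SILENT.search(p.cmdline):
            hits["inno_silent_install"].append(p.pid)
        if name == "cmd.exe" and TEMP_BAT.search(p.cmdline):
            hits["temp_bat_via_cmd"].append(p.pid)
        if name == "taskkill.exe":
            m = PID_ARG.search(p.cmdline)
            target = procs.get(int(m.group(1))) if m else None
            if m and int(m.group(1)) == 0:
                # PID 0 is the System Idle Process; taskkill cannot end it, so this
                # is a bug in the caller (an unset PID variable), worth noting anyway.
                hits["taskkill_invalid_pid"].append(p.pid)
            elif target and target.ppid == p.ppid and base(target.image) in BROWSERS:
                hits["taskkill_sibling_browser"].append(p.pid)
        if (name in BROWSERS and URL_ARG.search(p.cmdline)
                and parent is not None and base(parent.image) not in BROWSERS):
            hits["browser_to_url_from_nonbrowser"].append(p.pid)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for rule, pids in run_rules(TREE).items():
        print(f"{rule:32} {pids}")
    print("lineage of taskkill 2420:", ancestry(TREE, 2420))
```

The rules match on image path and command line only, which is what a sandbox tree (or a Sysmon event 1 stream) gives you; the sibling check for `taskkill` uses the parent link, so a browser killed by its own launcher's sibling is flagged while an operator closing a browser from another tree is not.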

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8QIYGRW7\wanwang.aliyun[1].xml

    Filesize

    13B

    MD5

    c1ddea3ef6bbef3e7060a1a9ad89e4c5

    SHA1

    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

    SHA256

    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

    SHA512

    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3E450467-863B-11EF-B9B6-4A034D48373C}.dat

    Filesize

    5KB

    MD5

    da0641d072b77009faec0e1fe318f237

    SHA1

    b8ee750bccf4fd131478145a9feb542d3737e079

    SHA256

    bc9823fe53056649c99e1fbebcec3b449528873792e69658475966d61960797c

    SHA512

    628731c02a46fe7487bfc192ec8bf6ae2d575996235ab180270eafd7ee8a1f2106c3239d4c1039223bf46579e4e69d5c3a33e8bf7f930c243a26e2e8ac7edd9b

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3E49C8AE-863B-11EF-B9B6-4A034D48373C}.dat

    Filesize

    4KB

    MD5

    5f52706bb2f36ec0d097563692472e7c

    SHA1

    8545affe664f381b67f0b640ead2ac941286f8ae

    SHA256

    a3122bb995632cafd6440cc4339d7567a7d5c96b81a817a693a66a345972e381

    SHA512

    5a3f721bf3bdbad4c7c29cbd26edd89e1565dd9c9e021cfc370b8a2d38be4e95499fdc08182319c4375f5cc96507ffc1a52b943fa4a03a28c5585ab76eca6163

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9BF.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GRYMSCZU\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\aut9164.tmp

    Filesize

    1.8MB

    MD5

    0b80274947513ef334429c0c666b3c53

    SHA1

    eb8f8ea8b3dc913c361adcfa4f790935083c4bf9

    SHA256

    4e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be

    SHA512

    07ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213

  • C:\Users\Admin\AppData\Local\Temp\download.exe

    Filesize

    44KB

    MD5

    1e61219ddacbfc81d6459142ce054085

    SHA1

    230216b0deca51883c62c3735a11191c6fa94887

    SHA256

    f3deeafe0b5b9828c118f67d7f89f7da0d41b0189025998b28f6d63f51507774

    SHA512

    3ad181a849f7344094a0cdff71d54338318bd3440ff2c0bde6c1d158ca954b273b1f6388b54044b5d92d9cec7c8b3e260de94f0a5ac80136ba17d2bd2c5b960d

  • C:\Users\Admin\AppData\Local\Temp\is-HIDV7.tmp\hahagame.tmp

    Filesize

    682KB

    MD5

    d0699dfc3ff2c8980f167c7ab586dfcc

    SHA1

    c3f4aa0a542c01a0251782e48b313cbb7c5941a7

    SHA256

    52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

    SHA512

    ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

  • C:\Users\Admin\AppData\Local\Temp\todeletetif.bat

    Filesize

    95B

    MD5

    cd490fc0b8299edb479fe88c9245808a

    SHA1

    63ef98f15756c129ac1977864c845d90c427881b

    SHA256

    30baa4c3ad9a57399678728d9cfd8fb2456005b794e45df84383c115e357e0d6

    SHA512

    efd2077ad9b62ff946f9943d435c12a07e598a074026c0ba3e50db1f96aae6fa484d10c3048bd91855bbd7b7cf6c439082678709eec0d5a8012e4c3fca7faf38

  • C:\Users\Admin\Favorites\ÂÌÉ«µ¼º½.url

    Filesize

    192B

    MD5

    33a5aee5a69c397ad77983a0602a3ddf

    SHA1

    89e7d9644da6f1720a5f53309919275b112e2107

    SHA256

    24a22458397e71142c529c01146d5d3c46b75eac8f40dd7e3360436e909f00b6

    SHA512

    d5881679ab675f3f052f157e9a22d962cb2a0f9baa132b1c05689e7ea835541c19a7b207733891c08cf69cf9b9e8ceb9d5c8a5ffa7795dcba8229c0b07e4fb72

  • C:\game.exe

    Filesize

    111KB

    MD5

    38ce47aaacb8f1cb7169bda66f62298d

    SHA1

    8571d7e86810e0a17ae7d73c6ed4e7027a62359c

    SHA256

    d83e27fca97e80ed4842fa7a9b73fb63ba5cf0a1f959dd39a966398319c243c2

    SHA512

    83e44f4071cb983da68f4adb97db182a60f9347a8c8a5e6d339f5d78d4e53981f7bcdb57a49bf421ab8300a72b316a24b3e0b291f3f64384f8a71fc7b0496dca

  • C:\maxthon.exe

    Filesize

    159KB

    MD5

    7bce9c46da8425ef61167f87e69cb53f

    SHA1

    7eaebc37924cfd6f166549aaaf063985017cce62

    SHA256

    1ad7a77aae1cf61a4d72cb381310d6222b46d94707372a3a5dfe03923c2971a7

    SHA512

    8ac9315b32654d77f675931ff257cb631a1bca7b4b905b12f1e4490c6b053f96d4989740e5e9631de2f027df51871a8dca5d506d8ca0e3e1faa3060b2ae76783

  • memory/2568-56-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3512-38-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3596-96-0x0000000000400000-0x00000000004B9000-memory.dmp

    Filesize

    740KB

  • memory/3596-82-0x0000000000400000-0x00000000004B9000-memory.dmp

    Filesize

    740KB

  • memory/4488-97-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/4488-81-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/4488-29-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/4488-25-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
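The Downloads list above, as an added example that is not part of the sandbox report: a parser that turns the entries into IOC records, checks that each hash field has the length and alphabet of its algorithm, separates memory dumps (which carry no hashes) from dropped files, and recovers the intended name of the Favorites shortcut. The report shows that name as `ÂÌÉ«µ¼º½.url` because the sample wrote a GBK byte string through the ANSI file API on an en-US (cp1252) system; re-encoding the displayed name as cp1252 and decoding it as GBK gives 绿色导航 ("green navigation"). `SAMPLE` is a constructed excerpt of the list, the function names are this example's own, and GBK as the source code page is an assumption, chosen because it yields a meaningful name.

```python
"""IOC extraction from a sandbox 'Downloads' block (added example, not report code)."""
import re

# Constructed excerpt of the report's Downloads section (three of the entries).
SAMPLE = r"""
  • C:\Users\Admin\AppData\Local\Temp\download.exe

    Filesize

    44KB

    MD5

    1e61219ddacbfc81d6459142ce054085

    SHA1

    230216b0deca51883c62c3735a11191c6fa94887

    SHA256

    f3deeafe0b5b9828c118f67d7f89f7da0d41b0189025998b28f6d63f51507774

  • C:\Users\Admin\Favorites\ÂÌÉ«µ¼º½.url

    Filesize

    192B

    MD5

    33a5aee5a69c397ad77983a0602a3ddf

  • memory/2568-56-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB
"""

BULLET = "•"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_downloads(text):
    """Each bullet starts a record; the lines after it alternate label, value."""
    records, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BULLET):
            path = line[len(BULLET):].strip()
            current = {"path": path,
                       "kind": "memory" if path.startswith("memory/") else "file"}
            records.append(current)
            label = None
        elif current is None:
            continue                      # text before the first bullet
        elif label is None:
            label = line                  # "Filesize", "MD5", ...
        else:
            current[label] = line
            label = None
    return records


def parse_size(text):
    """'44KB' -> 45056. The report rounds sizes, so treat the result as approximate."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def validate_hashes(records):
    """(path, algo, value) for every hash field of the wrong length or alphabet."""
    problems = []
    for r in records:
        for algo, length in HASH_LEN.items():
            value = r.get(algo)
            if value is not None and (len(value) != length or not HEX.match(value)):
                problems.append((r["path"], algo, value))
    return problems


def ioc_hashes(records, algo="SHA256"):
    """Sorted, de-duplicated hashes of dropped files (memory dumps have none)."""
    return sorted({r[algo] for r in records if r["kind"] == "file" and algo in r})


def recover_ansi_name(name, ansi="cp1252", original="gbk"):
    """Undo mojibake from a GBK name written on a cp1252 system (assumed code pages).
    Returns None when the displayed characters cannot come from that pair."""
    try:
        return name.encode(ansi).decode(original)
    except UnicodeError:
        return None


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    print("bad hash fields:", validate_hashes(recs))
    print("MD5 IOCs:", ioc_hashes(recs, "MD5"))
    for r in recs:
        if r["kind"] == "file":
            print(r["path"], "->", recover_ansi_name(r["path"].rsplit("\\", 1)[-1]))
```

Match on the hashes, not the sizes: the report's sizes are rounded display values. The code page recovery is reliable here because every byte in the shortcut name lies in 0xA0-0xFF, where cp1252 and Latin-1 agree; a name that used bytes in 0x80-0x9F could hit the five positions cp1252 leaves undefined, which is why the helper returns `None` instead of guessing.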