b34a8059ccfb8afde153b3bf8795809a760f1756e8227672c79b1a82b270952c

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 04:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe
Size

3.0MB
MD5

2a79d784829c4e2727bf41e9054f9612
SHA1

afa55d114e6bf18f55bdcb08c92232b08f971416
SHA256

b34a8059ccfb8afde153b3bf8795809a760f1756e8227672c79b1a82b270952c
SHA512

a3c3989421d7ef7bf45defc0a917f56370169b81eccaf1ca8772358f90a74e3cb5f2ca3734a31142d5fb5d0675fc539f2cd68148a621ffd4d90ef0ed6bc6cfe4
SSDEEP

49152:ygCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/lS:nCPSpED/ppLh3ScE4X0ypED/p2

Score

7^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2540	jiedian.exe
2764	irsetup.exe
2176	lasse.exe
2184	DragonBox.exe

Loads dropped DLL 15 IoCs

pid	Process
1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe
2540	jiedian.exe
2540	jiedian.exe
2540	jiedian.exe
2540	jiedian.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2764	irsetup.exe
2184	DragonBox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DragonBox = "C:\\Program Files (x86)\\DragonBox\\DragonBox.exe -autorun"	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DragonBox.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\doload.text	lasse.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\inst.ini	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\selfUpdate.exe	lasse.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\update.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\spsrv.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\update.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\spsrv.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpfomr.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\tmpfomr.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\update.exe	lasse.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019401-10.dat	upx
behavioral1/memory/2540-13-0x0000000002BF0000-0x0000000002D71000-memory.dmp	upx
behavioral1/memory/2764-24-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/memory/2764-123-0x00000000003F0000-0x0000000000400000-memory.dmp	upx
behavioral1/memory/2764-149-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uniC9E.tmp	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uniC9E.tmp	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\resdata.db-journal	DragonBox.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\skins\PixOS.ssk	DragonBox.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\uninstall.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG2.JPG	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\resdata.db	DragonBox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiedian.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	DragonBox.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	lasse.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2184	DragonBox.exe
2184	DragonBox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2184	DragonBox.exe
2184	DragonBox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe
2764	irsetup.exe
2764	irsetup.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe
2184	DragonBox.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2540	1596	2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2540 wrote to memory of 2764	2540	jiedian.exe	31
PID 2764 wrote to memory of 2184	2764	irsetup.exe	34
PID 2764 wrote to memory of 2184	2764	irsetup.exe	34
PID 2764 wrote to memory of 2184	2764	irsetup.exe	34
PID 2764 wrote to memory of 2184	2764	irsetup.exe	34

C:\Users\Admin\AppData\Local\Temp\2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a79d784829c4e2727bf41e9054f9612_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\jiedian.exe
  "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-3290804112-2823094203-3137964600-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files (x86)\DragonBox\DragonBox.exe
      "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2184

C:\ProgramData\Megic\lasse.exe
C:\ProgramData\Megic\lasse.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll

Filesize
1.3MB

MD5
73edb6d203e0230b2ab4e4da57dd6bee

SHA1
4a71903b57abd639425394340d1a6067da760f0a

SHA256
a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

SHA512
2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
4KB

MD5
efde21a13903f361a7173ab3bf4d3432

SHA1
bab730f893c2c4a3c9bde80bb8bed4b0868492df

SHA256
ae5f7b585e3578bb1b54c5c5fab8655da6f8abe6086a1a5c28d6a84a11c2a136

SHA512
8022f415bcbce1b94faf35dbffc65587c7c4154eaf0525c08b992eea2244fd80c2a62b0dc4cafccf38cef4392c0aea6969a8da283c9154969981d8f2d9f7b6ce

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
4KB

MD5
6995801cfb8b644e2a4ed35fce80ac85

SHA1
41d18d775e6abde28ae2639ce1739970d42c100e

SHA256
b17401a194f2b8af5064909c504d8de0b3d23b8bdaf26cb0eb02d80055b4fc78

SHA512
ea05d249ae18af7dfbe21b27c94c6bb4f027327d635a842e82e803dc7886f99c7d631f1cb00961208651e7da67c26a6e90b579c7ee561389b3519d6d012b03d9

Download Submit
C:\Program Files (x86)\DragonBox\gametypebak.json

Filesize
21KB

MD5
242aec89243b0957523287ae5d18b9b8

SHA1
9d54d2b8bf3d52d927fd89b172621d496b5f83e6

SHA256
e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

SHA512
a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
042bc14b5ec4a59244ac348812dc2e8a

SHA1
7adb7489f0971dfedf5fd7928bde722245c1f3f9

SHA256
20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

SHA512
4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
0c8197485fc42ac984d0984cb90e641c

SHA1
e3c7f68aa23561c89b2156e1e5efd07f04e0cd22

SHA256
3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d

SHA512
15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

Download Submit
C:\Program Files (x86)\DragonBox\version.ini

Filesize
53B

MD5
1b38736d6e54c9b3b78807bbca68f348

SHA1
0cc44962449b1f54e1d2f606584ce513dc088cf6

SHA256
013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

SHA512
32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

Download Submit
C:\ProgramData\Megic\lasse.exe

Filesize
248KB

MD5
ecf79310b8a51b2a472689619d42a42c

SHA1
36e328fccda8f2f3d926e472d968072a9c732c0f

SHA256
6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

SHA512
321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\DragonBox.exe

Filesize
1.5MB

MD5
cbb2db2566dde5e2b9c6a636471ffa23

SHA1
38704738c646a9afa729cefd31ca0c8f28a9f54c

SHA256
4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

SHA512
572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Users\Admin\AppData\Local\Temp\jiedian.exe

Filesize
2.9MB

MD5
1641766934172d4ef320103147ba77f3

SHA1
8562b7fb3cad46e555bcfacfc14ad2924971955e

SHA256
dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

SHA512
ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

Download Submit
memory/2540-22-0x0000000002BF0000-0x0000000002D71000-memory.dmp

Filesize
1.5MB

Download
memory/2540-13-0x0000000002BF0000-0x0000000002D71000-memory.dmp

Filesize
1.5MB

Download
memory/2764-123-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2764-24-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2764-149-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download