a6eade40d178183a1119a3ef17c47fb2877efd9390e49076906c6b348c137232

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe
Size

3.0MB
MD5

3859f2ffd142b834cc60e510494be7bf
SHA1

24f3372136c25beff4959464bf97412c2f2b9031
SHA256

a6eade40d178183a1119a3ef17c47fb2877efd9390e49076906c6b348c137232
SHA512

b762dedb616cfb00bcecef8b2c149f4677e32383af9228975c00f77c3b5e9a91b69c5c367303b7fd9041eb6b459c2d330466c60813bdfdc442551909084850fa
SSDEEP

49152:SgCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/l+:HCPSpED/ppLh3ScE4X0ypED/pq

Score

7^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2524	jiedian.exe
2344	irsetup.exe
1988	lasse.exe
2920	DragonBox.exe

Loads dropped DLL 15 IoCs

pid	Process
2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe
2524	jiedian.exe
2524	jiedian.exe
2524	jiedian.exe
2524	jiedian.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2920	DragonBox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DragonBox = "C:\\Program Files (x86)\\DragonBox\\DragonBox.exe -autorun"	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DragonBox.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\doload.text	lasse.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000173f3-10.dat	upx
behavioral1/memory/2524-13-0x0000000002670000-0x00000000027F1000-memory.dmp	upx
behavioral1/memory/2344-148-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DragonBox\uninstall.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uniBD85.tmp	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\resdata.db-journal	DragonBox.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\resdata.db	DragonBox.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uniBD85.tmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG2.JPG	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\skins\PixOS.ssk	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiedian.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonBox.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	DragonBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	DragonBox.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	DragonBox.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2920	DragonBox.exe
2920	DragonBox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2920	DragonBox.exe
2920	DragonBox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe
2344	irsetup.exe
2344	irsetup.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe
2920	DragonBox.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2524	2960	3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2524 wrote to memory of 2344	2524	jiedian.exe	31
PID 2344 wrote to memory of 2920	2344	irsetup.exe	36
PID 2344 wrote to memory of 2920	2344	irsetup.exe	36
PID 2344 wrote to memory of 2920	2344	irsetup.exe	36
PID 2344 wrote to memory of 2920	2344	irsetup.exe	36

C:\Users\Admin\AppData\Local\Temp\3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3859f2ffd142b834cc60e510494be7bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\jiedian.exe
  "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-1488793075-819845221-1497111674-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Program Files (x86)\DragonBox\DragonBox.exe
      "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2920

C:\ProgramData\Megic\lasse.exe
C:\ProgramData\Megic\lasse.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll

Filesize
1.3MB

MD5
73edb6d203e0230b2ab4e4da57dd6bee

SHA1
4a71903b57abd639425394340d1a6067da760f0a

SHA256
a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

SHA512
2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
4KB

MD5
a911142b6fd39a11dc09b3ae25f60148

SHA1
b8d1d80b7167f4a1f503e0d19f1ba58f8729c7ab

SHA256
03b25749756b5ce02945618f8acf60c564cb88b89b08abfd2ccef4a8720f3698

SHA512
eea68ef77057aad8731601106235183005f07c63dc8ad464169c912dc65e086df72b079e010a08ed79cc1812aff2ed0468359e2368024bd24190865e3bcb7643

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
10KB

MD5
7c77ad831723c30bef151d7d163b2cd5

SHA1
e164183557a1022dc8870ca30b5d32061a3e33e7

SHA256
99d79e6b69ba770a7a8bb1f422d26024b1bc4bddb5c4cf451d7d78a311a8418f

SHA512
5ba105be0486dd348b4669f6c9de871c6caa84a80a011643f55ff55f5cb72f59da320c868d6c5fd2babb038ed18fb06457b4688bbfd6b1c60377af41386fe339

Download Submit
C:\Program Files (x86)\DragonBox\gametypebak.json

Filesize
21KB

MD5
242aec89243b0957523287ae5d18b9b8

SHA1
9d54d2b8bf3d52d927fd89b172621d496b5f83e6

SHA256
e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

SHA512
a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
042bc14b5ec4a59244ac348812dc2e8a

SHA1
7adb7489f0971dfedf5fd7928bde722245c1f3f9

SHA256
20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

SHA512
4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
0c8197485fc42ac984d0984cb90e641c

SHA1
e3c7f68aa23561c89b2156e1e5efd07f04e0cd22

SHA256
3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d

SHA512
15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

Download Submit
C:\Program Files (x86)\DragonBox\version.ini

Filesize
53B

MD5
1b38736d6e54c9b3b78807bbca68f348

SHA1
0cc44962449b1f54e1d2f606584ce513dc088cf6

SHA256
013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

SHA512
32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

Download Submit
C:\ProgramData\Megic\lasse.exe

Filesize
248KB

MD5
ecf79310b8a51b2a472689619d42a42c

SHA1
36e328fccda8f2f3d926e472d968072a9c732c0f

SHA256
6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

SHA512
321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\DragonBox.exe

Filesize
1.5MB

MD5
cbb2db2566dde5e2b9c6a636471ffa23

SHA1
38704738c646a9afa729cefd31ca0c8f28a9f54c

SHA256
4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

SHA512
572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Users\Admin\AppData\Local\Temp\jiedian.exe

Filesize
2.9MB

MD5
1641766934172d4ef320103147ba77f3

SHA1
8562b7fb3cad46e555bcfacfc14ad2924971955e

SHA256
dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

SHA512
ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

Download Submit
memory/2344-130-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2344-148-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2524-22-0x0000000002670000-0x00000000027F1000-memory.dmp

Filesize
1.5MB

Download
memory/2524-13-0x0000000002670000-0x00000000027F1000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads