Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 01:02

General

  • Target

    5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe

  • Size

    3.4MB

  • MD5

    5003c5673c08278f3d95eddd000a9864

  • SHA1

    5aae74fa3173d72bed756d77620cc2c57df2d20e

  • SHA256

    6b7adbf5d4477933d39c9c9c2cac7e67a0bed10882ed02fffc6f3316829a9903

  • SHA512

    2a2f19b5ad6a40d278f6399ce932067f61cbf5f567b2392217fe7cd88d08c2b2a3eb2159e09ca52cb11e7d3a251477bbce6a12487547e16fd02364d15b424239

  • SSDEEP

    98304:5yJk3T4OuYGaWU2FG98z3DbVEke/B02O60e:5y04OZRWU2FG+Bte5pOA

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 38 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 61 IoCs
  • Suspicious use of SendNotifyMessage 61 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5003c5673c08278f3d95eddd000a9864_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp" /SL5="$6021C,737659,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2300
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Program Files (x86)\HaoZip\HaoZipLoader.exe
        "C:\Program Files (x86)\HaoZip\HaoZipLoader.exe" -install01
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2700
      • C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe
        "C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe" -install
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2372

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\HaoZip\HaoZip.chm

          Filesize

          169KB

          MD5

          c111d2770455449f129128b88f2f5206

          SHA1

          8b51f7261ef355270b4a6e76eeb616af1e0447ea

          SHA256

          a283661a8652195db9c371579189c9359092e900b925393d265a4f5b232e118c

          SHA512

          e6acd7df4646d4e44d7bae560493b4132272907b6b12600807dfb8f1defc37ab9a177b7887f29d580eee841850987e8f681f24714f91b82ac6851531828e688c

        • C:\Program Files (x86)\HaoZip\HaoZip.exe

          Filesize

          1.8MB

          MD5

          97efade40e113454d7f51634e67a4c24

          SHA1

          b26372620aafea7208d462a2afe52f6ed1b5c55a

          SHA256

          c33464aa06906ad2f17f97f39b30d27552a62d1b93b7a84eef6b4d2d23bc8669

          SHA512

          6c15bf5d634183cc5fafa7e80ab3d3ab69b87be9c0ccc0dd40b1367695478264c5f57eacd8aaf87cdca88d204c7cce8a4546febdfcd27c264b581af9b82b98a7

        • C:\Program Files (x86)\HaoZip\HaoZipExt.dll

          Filesize

          172KB

          MD5

          52f02e82c21a85e7476ee6db6d76d786

          SHA1

          e7fbdbec5e735cfcbaa89e98d7bcab6ce73b0b0c

          SHA256

          8dcd8cba677436bd0dc3d44e8ba6ae7b75b15d602881d596b17690f7c4c0e2b6

          SHA512

          4d1c7d95610f21f36b9ffb1db3004f5e0fef48e89f3b22e50283da85510343d54e7efdfce8f218555d28efc429a734b0f064ac17d5b8c73d4734e1ca6ba42f70

        • C:\Program Files (x86)\HaoZip\HaoZipShell.dll

          Filesize

          115KB

          MD5

          e58565d563b57d23cabf53ab07dd1a48

          SHA1

          47875e0b3399eb6bbac4d6d8d7ee7dd449aa0b09

          SHA256

          ac0b28a399cec5081349cb1ab36b76cb7e0705a51ed14e4029b63ce7e63181b0

          SHA512

          69aa599a6e9830a2264abb34566181789eb6b3980f938c58d94f3da460765c854ce5e4c99b49aa4a2fa372e6360154839a391a9adc5ac31635315e16c4131c22

        • C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

          Filesize

          219KB

          MD5

          fc274b9bbccb119040b4c98d06dd2f94

          SHA1

          38ada3cdece1a3aa33167b51c4e5383fd34bc513

          SHA256

          dc37c5698510265763c654a89d06c0e37d0a603054a9d7a0281b3c819acd1d77

          SHA512

          20d455cf419ec5e89d9a51e20a65c28c19bc3641f821c76ab6a1e4a494195b24f462014852906a11f4719f4c64f0de717a1198ecc4c26ae740d243e56580114d

        • C:\Program Files (x86)\HaoZip\HaoZipVersion.dll

          Filesize

          8KB

          MD5

          d2fa876bdc048d986c6568c84a685f25

          SHA1

          cf04df82ac26d87b65b420c6b33e8e56c312d791

          SHA256

          68cf8ab20ea5ffe0f550c0b9dd3630ee450287c528345b213f25a2a1174deb97

          SHA512

          eac6e35218def092248cb7b2f3b1308e16497d66a20f0e158abc0ba45c01b882a100fc09ac629777bb7a2500a76c83a2e4eaa79a9c163c586a50913bee00a8f7

        • C:\Program Files (x86)\HaoZip\Uninstall.exe

          Filesize

          80KB

          MD5

          1baa91ee2d5ffbc0cd490413eabc2f11

          SHA1

          4f78183dd73428c805a82975c63072d29ba1f62e

          SHA256

          0c5ef5708d08d889e3fed130522c7476373357d627400fdb7082a4f16275abd8

          SHA512

          84eed54ce82aaa879b2a86b5a7c5648dfe834377c19017ba6b34829aa284641634af625a3bf75eaec41f7942136776ec1ddf55961e16920531339c53120b29ad

        • C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini

          Filesize

          37B

          MD5

          0e5d62bbebb35ca5bcac5a8563a799b2

          SHA1

          271ccec941e18321739d1794578586a149e6ccd2

          SHA256

          deac5c066a7d8d7a8af6c05dee5217e44fcbe34f6fafd9ea30390af5d6bb1537

          SHA512

          e1d4e982f6b8b2d0c089b58b2f25d644582bfd58b66892421f095db87884b9efedce7f5dfcfd9825e832f57228a6fc3d8e9dd797ae4414c3daf43dcdf97bfcf9

        • C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll

          Filesize

          334KB

          MD5

          04919aa4ecfa8aacbf1d6383ee4d92f0

          SHA1

          1b3e08b6dbd72bb11afe6475b0a9caa5b173f218

          SHA256

          6a8af8509fa93a42d5fe3eeb871f916e20f28f96a3c2aabcf9d8938366edf94d

          SHA512

          268a01f622f5105878da331fa93f64f1f43e7e1b099d49f10b7d631bf6d56f28c8d05e960b2551fb09f4f2a7edfc0ca5fa3facc2b432c863e72b5067d601cb73

        • C:\Users\Admin\AppData\Local\Temp\nst8307.tmp\FileInfo.dll

          Filesize

          46KB

          MD5

          25aa25fcec2065cdf81f77d2153a63a7

          SHA1

          e09b96d596323201ce5586daa16c9b8ecfaa7654

          SHA256

          ba62fc93cdd027de00af9cbaf31bf102d47fe9f1d74493ebf6faa2f2c9982435

          SHA512

          5de8b9ca1b38fba4f63756066d10a0312acafe9c051645fd192e500d1cff23a21845cec2d1fb1002ddf7002f9f6ae3962fd6087f3ab793d9630c33e35d6aba64

        • \Program Files (x86)\HaoZip\HaoZipLoader.exe

          Filesize

          48KB

          MD5

          a43c95953e8ae0cc14cdce57dfb0096b

          SHA1

          d721d9f34aefbcdf6e8cc59889d5ccc8e1997d0e

          SHA256

          9aceeeef173e48bdf2167756227e41b71a9dc04c7276105b36fd3607d32f342c

          SHA512

          87bd9181503fcdaef5191f3836f00b8f103d3280e81594cfaa224dc2824c54ec79241adf4750e6f8fbab0ff5c5048ac2cea6da6e3da6a6e2b68ab71e2f511658

        • \Users\Admin\AppData\Local\Temp\RarSFX0\Youbak_MSN_PARTNER2036.exe

          Filesize

          989KB

          MD5

          d88681c275fd71f42ccaee06e5901fc9

          SHA1

          3f051192a4ea9722d139cea2e7d7aef860880253

          SHA256

          980e63c8f1c312d3dda44b1fc79cc937357a36c585fcda7c51a433e36f1600a5

          SHA512

          f096de74e29554d8960803f272d5c8cd37304d5fcc55d54287d0bd24901c6bf6cf9ca0b33f4d3ee96cdce5fab50248abe9332e5eb47066eb32ee5102737d2d86

        • \Users\Admin\AppData\Local\Temp\RarSFX0\ha65.exe

          Filesize

          2.3MB

          MD5

          616285502f035c80681455288c513731

          SHA1

          4fd937ff5add37e10254c11a8f0809d6b7f23521

          SHA256

          49631d72bdd2902f98b080e4326b82380be234e1d01a8291dcc7431764e90281

          SHA512

          6d46800f925917af4d510604e544b9491c83a23ce98fb4a1d2bc6d2deefb7d7d052b75b1dd57cb232d4f4a036b013fdfe53d280926342053831b26fc549c34bb

        • \Users\Admin\AppData\Local\Temp\is-QA4IO.tmp\_isetup\_shfoldr.dll

          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        • \Users\Admin\AppData\Local\Temp\is-SPGBB.tmp\Youbak_MSN_PARTNER2036.tmp

          Filesize

          694KB

          MD5

          29bb632f057f068130e8a7877781a05d

          SHA1

          10060581eb95e61d6ac8176f692a2ae251149b32

          SHA256

          13065ec81bfdf70d1074f8fb90f6eaecae531b76e71ba1542f3cefc41a9e29c1

          SHA512

          0b66548ea8690d755566054f42a3886ac983f8402afd8ff27923f092a71c8404e16add8393d314ea056698f51ab0f3260c882c1447b35f73b1830458e70fd405

        • \Users\Admin\AppData\Local\Temp\nst8307.tmp\System.dll

          Filesize

          11KB

          MD5

          a82b0479708b96c7bf4dd6b798aedee0

          SHA1

          7e47b402848a86bdddd5f0de8bb4620471caaab0

          SHA256

          72410442a894b8316da6ad469f03997ec17c0b0d117745bb6ac5cac3232c7d20

          SHA512

          02e07def3897d87d546c0cf1492191591be587f64ae5c165b9a91fb977585c65a860135eb8c102b67dede913ea935459ce70c4ca973b292122c8d097ab130d58

        • memory/2016-32-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/2016-14-0x0000000000401000-0x000000000040B000-memory.dmp

          Filesize

          40KB

        • memory/2016-12-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/2284-77-0x0000000000300000-0x0000000000311000-memory.dmp

          Filesize

          68KB

        • memory/2300-31-0x0000000000400000-0x00000000004BD000-memory.dmp

          Filesize

          756KB

        • memory/2380-163-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/2700-93-0x00000000003D0000-0x00000000003F0000-memory.dmp

          Filesize

          128KB

        • memory/2700-96-0x0000000000420000-0x000000000044F000-memory.dmp

          Filesize

          188KB