Task scores (score / sample / platform)
- 7: Static
- 3: 5052cf2d1f...18.exe (windows7-x64)
- 7: 5052cf2d1f...18.exe (windows10-2004-x64)
- 7: $_2_/Downl...PS.dll (windows7-x64)
- 3: $_2_/Downl...PS.dll (windows10-2004-x64)
- 3: $_2_/Extract.dll (windows7-x64)
- 3: $_2_/Extract.dll (windows10-2004-x64)
- 3: $_2_/MiniQQDL.exe (windows7-x64)
- 7: $_2_/MiniQQDL.exe (windows10-2004-x64)
- 7: $_2_/TNProxy.dll (windows7-x64)
- 3: $_2_/TNProxy.dll (windows10-2004-x64)
- 3: $_2_/Tencentdl.exe (windows7-x64)
- 3: $_2_/Tencentdl.exe (windows10-2004-x64)
- 3: $_2_/dlcore.dll (windows7-x64)
- 3: $_2_/dlcore.dll (windows10-2004-x64)
- 3: $_2_/predown.dll (windows7-x64)
- 3: $_2_/predown.dll (windows10-2004-x64)
Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17/10/2024, 02:20
Tasks (task / sample / resource)
- static1 (static task)
- behavioral1: 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe / win7-20240708-en
- behavioral2: 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe / win10v2004-20241007-en
- behavioral3: $_2_/DownloadProxyPS.dll / win7-20240903-en
- behavioral4: $_2_/DownloadProxyPS.dll / win10v2004-20241007-en
- behavioral5: $_2_/Extract.dll / win7-20240903-en
- behavioral6: $_2_/Extract.dll / win10v2004-20241007-en
- behavioral7: $_2_/MiniQQDL.exe / win7-20240729-en
- behavioral8: $_2_/MiniQQDL.exe / win10v2004-20241007-en
- behavioral9: $_2_/TNProxy.dll / win7-20240903-en
- behavioral10: $_2_/TNProxy.dll / win10v2004-20241007-en
- behavioral11: $_2_/Tencentdl.exe / win7-20240903-en
- behavioral12: $_2_/Tencentdl.exe / win10v2004-20241007-en
- behavioral13: $_2_/dlcore.dll / win7-20240903-en
- behavioral14: $_2_/dlcore.dll / win10v2004-20241007-en
- behavioral15: $_2_/predown.dll / win7-20240903-en
- behavioral16: $_2_/predown.dll / win10v2004-20241007-en
General
- Target: $_2_/TNProxy.dll
- Size: 377KB
- MD5: 858fc685a5bff591985394f9cdf9e289
- SHA1: 5970a28aab399d005885b9c6b79eafd606640fab
- SHA256: 3404212366a3aed4155e5d73d901e769a7005cadde5169a8d9677ab5a0585dcf
- SHA512: 620491b27ff281ad42f947fb9dbef3256624fe8d298740d6b9942627525a2d44525cbb9065d2ffa2efb0ab3478b8a33148fc9b0b4c531106cc8e421e2c59f0d0
- SSDEEP: 6144:H9u5ec95CL2ADz5izTNe/rCkMyELlc5VZ7ciL3QSGV0G/34r:NczXTNe/rCdVLlMNcW3Q3E
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 3048 wrote to memory of 2396 | pid: 3048 | Process: regsvr32.exe | procid_target: 30 (the same entry is recorded 7 times)
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll
   PID: 3048
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 3048)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll
      PID: 2396
      - System Location Discovery: System Language Discovery