Analysis

max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2024, 13:17
Static task: static1

Behavioral task: behavioral1
  Sample: 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
Size: 1.5MB
MD5: 7f562b46ea41c407b19a1fb1b23a08df
SHA1: 2fb363098a03d8e6e9c012593541f32814bfdc55
SHA256: be57eb3e47948d5120d30baae0adb33c018fee294a8ab6adfe2a0cf30e558503
SHA512: 916dcac887019de381d7c406af2c58ded6320b843742c990a9a80d269774aa8efda1fca6a19066093d2ec10a20cdbe8bb8a49b34ba3f0225e3c22f10c49686fb
SSDEEP: 24576:ghKGlYw7/XtSeR9OYEA687NEQgSdH6ZM5ZKGMjjy2vv0xsz3UXx4RUBViGP:ghKGd7/XtSeR9OMb+Qx6djjFmcEh4R6f
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2632  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1976  QQupdateRe.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  1976  QQupdateRe.exe
  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                 Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360antiarp = "\\WINDOWS\\QQupdateRe.exe"  reg.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (1 IoC)
  description   ioc                          Process
  File created  C:\windows\SysWOW64\run.cmd  QQupdateRe.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                        Process
  File created                  C:\WINDOWS\QQupdateRe.exe  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  File opened for modification  C:\WINDOWS\QQupdateRe.exe  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  File created                  C:\WINDOWS\QQ.exe          7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QQupdateRe.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe

Kills process with taskkill (1 IoC)
  pid   Process
  2908  taskkill.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2908  taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2760  DllHost.exe

Suspicious use of SetWindowsHookEx (24 IoCs; identical rows collapsed with a count)
  pid   Process                                             occurrences
  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe  11
  1976  QQupdateRe.exe                                      11
  2760  DllHost.exe                                         2

Suspicious use of WriteProcessMemory (33 IoCs; identical rows collapsed with a count)
  description                       pid   Process                                             procid_target  occurrences
  PID 1732 wrote to memory of 1976  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe  30             7
  PID 1976 wrote to memory of 1984  1976  QQupdateRe.exe                                      31             7
  PID 1984 wrote to memory of 2880  1984  cmd.exe                                             33             7
  PID 1732 wrote to memory of 2640  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe  35             4
  PID 1732 wrote to memory of 2632  1732  7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe  36             4
  PID 2640 wrote to memory of 2908  2640  cmd.exe                                             39             4
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe  (PID 1732)
  command line: "C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\WINDOWS\QQupdateRe.exe  (PID 1976)
      command line: C:\WINDOWS\QQupdateRe.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 1984)
          command line: cmd /c C:\windows\system32\run.cmd
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 2880)
              command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "\WINDOWS\QQupdateRe.exe" /f
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 2640)
      command line: cmd /c taskkill /f /im QQ.exe /t
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe  (PID 2908)
          command line: taskkill /f /im QQ.exe /t
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 2632)
      command line: cmd.exe /c del 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
      - Deletes itself
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\DllHost.exe  (PID 2760)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 128KB
  MD5: a29510e1f407b73f6e649a3139dd86e7
  SHA1: e53c5ad5205e8639f98d28d8aa407573fbd5d9ce
  SHA256: cf002b87a2bc481465cc977630eb7bffd8c65aaaf7a6f7d5b9ff880dc8b8e207
  SHA512: b03b30923ef3073bacdece0301bafd31fc2481a0a122d480500d4282c5d068d9c55355820b1ffddca12aad33e7ace00dd7468f80870d4a781baa7c4ecba4c9d7

File 2
  Filesize: 332KB
  MD5: 3102c454a9543e58fe3ad5f783f5a690
  SHA1: dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9
  SHA256: 039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9
  SHA512: 5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

File 3
  Filesize: 60KB
  MD5: 97d57d2e349f2afbe6c40baa679f6281
  SHA1: e9ee8998a6cc9cbc109da0cf741d8803a3762a82
  SHA256: 944fa12ee12b4c008f6ea52cfd6e4b7ce1719a419fb77a65fd0c432160ecc699
  SHA512: fc3149e1b49680bbb8346769d8cc1c4cecb035636464686412cd0242d6eb52316b171f8b15fed218ebe7850c84a2d4a134dbdb3693c5c369863aabaed66b9d88

File 4
  Filesize: 307KB
  MD5: 1f4dc0338f6565bc1289e44ae2bc6030
  SHA1: a93b3c3280f7d5ee0e844ff52043296eb8d971d9
  SHA256: 91fbf751b45cb69e4a13e32f4fc466227c8dc4e0bde56fe6f1f339b0ab9838e7
  SHA512: f9f1eee17ed2446784bef4b1952c17033f7f3d297f1b9d7d7e415336e3b26f2b390255685dbf2084027068e796346c05aa959406232e955a36ec2a54881cd0a4

File 5 (the submitted sample)
  Filesize: 1.5MB
  MD5: 7f562b46ea41c407b19a1fb1b23a08df
  SHA1: 2fb363098a03d8e6e9c012593541f32814bfdc55
  SHA256: be57eb3e47948d5120d30baae0adb33c018fee294a8ab6adfe2a0cf30e558503
  SHA512: 916dcac887019de381d7c406af2c58ded6320b843742c990a9a80d269774aa8efda1fca6a19066093d2ec10a20cdbe8bb8a49b34ba3f0225e3c22f10c49686fb

File 6
  Filesize: 157B
  MD5: 013a7ab1545fe560eee053275aa7c057
  SHA1: 34d7ad52a012fd5a4da000336893b4585b693fd0
  SHA256: ef6aab9754b7b476cd27c88d68cf921cb55c968b15b48850214e8636d87ba9a7
  SHA512: cf05589b62c11b855602f647e9d51daa7c93bdb288c2d699095d5d97c085a5e3b0e2639edf8c9a849313e86a8cedb82e60a98f8e48f08b156fe3731a90c34fb3

File 7
  Filesize: 1.0MB
  MD5: 4b30dbe1a79b2b7572ff637cb3765ced
  SHA1: b08eba0e9bdb62d426db8d2b3d451152a56f79a1
  SHA256: 4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d
  SHA512: 40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce