Analysis Overview
SHA256
be57eb3e47948d5120d30baae0adb33c018fee294a8ab6adfe2a0cf30e558503
Threat Level: Shows suspicious behavior
The file 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Deletes itself
Executes dropped EXE
Adds Run key to start application
Indicator Removal: File Deletion
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 13:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 13:17
Reported
2024-10-30 13:19
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\QQupdateRe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\WINDOWS\QQupdateRe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360antiarp = "\\WINDOWS\\QQupdateRe.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\run.cmd | C:\WINDOWS\QQupdateRe.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\QQupdateRe.exe | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\QQupdateRe.exe | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\QQ.exe | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\QQupdateRe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe"
C:\WINDOWS\QQupdateRe.exe
C:\WINDOWS\QQupdateRe.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\windows\system32\run.cmd
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "\WINDOWS\QQupdateRe.exe" /f
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im QQ.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im QQ.exe /t
Network
Files
memory/1732-4-0x0000000000400000-0x00000000004C6000-memory.dmp
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
| MD5 | 4b30dbe1a79b2b7572ff637cb3765ced |
| SHA1 | b08eba0e9bdb62d426db8d2b3d451152a56f79a1 |
| SHA256 | 4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d |
| SHA512 | 40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce |
memory/1732-12-0x00000000030F0000-0x00000000031B6000-memory.dmp
C:\WINDOWS\QQupdateRe.exe
| MD5 | 7f562b46ea41c407b19a1fb1b23a08df |
| SHA1 | 2fb363098a03d8e6e9c012593541f32814bfdc55 |
| SHA256 | be57eb3e47948d5120d30baae0adb33c018fee294a8ab6adfe2a0cf30e558503 |
| SHA512 | 916dcac887019de381d7c406af2c58ded6320b843742c990a9a80d269774aa8efda1fca6a19066093d2ec10a20cdbe8bb8a49b34ba3f0225e3c22f10c49686fb |
memory/1976-14-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1976-16-0x00000000002B0000-0x0000000000376000-memory.dmp
memory/1976-15-0x00000000002B0000-0x0000000000376000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne
| MD5 | a29510e1f407b73f6e649a3139dd86e7 |
| SHA1 | e53c5ad5205e8639f98d28d8aa407573fbd5d9ce |
| SHA256 | cf002b87a2bc481465cc977630eb7bffd8c65aaaf7a6f7d5b9ff880dc8b8e207 |
| SHA512 | b03b30923ef3073bacdece0301bafd31fc2481a0a122d480500d4282c5d068d9c55355820b1ffddca12aad33e7ace00dd7468f80870d4a781baa7c4ecba4c9d7 |
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne
| MD5 | 97d57d2e349f2afbe6c40baa679f6281 |
| SHA1 | e9ee8998a6cc9cbc109da0cf741d8803a3762a82 |
| SHA256 | 944fa12ee12b4c008f6ea52cfd6e4b7ce1719a419fb77a65fd0c432160ecc699 |
| SHA512 | fc3149e1b49680bbb8346769d8cc1c4cecb035636464686412cd0242d6eb52316b171f8b15fed218ebe7850c84a2d4a134dbdb3693c5c369863aabaed66b9d88 |
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
| MD5 | 3102c454a9543e58fe3ad5f783f5a690 |
| SHA1 | dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9 |
| SHA256 | 039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9 |
| SHA512 | 5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807 |
C:\Windows\SysWOW64\run.cmd
| MD5 | 013a7ab1545fe560eee053275aa7c057 |
| SHA1 | 34d7ad52a012fd5a4da000336893b4585b693fd0 |
| SHA256 | ef6aab9754b7b476cd27c88d68cf921cb55c968b15b48850214e8636d87ba9a7 |
| SHA512 | cf05589b62c11b855602f647e9d51daa7c93bdb288c2d699095d5d97c085a5e3b0e2639edf8c9a849313e86a8cedb82e60a98f8e48f08b156fe3731a90c34fb3 |
memory/1732-35-0x00000000002E0000-0x00000000002F5000-memory.dmp
memory/1732-37-0x0000000002020000-0x0000000002022000-memory.dmp
memory/2760-38-0x0000000000170000-0x0000000000172000-memory.dmp
memory/1732-43-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1732-41-0x0000000003870000-0x00000000038D3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ͼƬ.jpg
| MD5 | 1f4dc0338f6565bc1289e44ae2bc6030 |
| SHA1 | a93b3c3280f7d5ee0e844ff52043296eb8d971d9 |
| SHA256 | 91fbf751b45cb69e4a13e32f4fc466227c8dc4e0bde56fe6f1f339b0ab9838e7 |
| SHA512 | f9f1eee17ed2446784bef4b1952c17033f7f3d297f1b9d7d7e415336e3b26f2b390255685dbf2084027068e796346c05aa959406232e955a36ec2a54881cd0a4 |
memory/1976-45-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1976-46-0x00000000002B0000-0x0000000000376000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 13:17
Reported
2024-10-30 13:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\QQupdateRe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\WINDOWS\QQupdateRe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360antiarp = "\\WINDOWS\\QQupdateRe.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\run.cmd | C:\WINDOWS\QQupdateRe.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\QQupdateRe.exe | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\QQupdateRe.exe | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\QQ.exe | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\QQupdateRe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe"
C:\WINDOWS\QQupdateRe.exe
C:\WINDOWS\QQupdateRe.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\windows\system32\run.cmd
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "\WINDOWS\QQupdateRe.exe" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im QQ.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im QQ.exe /t
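Both process trees show the same chain: the sample writes a copy of itself to C:\WINDOWS\QQupdateRe.exe (the dropped copy carries the same MD5/SHA1/SHA256 as the submitted file), the copy drops run.cmd, cmd runs it, reg.exe adds a Run value named 360antiarp whose data is the rootless path \WINDOWS\QQupdateRe.exe (no drive letter, so it is resolved against the current drive of whatever launches it, normally the system drive), a forced taskkill targets QQ.exe, and a final cmd deletes the original executable. Two details matter when correlating the events: reg.exe targets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run but the signature records Wow6432Node, and cmd is told to run C:\windows\system32\run.cmd while the file-create event is under SysWOW64. Both are WOW64 redirection for a 32-bit process, which is also why every child image lives in SysWOW64. The detection below is an added example, not code from the sandbox or this report. It runs over constructed Sysmon-style events (made-up PIDs; command lines and paths taken from the trees above, plus one benign reg.exe control entry) and flags each step, normalising system32 to SysWOW64 for 32-bit processes so the dropped script lines up with the command that executes it.

```python
"""Flag each step of the persistence / self-deletion chain from constructed
Sysmon-style telemetry. Added example; not code from the sandbox or report."""
import ntpath
import re

# Constructed sample events (made-up PIDs; command lines and paths copied from
# the process trees). "wow64" marks a 32-bit process on 64-bit Windows, which
# is what the SysWOW64 images of cmd.exe / reg.exe imply.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1732, "ppid": 900, "wow64": True,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe"'},
    {"type": "file", "pid": 1732, "path": r"C:\WINDOWS\QQupdateRe.exe"},
    {"type": "process", "pid": 1976, "ppid": 1732, "wow64": True,
     "image": r"C:\WINDOWS\QQupdateRe.exe", "cmdline": r"C:\WINDOWS\QQupdateRe.exe"},
    {"type": "file", "pid": 1976, "path": r"C:\windows\SysWOW64\run.cmd"},
    {"type": "process", "pid": 2760, "ppid": 1976, "wow64": True,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c C:\windows\system32\run.cmd"},
    {"type": "process", "pid": 2800, "ppid": 2760, "wow64": True,
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "\WINDOWS\QQupdateRe.exe" /f'},
    {"type": "process", "pid": 2810, "ppid": 1732, "wow64": True,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c taskkill /f /im QQ.exe /t"},
    {"type": "process", "pid": 2820, "ppid": 1732, "wow64": True,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c del 7f562b46ea41c407b19a1fb1b23a08df_JaffaCakes118.exe"},
    # Benign control (constructed): 64-bit reg.exe adding a Run value with a full path.
    {"type": "process", "pid": 3000, "ppid": 2900, "wow64": False,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f'},
]

DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM32_RE = re.compile(r"^([A-Za-z]:\\windows)\\system32\\", re.IGNORECASE)
WINDOWS_ROOT_EXE_RE = re.compile(r"^(?:[A-Za-z]:)?\\windows\\[^\\]+$", re.IGNORECASE)
REG_ADD_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?.*?/v\s+(?:"(?P<vq>[^"]*)"|(?P<v>\S+))'
    r'.*?/d\s+(?:"(?P<dq>[^"]*)"|(?P<d>\S+))', re.IGNORECASE)
TASKKILL_RE = re.compile(r"taskkill\b(?=.*\s/f\b).*?/im\s+(?P<image>\S+)", re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\s+(?:/\S+\s+)*"?(?P<target>[^"\s]+)', re.IGNORECASE)
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def normalize_wow64(path, wow64):
    """Map a 32-bit process's view of %windir%\\system32 onto the directory it
    really touches (SysWOW64). Simplification: real redirection exempts a few
    subdirectories such as system32\\drivers\\etc, which is ignored here."""
    if not wow64:
        return path
    return SYSTEM32_RE.sub(lambda m: m.group(1) + "\\SysWOW64\\", path)


def parse_reg_add(cmdline):
    """Extract key, value name and data from a 'reg add' command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    return {"key": m.group("key"),
            "name": m.group("vq") if m.group("vq") is not None else m.group("v"),
            "data": m.group("dq") if m.group("dq") is not None else m.group("d")}


def run_key_findings(cmdline):
    """Rules for Run/RunOnce values written in ways legitimate installers avoid."""
    r = parse_reg_add(cmdline)
    if not r or not re.search(r"\\CurrentVersion\\Run(?:Once)?$", r["key"], re.IGNORECASE):
        return []
    data, out = r["data"], []
    # No drive letter, no %VAR%, not UNC: resolved against the launcher's current drive.
    if not (DRIVE_RE.match(data) or data.startswith("%") or data.startswith("\\\\")):
        out.append(("run_key_rootless_path", f"{r['name']} -> {data}"))
    if WINDOWS_ROOT_EXE_RE.match(data):  # executable sitting directly in \Windows
        out.append(("run_key_windows_root_exe", f"{r['name']} -> {data}"))
    return out


def analyze(events):
    """Return findings as dicts with rule, pid and detail."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {}  # pid -> lower-cased paths that process created
    for e in events:
        if e["type"] == "file":
            dropped.setdefault(e["pid"], set()).add(e["path"].lower())
    findings = []
    for p in procs.values():
        cmd, parent = p["cmdline"], procs.get(p["ppid"])
        for rule, detail in run_key_findings(cmd):
            findings.append({"rule": rule, "pid": p["pid"], "detail": detail})
        m = TASKKILL_RE.search(cmd)
        if m:
            findings.append({"rule": "forced_taskkill", "pid": p["pid"], "detail": m.group("image")})
        m = DEL_RE.search(cmd)
        if m and parent and ntpath.basename(m.group("target")).lower() == ntpath.basename(parent["image"]).lower():
            findings.append({"rule": "self_deletion", "pid": p["pid"], "detail": parent["image"]})
        # A child whose command line names a file its parent just wrote. The
        # WOW64 normalisation makes "system32\run.cmd" match the SysWOW64 create event.
        for raw in PATH_RE.findall(cmd):
            if normalize_wow64(raw, p.get("wow64", False)).lower() in dropped.get(p["ppid"], set()):
                findings.append({"rule": "executes_dropped_file", "pid": p["pid"], "detail": raw})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:26} pid={f['pid']:<5} {f['detail']}")
```

On the constructed events this yields one finding per step of the chain and nothing for the benign control entry. The rootless-path and "executable directly under \Windows" rules are deliberately narrow; for production use add the RunOnce and HKCU variants from Sysmon registry events (EID 13) rather than relying on reg.exe command lines alone, since the same value can be written through the registry API without spawning reg.exe.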
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/1600-0-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
| MD5 | 4b30dbe1a79b2b7572ff637cb3765ced |
| SHA1 | b08eba0e9bdb62d426db8d2b3d451152a56f79a1 |
| SHA256 | 4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d |
| SHA512 | 40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce |
C:\Windows\QQupdateRe.exe
| MD5 | 7f562b46ea41c407b19a1fb1b23a08df |
| SHA1 | 2fb363098a03d8e6e9c012593541f32814bfdc55 |
| SHA256 | be57eb3e47948d5120d30baae0adb33c018fee294a8ab6adfe2a0cf30e558503 |
| SHA512 | 916dcac887019de381d7c406af2c58ded6320b843742c990a9a80d269774aa8efda1fca6a19066093d2ec10a20cdbe8bb8a49b34ba3f0225e3c22f10c49686fb |
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne
| MD5 | 97d57d2e349f2afbe6c40baa679f6281 |
| SHA1 | e9ee8998a6cc9cbc109da0cf741d8803a3762a82 |
| SHA256 | 944fa12ee12b4c008f6ea52cfd6e4b7ce1719a419fb77a65fd0c432160ecc699 |
| SHA512 | fc3149e1b49680bbb8346769d8cc1c4cecb035636464686412cd0242d6eb52316b171f8b15fed218ebe7850c84a2d4a134dbdb3693c5c369863aabaed66b9d88 |
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
| MD5 | 3102c454a9543e58fe3ad5f783f5a690 |
| SHA1 | dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9 |
| SHA256 | 039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9 |
| SHA512 | 5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807 |
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne
| MD5 | a29510e1f407b73f6e649a3139dd86e7 |
| SHA1 | e53c5ad5205e8639f98d28d8aa407573fbd5d9ce |
| SHA256 | cf002b87a2bc481465cc977630eb7bffd8c65aaaf7a6f7d5b9ff880dc8b8e207 |
| SHA512 | b03b30923ef3073bacdece0301bafd31fc2481a0a122d480500d4282c5d068d9c55355820b1ffddca12aad33e7ace00dd7468f80870d4a781baa7c4ecba4c9d7 |
memory/1600-27-0x00000000022A0000-0x00000000022B5000-memory.dmp
C:\windows\SysWOW64\run.cmd
| MD5 | 013a7ab1545fe560eee053275aa7c057 |
| SHA1 | 34d7ad52a012fd5a4da000336893b4585b693fd0 |
| SHA256 | ef6aab9754b7b476cd27c88d68cf921cb55c968b15b48850214e8636d87ba9a7 |
| SHA512 | cf05589b62c11b855602f647e9d51daa7c93bdb288c2d699095d5d97c085a5e3b0e2639edf8c9a849313e86a8cedb82e60a98f8e48f08b156fe3731a90c34fb3 |
memory/1600-32-0x0000000002BD0000-0x0000000002C33000-memory.dmp
memory/1600-34-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1860-35-0x0000000000400000-0x00000000004C6000-memory.dmp