Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted
28/03/2025, 17:36
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll
Resource
win7-20250207-en
General
-
Target
JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll
-
Size
78KB
-
MD5
8ae2da00f8788ccb24c788c63f557304
-
SHA1
15f6cc2760226f2cb06aabb312fbaa8f3b24ced3
-
SHA256
53e749d3a8e05369d191e58382574c47a7ee5a61ae016230ad60c7fb8b7b2520
-
SHA512
98c5f820d8ac6f09388c5d2c2750307597554b5497be90b536dd090e522b23dbdf5ff19cadcbf784bc8f2c125badbe378e88c0347af86acff6fc89afa8fbf854
-
SSDEEP
1536:j4nQuutahYTG+JQXpY+dyUdMMZ6G3m3zTaG3KM:jwQuutahmQW+dyUF3mXacKM
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid | Process
2724 | F44TGMYMDK.EXE
1844 | MendicantMendicant.exe
2648 | MendicantMendicant.exe
Loads dropped DLL 6 IoCs
pid | Process
2724 | F44TGMYMDK.EXE (×4)
1844 | MendicantMendicant.exe
2648 | MendicantMendicant.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | F44TGMYMDK.EXE
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | \??\f:\$recycle.bin\s-1-5-21-677481364-2238709445-1347953534-1000\desktop.ini | MendicantMendicant.exe
File opened for modification | \??\f:\$recycle.bin\s-1-5-21-677481364-2238709445-1347953534-1000\desktop.ini | MendicantMendicant.exe
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D4B669E1-CDD4-2208-7A42-A045F4609710} | regsvr32.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\DisburseForfeiture\DisburseFeline.exe | MendicantMendicant.exe
File created | C:\Program Files\AdvisorySpeleology\ScoreFumes.exe | MendicantMendicant.exe
File opened for modification | C:\Program Files\AdvisorySpeleology\ScoreFumes.exe | MendicantMendicant.exe
File created | C:\Program Files\DisburseForfeiture\DisburseFeline.exe | MendicantMendicant.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\RVWVLYCAVB.dll | F44TGMYMDK.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | F44TGMYMDK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MendicantMendicant.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MendicantMendicant.exe
Modifies registry class 64 IoCs
description | ioc (Process is regsvr32.exe for all 64 entries)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\ = "Thunder 1.0 Type Library"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID\ = "Thunder.xunlei"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID\ = "Thunder.xunlei"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ = "xunlei Class"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS\ = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll"
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Windows\\RVWVLYCAVB.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ = "xunlei Class"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1"
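The "Installs/modifies Browser Helper Object" and "Modifies registry class" entries above only make sense together: the BHO key names a CLSID, and Internet Explorer resolves that CLSID through HKCR\(Wow6432Node\)CLSID\{clsid}\InprocServer32 to find the DLL to load. The following script replays registry events written in the report's own text shape and performs that resolution. It is an added example, not code from the sandbox report or from the sample; the event lines are copied from the report's tables, but their relative order below is an assumption (the report does not state chronology), and the list of trusted DLL directories is a heuristic of this example.

```python
"""Replay registry events of the kind listed above and resolve each registered BHO
CLSID to the DLL Internet Explorer would load. Added example, not part of the
sandbox report or the sample: event lines are copied from the report in its own
"<action> <path>[ = "<value>"] <process>" shape; their order here is assumed."""
import re

# Constructed input (order assumed): a subset of the report's registry events.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D4B669E1-CDD4-2208-7A42-A045F4609710} regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Windows\\RVWVLYCAVB.dll" regsvr32.exe
"""

LINE_RE = re.compile(r'^(Key created|Key deleted|Set value \(str\)) (\\REGISTRY\\.*?)(?: = "(.*)")? (\S+)$')
CLASSES = "\\registry\\machine\\software\\classes"
BHO_RE = re.compile(r"^\\registry\\machine\\software\\(wow6432node\\)?microsoft\\windows"
                    r"\\currentversion\\explorer\\browser helper objects\\(\{[0-9a-f-]+\})$")
# Heuristic (assumption of this example): directories a COM server DLL is normally served from.
TRUSTED = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
           "c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(text):
    """Parse report-style lines into (action, path, value-or-None, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed line: " + line)
        action, path, data, proc = m.groups()
        if data is not None:
            data = data.replace("\\\\", "\\")  # the report doubles backslashes inside values
        events.append((action, path, data, proc))
    return events


def replay(events):
    """Apply events in order; returns {lower-cased key path: {value name: data}}, "" = default value."""
    reg = {}
    for action, path, data, _proc in events:
        if action == "Key created":
            reg.setdefault(path.lower(), {})
        elif action == "Key deleted":
            prefix = path.lower()
            for key in [k for k in reg if k == prefix or k.startswith(prefix + "\\")]:
                del reg[key]  # deleting a key removes its values and subkeys
        else:  # "Set value (str)": the report writes "<key>\<name>", and "<key>\" for the default value
            key, _, name = path.rpartition("\\")
            reg.setdefault(key.lower(), {})[name] = data
    return reg


def resolve_bhos(reg):
    """For each BHO key, follow CLSID -> InprocServer32 (and TypeLib -> win32) the way IE would."""
    found = {}
    for key in reg:
        m = BHO_RE.match(key)
        if not m:
            continue
        wow, clsid = m.group(1), m.group(2)
        # A BHO registered under SOFTWARE\Wow6432Node is loaded by 32-bit IE from the
        # 32-bit class hive, i.e. Classes\Wow6432Node\CLSID; type libraries are not redirected.
        clsid_key = CLASSES + ("\\wow6432node" if wow else "") + "\\clsid\\" + clsid
        server = reg.get(clsid_key + "\\inprocserver32", {})
        dll = server.get("")
        tlb = reg.get(clsid_key + "\\typelib", {}).get("")
        tlb_dll = reg.get(CLASSES + "\\typelib\\" + tlb.lower() + "\\1.0\\0\\win32", {}).get("") if tlb else None
        found[clsid.upper()] = {
            "view": "x86" if wow else "x64",
            "dll": dll,
            "threading": server.get("ThreadingModel"),
            "typelib_dll": tlb_dll,
            "suspicious": dll is None or not dll.lower().startswith(TRUSTED),
        }
    return found


if __name__ == "__main__":
    for clsid, info in resolve_bhos(replay(parse_events(SAMPLE_EVENTS))).items():
        print(clsid, info)
```

The replay is what makes the "Key deleted" rows meaningful: a key deletion wipes the values beneath it, so only the last surviving InprocServer32 default counts. On this input the BHO resolves to the sample DLL in the user's Temp directory while the type library path ends up pointing at C:\Windows\RVWVLYCAVB.dll, which is consistent with the two regsvr32 invocations in the process tree.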
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
2724 | F44TGMYMDK.EXE (×5)
1844 | MendicantMendicant.exe (×2)
2648 | MendicantMendicant.exe (×2)
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 3028 wrote to memory of 2216 | 3028 | regsvr32.exe | 31 (×7)
PID 2216 wrote to memory of 2724 | 2216 | regsvr32.exe | 32 (×4)
PID 2724 wrote to memory of 2740 | 2724 | F44TGMYMDK.EXE | 33 (×7)
PID 2724 wrote to memory of 1844 | 2724 | F44TGMYMDK.EXE | 34 (×4)
PID 2724 wrote to memory of 2648 | 2724 | F44TGMYMDK.EXE | 35 (×4)
Processes
-
C:\Windows\system32\regsvr32.exe (PID 3028)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 2216)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\F44TGMYMDK.EXE (PID 2724)
      Command line: "C:\F44TGMYMDK.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe (PID 2740)
        Command line: regsvr32.exe /s "C:\Windows\RVWVLYCAVB.dll"
        - System Location Discovery: System Language Discovery
        - Modifies registry class
      C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe (PID 1844)
        Command line: "C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe (PID 2648)
        Command line: C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
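The process tree above is the part of this report that generalises into a detection: regsvr32.exe registering a DLL from a user-writable or otherwise unexpected location, regsvr32.exe spawning a process (DllRegisterServer has no business creating one), and executables launched from a drive root or the user's Temp directory. The script below runs those three rules over process-creation events. It is an added example, not code from the sandbox report or the sample: the PIDs, image paths and command lines are the report's, while the Sysmon-like record shape, the parent PID 0 for the root regsvr32 (the report does not show its parent) and the trusted-directory list are assumptions. One step of the chain is benign on its own and is deliberately not flagged: a 64-bit regsvr32.exe handing a 32-bit DLL to C:\Windows\SysWOW64\regsvr32.exe.

```python
"""Detection rules for the regsvr32 -> dropped EXE -> regsvr32 chain in the process
tree above. Added example, not part of the sandbox report: the events are constructed
from the report's PIDs, images and command lines in a Sysmon-like shape; the root
regsvr32's parent PID is not in the report and is set to 0 here."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ae2da00f8788ccb24c788c63f557304.dll"

# Constructed from the report's process tree; parent PIDs follow the tree nesting.
EVENTS = [
    ProcEvent(3028, 0, r"C:\Windows\system32\regsvr32.exe", "regsvr32 /s " + SAMPLE_DLL),
    ProcEvent(2216, 3028, r"C:\Windows\SysWOW64\regsvr32.exe", "/s " + SAMPLE_DLL),
    ProcEvent(2724, 2216, r"C:\F44TGMYMDK.EXE", r'"C:\F44TGMYMDK.EXE"'),
    ProcEvent(2740, 2724, r"C:\Windows\SysWOW64\regsvr32.exe", r'regsvr32.exe /s "C:\Windows\RVWVLYCAVB.dll"'),
    ProcEvent(1844, 2724, r"C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe"'),
    ProcEvent(2648, 2724, r"C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MendicantMendicant.exe"),
]

# Heuristic (assumption of this example): where a COM server DLL is normally registered
# from. C:\Windows itself and anything user-writable are deliberately left out.
TRUSTED_DIRS = (r"c:\windows\system32\\"[:-1], r"c:\windows\syswow64\\"[:-1],
                r"c:\program files\\"[:-1], r"c:\program files (x86)\\"[:-1])
DLL_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+$")
USER_TEMP = "\\appdata\\local\\temp\\"


def is_regsvr32(image: str) -> bool:
    return image.lower().endswith("\\regsvr32.exe")


def regsvr32_target(cmdline: str):
    """Return the DLL path a regsvr32 command line registers, or None if there is none."""
    m = DLL_ARG.search(cmdline)
    return m.group(1) if m else None


def ancestry(events, pid):
    """Process chain from `pid` up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours seen in the tree."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Rule 1: regsvr32 registering a DLL outside the trusted directories.
        if is_regsvr32(e.image):
            target = regsvr32_target(e.cmdline)
            if target and not target.lower().startswith(TRUSTED_DIRS):
                alerts.append(("regsvr32_untrusted_dll", e.pid, target))
        # Rule 2: regsvr32 spawning a non-regsvr32 child. A 64-bit regsvr32 re-launching
        # SysWOW64\regsvr32.exe for a 32-bit DLL is normal and is not flagged.
        if parent and is_regsvr32(parent.image) and not is_regsvr32(e.image):
            alerts.append(("regsvr32_spawned_process", e.pid, e.image))
        # Rule 3: executable running from a drive root or the user's Temp directory.
        if ROOT_EXE.match(image) or USER_TEMP in image:
            alerts.append(("exe_from_root_or_temp", e.pid, e.image))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        names = [p.image.rsplit("\\", 1)[-1] + "(%d)" % p.pid for p in ancestry(EVENTS, pid)]
        print("%-26s %s\n    chain: %s" % (rule, detail, " <- ".join(names)))
```

Rule 1 fires three times on this tree (both registrations of the Temp DLL and the one of C:\Windows\RVWVLYCAVB.dll), rule 2 once (PID 2724 under PID 2216), rule 3 three times (C:\F44TGMYMDK.EXE and both MendicantMendicant.exe instances); the benign 3028 to 2216 hand-off is not reported. The ancestry chain printed with each alert is what lets an analyst tie the later MendicantMendicant.exe activity back to the original regsvr32 invocation.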
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 46KB
MD5: a098457d5ef689d34a878d0359eb999c
SHA1: f119b0f08c9e6bd16c6065eb464aa7c3163a8e0a
SHA256: 1fe11499f2d52b374b68e85cdb04d8779c8aec6fede58925286a907d13ba4be7
SHA512: 22bf5d8de1e2fd27cfbba592a7ce50473dbdba87d92b4a41de645e7f0a3175a25dbf5ba0ec8f22e3ac6a29245c42a54b9cd7fd11d47331634edaa3d64ff487d3
-
Filesize: 78KB (same hashes as the submitted sample)
MD5: 8ae2da00f8788ccb24c788c63f557304
SHA1: 15f6cc2760226f2cb06aabb312fbaa8f3b24ced3
SHA256: 53e749d3a8e05369d191e58382574c47a7ee5a61ae016230ad60c7fb8b7b2520
SHA512: 98c5f820d8ac6f09388c5d2c2750307597554b5497be90b536dd090e522b23dbdf5ff19cadcbf784bc8f2c125badbe378e88c0347af86acff6fc89afa8fbf854
-
Filesize: 28KB
MD5: 927476200feeb6160af47839940f10cc
SHA1: 77dbd1d864d608a59fe5be14c10df1682de40486
SHA256: 7f3bcfae359fce0e86d1f0b8881d204b3f4bea37b993c06d8a42d3771d92c2da
SHA512: 42e9c462242865567d1b5429d45b561535c1fd732ba62ef1c773e8f446663adb5cf81bf27c3dee16458f1e56397911ba0d1b54db372f619f536e2161c1121c9f