Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20241023-en
  • resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted: 30/03/2025, 16:08

General

  • Target: JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
  • Size: 24KB
  • MD5: 98e3d2086ee5c43d9faf801af4a7cbdb
  • SHA1: 826fd0cee8ae48bf3ec914208fb7e49e773403d8
  • SHA256: c475fed2f6ba0ac3c67cf84d39fe08956bd72be6857a6f5d047949c46119e44c
  • SHA512: 10bcd7590cec8f1a7f92fa9bd0f0008813aa77ba66c662013b046af5ab4d74a2ea58dc4dc51ba87a8078bfd5620d43d50c2e4e5a06a443aa9f4671cc9dcab155
  • SSDEEP: 384:Pp6CE6rdOhM0qufXwxZsN/YYj5BTMkUMpM1dUr2RqTwleANiW8T/7cE4:hbdOhM0TfgjsRYmNMuwRRqTxNrP

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe (PID 2596, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe"
    Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 2924, depth 2)
      Command line: cmd /c 1.bat
      Signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      • C:\Program Files\WLmhzx\gameclien.exe (PID 2192, depth 3)
        Command line: "C:\Program Files\WLmhzx\gameclien.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\cmd.exe (PID 2788, depth 4)
          Command line: cmd /c C:\WINDOWS\system32\mhzxin.bat
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          • C:\Windows\SysWOW64\regedit.exe (PID 2932, depth 5)
            Command line: regedit.exe /s mhzx.reg
            Signatures: Boot or Logon Autostart Execution: Active Setup; System Location Discovery: System Language Discovery; Runs .reg file with regedit

Downloads

  • C:\Program Files\WLmhzx\gameclien.exe
    Filesize: 24KB
    MD5: 98e3d2086ee5c43d9faf801af4a7cbdb
    SHA1: 826fd0cee8ae48bf3ec914208fb7e49e773403d8
    SHA256: c475fed2f6ba0ac3c67cf84d39fe08956bd72be6857a6f5d047949c46119e44c
    SHA512: 10bcd7590cec8f1a7f92fa9bd0f0008813aa77ba66c662013b046af5ab4d74a2ea58dc4dc51ba87a8078bfd5620d43d50c2e4e5a06a443aa9f4671cc9dcab155

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    Filesize: 192B
    MD5: 0c018c557a2f3e38ba6f8abd7a6ab654
    SHA1: 29f8a3d566ca63eef56e34b1da883c662ec15b63
    SHA256: 443ede70b2034e790afa0fd6f57d3ee115a3e6ea94e52223a67ad3d4532f31e9
    SHA512: dc723214ad4497ac3b0588e46fdef409516bdde28a1a447f3668892433eb500ffb6dc0e46e8573c055962f1f733a53ef69be7153a6fe6d07d3fa123b0892aa0a

  • C:\Windows\SysWOW64\mhzx.reg
    Filesize: 312B
    MD5: f0e79459e4b4ffcc8cb8b3e718fac9ff
    SHA1: 723bc34d7fad62fc56920d77f0a58fabe57ce049
    SHA256: 5c665746ab27624fa6b072e04aec98c0ffd8d78bdfa1efd67eeff92dce8dcb66
    SHA512: f8e394b54f0bb81be13db5b07543bb21372b461ee02499fb58f60b8216f6b24b8ad27381f7a494e67e7c4c31d285dfdfbb5cb89b604819351626e3a05c36d2ad

  • C:\Windows\SysWOW64\mhzxin.bat
    Filesize: 23B
    MD5: 40ad273cddf8d446a6970e58e36c861e
    SHA1: 0096494c0a50ee9404e151ba9b0f22d14bbc2a30
    SHA256: 061b674b67a39109110ee8ff1b00e16e722edc6e6a16e6cb3183091015ec4e97
    SHA512: 6aee175080408d992fc16ab260631696757670f0525dd56ae54994b08e63a6858d496a70241a84ea859d7a05ceab5acadea3880926af7052c7652755bdb03edf

  • C:\Windows\SysWOW64\sougou.ime
    Filesize: 36KB
    MD5: b246f8da3f34c2b59e1ba8f147c7001b
    SHA1: 4294f29b4a2dcc4561dad6209f3ffa0a00b22e41
    SHA256: cf93ff1f3a924712706fd9e9539a1be1ec173121ef5a8d9aad8489fb8acf7786
    SHA512: b8535b431413dbbd22182d69fdef3bb42e0105eb7938eef066be995848a061c27d57e8086523e9335237d723ee34fe41f76787d2effd105885122b6f7feba250

  • memory/2192-38-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/2596-10-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/2596-0-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB

  • memory/2924-16-0x00000000002F0000-0x0000000000305000-memory.dmp
    Filesize: 84KB