Analysis
max time kernel: 147s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 17:28

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll
Resource: win10v2004-20250502-en

General
Target: JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll
Size: 484KB
MD5: 1c6f459d6e5e2f0073bce58664d6c9ed
SHA1: b7c23db3ee48d62a5bbb56fa71ded2bd549087aa
SHA256: 41c15c115abe0077efa9e009ac4336aa57233134e14c3ad5d30d414c6e058064
SHA512: d12fce1c711035de6042ba0d5a534d758db8df70883de99a0d7de5df2180602b408475482c126e37b5f20ef2b224cfc36dce3d6f4d09ae9cab9327d1fd860cdf
SSDEEP: 6144:mbqzVbbUYjG8AClk8+U05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyunKo:EqxgYjG8ACv+zKhpsJZRXH52LMcg5n1
Malware Config
Extracted
Family: qakbot
Version: 402.343
Botnet: obama103
Campaign: 1632477754
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Qakbot family

Windows security bypass (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Diopuqvi = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cmbfjuohgxa = "0" | reg.exe
Loads dropped DLL (1 IoC)
pid | Process
4676 | regsvr32.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Modifies data under HKEY_USERS (10 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3672 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
5076 | rundll32.exe
5076 | rundll32.exe
4676 | regsvr32.exe
4676 | regsvr32.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
5076 | rundll32.exe
4676 | regsvr32.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 5196 wrote to memory of 5076 | 5196 | rundll32.exe | 84
PID 5196 wrote to memory of 5076 | 5196 | rundll32.exe | 84
PID 5196 wrote to memory of 5076 | 5196 | rundll32.exe | 84
PID 5076 wrote to memory of 4076 | 5076 | rundll32.exe | 92
PID 5076 wrote to memory of 4076 | 5076 | rundll32.exe | 92
PID 5076 wrote to memory of 4076 | 5076 | rundll32.exe | 92
PID 5076 wrote to memory of 4076 | 5076 | rundll32.exe | 92
PID 5076 wrote to memory of 4076 | 5076 | rundll32.exe | 92
PID 4076 wrote to memory of 3672 | 4076 | explorer.exe | 93
PID 4076 wrote to memory of 3672 | 4076 | explorer.exe | 93
PID 4076 wrote to memory of 3672 | 4076 | explorer.exe | 93
PID 1016 wrote to memory of 4676 | 1016 | regsvr32.exe | 98
PID 1016 wrote to memory of 4676 | 1016 | regsvr32.exe | 98
PID 1016 wrote to memory of 4676 | 1016 | regsvr32.exe | 98
PID 4676 wrote to memory of 4760 | 4676 | regsvr32.exe | 99
PID 4676 wrote to memory of 4760 | 4676 | regsvr32.exe | 99
PID 4676 wrote to memory of 4760 | 4676 | regsvr32.exe | 99
PID 4676 wrote to memory of 4760 | 4676 | regsvr32.exe | 99
PID 4676 wrote to memory of 4760 | 4676 | regsvr32.exe | 99
PID 4760 wrote to memory of 4816 | 4760 | explorer.exe | 100
PID 4760 wrote to memory of 4816 | 4760 | explorer.exe | 100
PID 4760 wrote to memory of 4800 | 4760 | explorer.exe | 102
PID 4760 wrote to memory of 4800 | 4760 | explorer.exe | 102
Processes

C:\Windows\system32\rundll32.exe (level 1, PID 5196)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (level 2, PID 5076)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (level 3, PID 4076)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (level 4, PID 3672)
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vztfvjm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll\"" /SC ONCE /Z /ST 17:30 /ET 17:42
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\regsvr32.exe (level 1, PID 1016)
  Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (level 2, PID 4676)
    Command line: -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (level 3, PID 4760)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe (level 4, PID 4816)
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cmbfjuohgxa" /d "0"
        - Windows security bypass
      C:\Windows\system32\reg.exe (level 4, PID 4800)
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Diopuqvi" /d "0"
        - Windows security bypass
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 484KB
MD5: 1c6f459d6e5e2f0073bce58664d6c9ed
SHA1: b7c23db3ee48d62a5bbb56fa71ded2bd549087aa
SHA256: 41c15c115abe0077efa9e009ac4336aa57233134e14c3ad5d30d414c6e058064
SHA512: d12fce1c711035de6042ba0d5a534d758db8df70883de99a0d7de5df2180602b408475482c126e37b5f20ef2b224cfc36dce3d6f4d09ae9cab9327d1fd860cdf