Analysis Overview
SHA256: 41c15c115abe0077efa9e009ac4336aa57233134e14c3ad5d30d414c6e058064
Threat Level: Known bad
The file JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed was found to be: Known bad.
Malicious Activity Summary
Qakbot family
Windows security bypass
Qakbot/Qbot
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-07-04 17:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-07-04 17:28
Reported: 2025-07-04 17:31
Platform: win10v2004-20250502-en
Max time kernel: 147s
Max time network: 139s
Command Line
Signatures
Qakbot family
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Diopuqvi = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cmbfjuohgxa = "0" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\15ba75c2 = 1941eacc1f0356eb5654575abd9755cecd8637a985c016abfda5d028144d2b7ff2708f9cf53329e439a3a6d3cdd97d57b4677cded52e310a79ce71cb8df292e55e45b435a2bdf5f5cb4523d8c14ecfcdf3f7eeb1388d33f3 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\9899c2e9 = 9cb3303ac1d9e45b623497910f1ef914ebae83534841ec5857722adfd92f0857ee0a12ebabad8ecb817e7691e77cf11d09b664c7ac3892a484347bf8e811d01f4261cae4a5b2ecdd2b4f6379ec8552f3d2191f41ee8ead9ee7ffa474e566c3d8266c7905f3 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\e7d0ad1f = 6acf82194c6f69f752ccf0f2003dd0ed2d452c09e06cbb397e079f680ccdd11cb4e66f24cf9a65fa6cde5e0b87fbfaeb303a575a6d66581197d3999ddbd202010c66f48aaf4e18fed47a007173542a44758efed557ba112c84031e76262ab2861ede4fd41c753c7022aa47c1bc6f7febcca6e336d40e0e29 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\e7d0ad1f = 6acf95194c6f5cbc7da34f892a04e956287b901025f7bbc10c21cee6a99bb246398cce1143a0907abd93d2b4cec6664375da66aad3c44bbc1c3173cf66e248ae45a887275b95e7507b9aea86faa57ccf3f722da00cf025f314bec5858387fadb403971 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\d24f7d51 = 9bdd412edd324b4d0f788f05daf083dc7fc71716e4db4cb4825a1890f25255419f591805a3f1414f20562015193492376501a106b3ab62d26678548c911c3f6410d23335f703831d23f6123fbb82ff8de239193edd5cb71fadd3349eae2f035cccc913111d24f78654f94ab52b409c6f20bd9845f3a3ef7c391ea45fbb08c2346aa2048a9bd60c8913fa82cee2 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\d00e5d2d = cc4e3998587baac05f681f395baae9c379b2b95d4afb1b | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\68b23a48 = 50f252cd7bbe520ef94fe85e3a8ef999026b77236023e8ee33602ff42729ae09fccde68a49bc38f0e60e769eb30f53b8f06f7be2d514d3fd163d56c4252dd89fe68f7c132fdffdcae250618134ae22260af2f85161a4bb6e4f37a0efc877d871763a3c97 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\ad0612a7 = 528410d1d2256da8a30f5a36d7c3f0f3599229a91040032ae47cae1353fcf21801c7168ad64af8cf621b6c8e01378f2fb99d00a4e061f96b4dba352d358f5412e57f0440958e908f4846f721ce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mncikczukqwq\6af31a34 = ffb73fe1a9da085808486fe2cdc0fc44156da10ea9069d5827c6eec7f88f4d4729970917031e6cbe7c88a3e8a7544fce2139e9add3c571909325a9d8 | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vztfvjm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll\"" /SC ONCE /Z /ST 17:30 /ET 17:42
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cmbfjuohgxa" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Diopuqvi" /d "0"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5076-0-0x0000000010000000-0x0000000010119000-memory.dmp
memory/5076-1-0x0000000010077000-0x000000001007D000-memory.dmp
memory/5076-2-0x0000000010000000-0x0000000010119000-memory.dmp
memory/5076-3-0x0000000010000000-0x0000000010119000-memory.dmp
memory/4076-5-0x0000000001200000-0x0000000001221000-memory.dmp
memory/5076-6-0x0000000010000000-0x0000000010119000-memory.dmp
memory/4076-9-0x0000000001200000-0x0000000001221000-memory.dmp
memory/4076-11-0x0000000001200000-0x0000000001221000-memory.dmp
memory/4076-10-0x0000000001200000-0x0000000001221000-memory.dmp
memory/4076-13-0x0000000001200000-0x0000000001221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c6f459d6e5e2f0073bce58664d6c9ed.dll
| Hash | Value |
|---|---|
| MD5 | 1c6f459d6e5e2f0073bce58664d6c9ed |
| SHA1 | b7c23db3ee48d62a5bbb56fa71ded2bd549087aa |
| SHA256 | 41c15c115abe0077efa9e009ac4336aa57233134e14c3ad5d30d414c6e058064 |
| SHA512 | d12fce1c711035de6042ba0d5a534d758db8df70883de99a0d7de5df2180602b408475482c126e37b5f20ef2b224cfc36dce3d6f4d09ae9cab9327d1fd860cdf |
memory/4676-17-0x0000000010000000-0x0000000010119000-memory.dmp
memory/4676-18-0x0000000010000000-0x0000000010119000-memory.dmp
\??\PIPE\wkssvc
| Hash | Value |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4676-21-0x0000000010000000-0x0000000010119000-memory.dmp
memory/4760-23-0x0000000000D80000-0x0000000000DA1000-memory.dmp
memory/4760-24-0x0000000000D80000-0x0000000000DA1000-memory.dmp
memory/4760-25-0x0000000000D80000-0x0000000000DA1000-memory.dmp