4aae041842ee6cc5e35654ac47bd92f2a50871b5fa0b7cbcde3379dcc0bae439

General

Target

ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe
Size

298KB
MD5

ff79920aeb85abf9ef2a43d3c66fbbd9
SHA1

2a0d4adbb5ae613c39d805c58059cb5b36c90b58
SHA256

4aae041842ee6cc5e35654ac47bd92f2a50871b5fa0b7cbcde3379dcc0bae439
SHA512

4fff9e1d08254e24366821aca4d19019e37080753022ec48cd06e7750f544f24abb0bce5420f106610cfeaa9e022f6356ba7ed414b48f58213f271b21d8c72c8
SSDEEP

6144:/R2zP+yfL/mANMXA41RSNxknB6jMJP/uMJAgdLuRbs+AB:Qzbm4MXm9yGUAgdyRVS

Score

8^/10

aspackv2 persistence upx vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SETUP.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	SETUP.EXE

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\SETUP.EXE	aspack_v212_v242
\Windows\SysWOW64\414F04B4.tmp	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

QvodSetupPlus3.exeSETUP.EXE

pid process

2396 QvodSetupPlus3.exe
2236 SETUP.EXE
Loads dropped DLL 2 IoCs

Processes:

SETUP.EXESvchost.exe

pid process

2236 SETUP.EXE
2576 Svchost.exe

pid	process
2396	QvodSetupPlus3.exe
2236	SETUP.EXE

pid	process
2236	SETUP.EXE
2576	Svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\QvodSetupPlus3.exe	upx
behavioral1/memory/2396-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-45-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-46-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-47-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-48-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-50-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-52-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-53-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-55-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2396-58-0x0000000000400000-0x0000000000455000-memory.dmp	upx

VMProtect packed file 14 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2792-14-0x00000000028A0000-0x00000000028D4000-memory.dmp	vmprotect
C:\SETUP.EXE	vmprotect
behavioral1/memory/2236-18-0x0000000000360000-0x0000000000394000-memory.dmp	vmprotect
behavioral1/memory/2236-22-0x0000000000360000-0x0000000000394000-memory.dmp	vmprotect
behavioral1/memory/2236-21-0x0000000000360000-0x0000000000394000-memory.dmp	vmprotect
behavioral1/memory/2236-23-0x0000000000360000-0x0000000000394000-memory.dmp	vmprotect
behavioral1/memory/2236-24-0x0000000000360000-0x0000000000394000-memory.dmp	vmprotect
\Windows\SysWOW64\414F04B4.tmp	vmprotect
behavioral1/memory/2236-29-0x0000000075430000-0x0000000075490000-memory.dmp	vmprotect
behavioral1/memory/2576-37-0x0000000074F20000-0x0000000074F54000-memory.dmp	vmprotect
behavioral1/memory/2576-38-0x0000000074F20000-0x0000000074F54000-memory.dmp	vmprotect
behavioral1/memory/2576-40-0x0000000074F20000-0x0000000074F54000-memory.dmp	vmprotect
behavioral1/memory/2576-43-0x0000000074F20000-0x0000000074F54000-memory.dmp	vmprotect
behavioral1/memory/2236-42-0x0000000000360000-0x0000000000394000-memory.dmp	vmprotect

Drops file in System32 directory 4 IoCs

Processes:

SETUP.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\tapisrv.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\appmgmts.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\414F04B4.tmp	SETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SETUP.EXE

pid process

2236 SETUP.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

QvodSetupPlus3.exe

pid process

2396 QvodSetupPlus3.exe
2396 QvodSetupPlus3.exe
2396 QvodSetupPlus3.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

QvodSetupPlus3.exe

pid process

2396 QvodSetupPlus3.exe
2396 QvodSetupPlus3.exe
2396 QvodSetupPlus3.exe

pid	process
2236	SETUP.EXE

pid	process
2396	QvodSetupPlus3.exe
2396	QvodSetupPlus3.exe
2396	QvodSetupPlus3.exe

pid	process
2396	QvodSetupPlus3.exe
2396	QvodSetupPlus3.exe
2396	QvodSetupPlus3.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe

description	pid	process	target process
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2396	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 2792 wrote to memory of 2236	2792	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE

C:\Users\Admin\AppData\Local\Temp\ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\QvodSetupPlus3.exe
"C:\QvodSetupPlus3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\SETUP.EXE
"C:\SETUP.EXE"
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QvodSetupPlus3.exe
Filesize
175KB

MD5
fbaccb13d85578d7d8f01c3b09abf6e1

SHA1
a43ed3d60e1525e56c46b1bdc3652069180efc7c

SHA256
c2abe4872bd733300c76b04c3fc8974d84d21ddcea6bdc3e4473774363f488b8

SHA512
d3ecebeabcad1ca1a53341ab4764509917a82cde573c1db58d3039298d99cc0f22e805a0c73b7cac1d1a9da03b5ed18766fded1b9356242908843231d9351b83

Download Submit
C:\SETUP.EXE
Filesize
90KB

MD5
27433065053ccc774920423d55d58694

SHA1
64c594583c60170b495d5a6f68111aab275c54d5

SHA256
460c07bb418b2c224187de061333e64300215bc37ad59dfc3b61ddefc82c8bb3

SHA512
acf8353a7a56c24674ffbb4264c06ebd8d8d1f3bb92e00cd6ffdcd3ce7112558fd7d98e0d8f5038cb4107774dca3a58a338b6c952cc8bc8108f1c50568aad30b

Download Submit
C:\Users\Infortmp.txt
Filesize
980B

MD5
6e8e5fe4dd463a883a89fd978f20d710

SHA1
1636f66c2c9491447a38b4cc6b587cd1f1f207b1

SHA256
97abee70cfef26674edbc21d04be901e005396d2723dfbb4cf4aff77078ef481

SHA512
5b0d11d6ee26010818335f72fb6b0e1e25b2f0d218a4ca41ca6db353b5153713b6c9bf0d7f238bab79bd36012f7086e27162ed30a77f27fd6d0559ac1aae418a

Download Submit
\Windows\SysWOW64\414F04B4.tmp
Filesize
90KB

MD5
ed6e695d463a888627342a9e8e9d7702

SHA1
9cc5e56633d0b9b7c2168afbc78d7cf6f265e58a

SHA256
da761aebbdaf212a5e2168768bc805b4f7577733c54312cb2566b807ca4a0bec

SHA512
09420dcb848d666fb242d7f5d610c8150deef8be9533c26fdcecf491f933ac58c6751698cc85783dee071bc47c4bf34d3dbbc37034b7a198248b540dc28a9c15

Download Submit
memory/2236-29-0x0000000075430000-0x0000000075490000-memory.dmp

Filesize
384KB

Download
memory/2236-42-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2236-44-0x0000000075430000-0x0000000075490000-memory.dmp

Filesize
384KB

Download
memory/2236-18-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2236-20-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/2236-22-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2236-21-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2236-23-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2236-24-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2396-46-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-50-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-58-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-53-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-52-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-15-0x0000000003DC0000-0x0000000003FC4000-memory.dmp

Filesize
2.0MB

Download
memory/2396-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-48-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-45-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-13-0x0000000000240000-0x0000000000295000-memory.dmp

Filesize
340KB

Download
memory/2396-47-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2576-43-0x0000000074F20000-0x0000000074F54000-memory.dmp

Filesize
208KB

Download
memory/2576-40-0x0000000074F20000-0x0000000074F54000-memory.dmp

Filesize
208KB

Download
memory/2576-38-0x0000000074F20000-0x0000000074F54000-memory.dmp

Filesize
208KB

Download
memory/2576-37-0x0000000074F20000-0x0000000074F54000-memory.dmp

Filesize
208KB

Download
memory/2792-14-0x00000000028A0000-0x00000000028D4000-memory.dmp

Filesize
208KB

Download
memory/2792-10-0x00000000028A0000-0x00000000028F5000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads