4aae041842ee6cc5e35654ac47bd92f2a50871b5fa0b7cbcde3379dcc0bae439

General

Target

ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe
Size

298KB
MD5

ff79920aeb85abf9ef2a43d3c66fbbd9
SHA1

2a0d4adbb5ae613c39d805c58059cb5b36c90b58
SHA256

4aae041842ee6cc5e35654ac47bd92f2a50871b5fa0b7cbcde3379dcc0bae439
SHA512

4fff9e1d08254e24366821aca4d19019e37080753022ec48cd06e7750f544f24abb0bce5420f106610cfeaa9e022f6356ba7ed414b48f58213f271b21d8c72c8
SSDEEP

6144:/R2zP+yfL/mANMXA41RSNxknB6jMJP/uMJAgdLuRbs+AB:Qzbm4MXm9yGUAgdyRVS

Score

8^/10

aspackv2 persistence upx vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SETUP.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	SETUP.EXE

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\SETUP.EXE	aspack_v212_v242
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

QvodSetupPlus3.exeSETUP.EXE

pid process

3704 QvodSetupPlus3.exe
3180 SETUP.EXE
Loads dropped DLL 1 IoCs

Processes:

Svchost.exe

pid process

2740 Svchost.exe

pid	process
3704	QvodSetupPlus3.exe
3180	SETUP.EXE

pid	process
2740	Svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\QvodSetupPlus3.exe	upx
behavioral2/memory/3704-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-35-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-48-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-50-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-52-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-53-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-55-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-57-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-58-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3704-60-0x0000000000400000-0x0000000000455000-memory.dmp	upx

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\SETUP.EXE	vmprotect
behavioral2/memory/3180-22-0x0000000000170000-0x00000000001A4000-memory.dmp	vmprotect
behavioral2/memory/3180-24-0x0000000000170000-0x00000000001A4000-memory.dmp	vmprotect
behavioral2/memory/3180-23-0x0000000000170000-0x00000000001A4000-memory.dmp	vmprotect
behavioral2/memory/3180-25-0x0000000000170000-0x00000000001A4000-memory.dmp	vmprotect
behavioral2/memory/3180-36-0x0000000000170000-0x00000000001A4000-memory.dmp	vmprotect
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	vmprotect
behavioral2/memory/2740-41-0x0000000075220000-0x0000000075254000-memory.dmp	vmprotect
behavioral2/memory/2740-43-0x0000000075220000-0x0000000075254000-memory.dmp	vmprotect
behavioral2/memory/2740-42-0x0000000075220000-0x0000000075254000-memory.dmp	vmprotect
behavioral2/memory/2740-45-0x0000000075220000-0x0000000075254000-memory.dmp	vmprotect

Drops file in System32 directory 6 IoCs

Processes:

SETUP.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\tapisrv.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\qmgr.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\appmgmts.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\5CEB0DDC.tmp	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\netman.dll	SETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SETUP.EXE

pid process

3180 SETUP.EXE
3180 SETUP.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

QvodSetupPlus3.exe

pid process

3704 QvodSetupPlus3.exe
3704 QvodSetupPlus3.exe
3704 QvodSetupPlus3.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

QvodSetupPlus3.exe

pid process

3704 QvodSetupPlus3.exe
3704 QvodSetupPlus3.exe
3704 QvodSetupPlus3.exe

pid	process
3180	SETUP.EXE
3180	SETUP.EXE

pid	process
3704	QvodSetupPlus3.exe
3704	QvodSetupPlus3.exe
3704	QvodSetupPlus3.exe

pid	process
3704	QvodSetupPlus3.exe
3704	QvodSetupPlus3.exe
3704	QvodSetupPlus3.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe

description	pid	process	target process
PID 4780 wrote to memory of 3704	4780	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 4780 wrote to memory of 3704	4780	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 4780 wrote to memory of 3704	4780	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	QvodSetupPlus3.exe
PID 4780 wrote to memory of 3180	4780	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 4780 wrote to memory of 3180	4780	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE
PID 4780 wrote to memory of 3180	4780	ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe	SETUP.EXE

C:\Users\Admin\AppData\Local\Temp\ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff79920aeb85abf9ef2a43d3c66fbbd9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4780

C:\QvodSetupPlus3.exe
"C:\QvodSetupPlus3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3704

C:\SETUP.EXE
"C:\SETUP.EXE"
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4324

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QvodSetupPlus3.exe
Filesize
175KB

MD5
fbaccb13d85578d7d8f01c3b09abf6e1

SHA1
a43ed3d60e1525e56c46b1bdc3652069180efc7c

SHA256
c2abe4872bd733300c76b04c3fc8974d84d21ddcea6bdc3e4473774363f488b8

SHA512
d3ecebeabcad1ca1a53341ab4764509917a82cde573c1db58d3039298d99cc0f22e805a0c73b7cac1d1a9da03b5ed18766fded1b9356242908843231d9351b83

Download Submit
C:\SETUP.EXE
Filesize
90KB

MD5
27433065053ccc774920423d55d58694

SHA1
64c594583c60170b495d5a6f68111aab275c54d5

SHA256
460c07bb418b2c224187de061333e64300215bc37ad59dfc3b61ddefc82c8bb3

SHA512
acf8353a7a56c24674ffbb4264c06ebd8d8d1f3bb92e00cd6ffdcd3ce7112558fd7d98e0d8f5038cb4107774dca3a58a338b6c952cc8bc8108f1c50568aad30b

Download Submit
C:\Users\Infortmp.txt
Filesize
980B

MD5
3fe98ad658f4a74a3566379cd00cce19

SHA1
9745634e3bb3de689c5d6440c60325846d4e1fab

SHA256
97824101b6b3fd949a01aef6edb354bb67659db6ffe6d0ccd6695bf9d6538818

SHA512
3dcf5110d2925a38e9987ac923fbf90abf8c35ba4cebc0e95d32b811bc3095124e3b33f7f3e93300b4121a726ac0a4088282b4e30723cade0657dd95e1e7c1cc

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
Filesize
90KB

MD5
ed6e695d463a888627342a9e8e9d7702

SHA1
9cc5e56633d0b9b7c2168afbc78d7cf6f265e58a

SHA256
da761aebbdaf212a5e2168768bc805b4f7577733c54312cb2566b807ca4a0bec

SHA512
09420dcb848d666fb242d7f5d610c8150deef8be9533c26fdcecf491f933ac58c6751698cc85783dee071bc47c4bf34d3dbbc37034b7a198248b540dc28a9c15

Download Submit
memory/2740-45-0x0000000075220000-0x0000000075254000-memory.dmp

Filesize
208KB

Download
memory/2740-42-0x0000000075220000-0x0000000075254000-memory.dmp

Filesize
208KB

Download
memory/2740-43-0x0000000075220000-0x0000000075254000-memory.dmp

Filesize
208KB

Download
memory/2740-41-0x0000000075220000-0x0000000075254000-memory.dmp

Filesize
208KB

Download
memory/3180-29-0x0000000077CE2000-0x0000000077CE3000-memory.dmp

Filesize
4KB

Download
memory/3180-22-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/3180-32-0x0000000076070000-0x0000000076095000-memory.dmp

Filesize
148KB

Download
memory/3180-47-0x0000000076070000-0x0000000076095000-memory.dmp

Filesize
148KB

Download
memory/3180-36-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/3180-30-0x0000000077CE2000-0x0000000077CE3000-memory.dmp

Filesize
4KB

Download
memory/3180-25-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/3180-23-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/3180-24-0x0000000000170000-0x00000000001A4000-memory.dmp

Filesize
208KB

Download
memory/3180-31-0x0000000077CE3000-0x0000000077CE4000-memory.dmp

Filesize
4KB

Download
memory/3704-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-35-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-48-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-50-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-52-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-53-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-57-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-58-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3704-60-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads