Malware Analysis Report

2024-08-06 17:39

Sample ID 240523-cgx12aaa34
Target 6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118
SHA256 e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a
Tags
xpertrat kaffyvirus evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a

Threat Level: Known bad

The file 6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xpertrat kaffyvirus evasion persistence rat trojan

UAC bypass

Windows security bypass

XpertRAT

XpertRAT Core payload

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Windows security modification

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-23 02:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 02:03

Reported

2024-05-23 02:06

Platform

win7-20240508-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337 = "C:\\Users\\Admin\\AppData\\Roaming\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\frm_Roldan = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\frm_QANATS.vbs\"" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337 = "C:\\Users\\Admin\\AppData\\Roaming\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337 = "C:\\Users\\Admin\\AppData\\Roaming\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 836 set thread context of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 2988 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 set thread context of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2904 set thread context of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 836 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 2116 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2116 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2116 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2116 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2988 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2988 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2988 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2988 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2660 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

Network

Country Destination Domain Proto
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp

Files

memory/836-3-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/836-5-0x0000000002A40000-0x0000000002B40000-memory.dmp

memory/836-7-0x0000000077201000-0x0000000077302000-memory.dmp

memory/836-6-0x00000000773F0000-0x00000000774C6000-memory.dmp

memory/836-8-0x0000000077200000-0x00000000773A9000-memory.dmp

C:\Windows\win.ini

MD5 d2a2412bddba16d60ec63bd9550d933f
SHA1 deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA256 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
SHA512 8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

memory/2116-16-0x0000000077200000-0x00000000773A9000-memory.dmp

\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

MD5 72b518574405809b54d8e2d3a4283d50
SHA1 9429216ebd67da45ac4b9dbc24e5c47a24425e26
SHA256 4fde57eb8070711e8e30fe34ab1a1bf785f40a38d2fcb6468c2266f9b6e4cd2e
SHA512 a4def1b82fb9d93cadc35c6ffbb65660372962b3a66c1df9ca392055a30beec6cbe2a3f80006b32570efab0b865803e83138cecc3e23679f7946bdcce5bdccff

memory/2904-39-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2520-44-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2904-51-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 02:03

Reported

2024-05-23 02:06

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337 = "C:\\Users\\Admin\\AppData\\Roaming\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frm_Roldan = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\frm_QANATS.vbs\"" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337 = "C:\\Users\\Admin\\AppData\\Roaming\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337 = "C:\\Users\\Admin\\AppData\\Roaming\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337\\B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3712 set thread context of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 928 set thread context of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4432 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 4432 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 4432 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe
PID 4280 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 4280 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 4280 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2900 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2900 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 2900 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 3712 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 928 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
LV 84.38.134.115:1234 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
LV 84.38.134.115:1234 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
LV 84.38.134.115:1234 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
LV 84.38.134.115:1234 tcp
LV 84.38.134.115:1234 tcp

Files

memory/4432-3-0x0000000000700000-0x0000000000800000-memory.dmp

memory/4432-5-0x0000000002D40000-0x0000000002E40000-memory.dmp

memory/4432-6-0x0000000077A61000-0x0000000077B81000-memory.dmp

C:\Windows\win.ini

MD5 6bf517432f65eb7f0d18d574bf14124c
SHA1 5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA256 6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA512 7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

memory/4280-14-0x0000000000560000-0x0000000000660000-memory.dmp

memory/4280-15-0x0000000002D20000-0x0000000002E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe

MD5 72b518574405809b54d8e2d3a4283d50
SHA1 9429216ebd67da45ac4b9dbc24e5c47a24425e26
SHA256 4fde57eb8070711e8e30fe34ab1a1bf785f40a38d2fcb6468c2266f9b6e4cd2e
SHA512 a4def1b82fb9d93cadc35c6ffbb65660372962b3a66c1df9ca392055a30beec6cbe2a3f80006b32570efab0b865803e83138cecc3e23679f7946bdcce5bdccff

memory/928-37-0x0000000000400000-0x000000000042C000-memory.dmp

memory/928-39-0x0000000000400000-0x000000000042C000-memory.dmp

memory/5044-42-0x0000000000400000-0x0000000000443000-memory.dmp

memory/928-49-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4432-51-0x0000000077A61000-0x0000000077B81000-memory.dmp