General

  • Target

    69b94350338b13014b0f6c4f51f70b6f_JaffaCakes118

  • Size

    2.4MB

  • Sample

    240523-e311xsdh65

  • MD5

    69b94350338b13014b0f6c4f51f70b6f

  • SHA1

    9590d21cb92ff8f4eaa4977dfa7d805d15421835

  • SHA256

    23d18b987ed4162ab5fc624da3416a637b0f4c7451ccb4224be449e27b316c71

  • SHA512

    71f80445403709e88e73a05f6981ec0ded669baa0059e0590023e7ef163de8d8218c7d5453c5f6c10e0d7dab1081f3b86bc939df5c1a5ad578d6990230732dc3

  • SSDEEP

    49152:nSRWYWPag7CEInZDeB4ZrsRX9DrscltmiyRcVTz33k9zNglsYQP:nSRWYWPVmy7RtrscltksTzkElgP

Malware Config

Targets

    • Target

      69b94350338b13014b0f6c4f51f70b6f_JaffaCakes118

    • Size

      2.4MB

    • MD5

      69b94350338b13014b0f6c4f51f70b6f

    • SHA1

      9590d21cb92ff8f4eaa4977dfa7d805d15421835

    • SHA256

      23d18b987ed4162ab5fc624da3416a637b0f4c7451ccb4224be449e27b316c71

    • SHA512

      71f80445403709e88e73a05f6981ec0ded669baa0059e0590023e7ef163de8d8218c7d5453c5f6c10e0d7dab1081f3b86bc939df5c1a5ad578d6990230732dc3

    • SSDEEP

      49152:nSRWYWPag7CEInZDeB4ZrsRX9DrscltmiyRcVTz33k9zNglsYQP:nSRWYWPVmy7RtrscltksTzkElgP

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      $1/QipInstallerStuff.exe

    • Size

      158KB

    • MD5

      93097a86a7cbc02dc080fc1871ef7367

    • SHA1

      21eee8f427f268e52500eb8ddb0748b514dec2af

    • SHA256

      d2f17d052819082b55cc2a54947f9acd6756c0ef0427182fdc65b049cdd7bdbe

    • SHA512

      2b96822c8a14dbcf2582c4ac0e0b87f7d769afd37730808baf2e74c96d18786794ffe3ecc13ff73d0c3f805609c886de5bd8d1e5ed7625f1d6dd104dc632c3ce

    • SSDEEP

      3072:+ffDHDYydKV4fUymvQ3Ag0Fugg3cIGTgGTCGzpGLpGppVHks9k2:+zHcydKVhC3AOpcICg+C6pepspG8L

    • Score

      1/10

    • Target

      $3/$APPDATA/QIPApp/uninstaller.exe

    • Size

      40KB

    • MD5

      833317595f14b577825dcbd67b865dfc

    • SHA1

      6e06fd1f73d71826b8f609cd04293762a60f0bea

    • SHA256

      1426647a213839e3b09778dabb8879eb2ff8881634b82a78c85017ff88d90e11

    • SHA512

      7289335c3332174e7a876f7bbc86f00e98bef044d96c70214ec08e38afb855935195762952bc67d579fc6c3e59546d4319d971a148e24dd67351a1a6ddceaa2c

    • SSDEEP

      768:UJKOdm9o29rJYypQJ2JQJXJuKU+duC1ZHQ0D3LHSGiVNuoJRn1Ut:kTdm9B9lYypfMXvugHQ0DbLiNuYI

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      4KB

    • MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

    • SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

    • SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    • SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    • SSDEEP

      48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj

    • Score

      3/10

    • Target

      $3/QIPApp.exe

    • Size

      329KB

    • MD5

      590e4a65a861ddaa20c091c256ee15a8

    • SHA1

      a9737174dfd1ae37399cdcae587f1bf63a7005a7

    • SHA256

      9f061df6a2cb2f488ecd844344e6ef5f4a7d2aec65368dd1871388babb38e906

    • SHA512

      ea2ef57c7d951e0d5d6e0e59002638823cae0614b16c7dff6ef25044ca643170277e28a3a1f7993e5e5785028c14b77bc02013733d969e12e1dfb29bb699d79d

    • SSDEEP

      6144:v/oJ3wyKrRVMPX+0Qq9q9q9q9rP4PxPCPUP4P4P4PQCZy94:vwJ3CNIm

    • Score

      1/10

    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      4KB

    • MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

    • SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

    • SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    • SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    • SSDEEP

      48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj

    • Score

      3/10

    • Target

      $R1/Plugins/docking.dll

    • Size

      60KB

    • MD5

      bf49f5ac4bcda179d3e2af86dd92ae7d

    • SHA1

      715ad84d9eaf7ef52bcf97d5477d3cdcd4f07965

    • SHA256

      cff686ad048c9d7db12113f2fcb0947ba03c0186cb6daefc1bdca9e2ea395e7f

    • SHA512

      d5f9c60272dfea4609f9cc3e00aea4b36c1df716af015b58e2b1f5124039fccd9b879dce8abca0954b4b86c8ed748ac698e9837faf7c1d621b1fbfe2f23e2da8

    • SSDEEP

      768:0O1uVg17CZCojegVKLxAwbITiXjugNgvLiws8U4n1p0L2D0DfOxCU:Nmm+ZCeVKLxfGiTu8gvLiwjU4kbDfOd

    • Score

      1/10

    • Target

      $R1/qip 8.0.exe

    • Size

      3.2MB

    • MD5

      e0fb51ae556cb2c8d88a326705b2b602

    • SHA1

      30031d0ea12cf5aa34f2222fdc4be3a3a6205b7b

    • SHA256

      66a20bffe2e1e2fcbfddc8ee3a90418da636b833cbb7a075c743a18d54914437

    • SHA512

      59a9488ce451351c9ac407f67364b07a8992b4b9e9e6a97f1dcd4f0933d1693ad574fcb56192b4776c92de021c1d0dfd83e9d5c969eb1d6208a2b0ad4ea7a346

    • SSDEEP

      49152:KjjfdlGBAJIAAw0HAcQzTndgmZ1NGBbBIKgmAvlhhciTnLHwf2foam+:KPffGCJIAAPHAcQfRZ1NGRIhhgft+

    • Score

      1/10

    • Target

      $R1/unins000.exe

    • Size

      705KB

    • MD5

      26ee6f06a21fbdf0de18cebd85853bbd

    • SHA1

      e64a373a4c928e3f84174f9d75a286e038d259ff

    • SHA256

      b916906a58e78b9b6c1a4672c12740549a81f57bc1b6bfe8ccef320013eaaa6e

    • SHA512

      599ec361109b861d5cf8e87e20161d050e5a69c5e31bef2ed01d1a6ad441fd69eb21df8ee433a9e07889abe1ffdbb41a8f48182e0ea51c16711c91d679859522

    • SSDEEP

      12288:MuA/arACiIrPe37lzH6A64EGYHuXsr5aER+gjrNAFR9FXsvy8duXEx9ZT:MN/arRiIrPe37lzH6A604cs1aEcdFXGJ

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

    • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

    • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

    • Modify Registry (T1112): 2

Discovery

    • Query Registry (T1012): 2

    • System Information Discovery (T1082): 4

Tasks