aeefdd9253151905bc051e071d29cbca18c5ed4531c949b6c12698f051894303

General

Target

03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
Size

256KB
MD5

03bacf112cb9cbabc9a5d807aaebcf8e
SHA1

4d812070e43a4312636b7f39f87e1b6a0fc299c3
SHA256

aeefdd9253151905bc051e071d29cbca18c5ed4531c949b6c12698f051894303
SHA512

dbc1e5848ab80d1d9f24d1bf180e0793ff0bf9649f84e4e30d29020fc1bfaf6200040107ea4e1441b9e8cec16662d3ac5e39ced235b13e450f987b6129f6a814
SSDEEP

6144:GZ86/lKv0HDYrkJd2y2PIGpB0ljmHfasED19+mVRUX1q2o:lyF2wqojm3ED1noq2o

Score

8^/10

evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zhqbs080412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zhqb_df = "rundll32.exe C:\\Windows\\system\\zhqbdf080412.dll zhqb16"	zhqbs080412.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
968	attrib.exe
4152	attrib.exe
4032	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	rundll32.exe

Deletes itself 1 IoCs

pid	Process
5040	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	zhqbs080412.exe

Loads dropped DLL 2 IoCs

pid	Process
5040	rundll32.exe
5040	rundll32.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\zhqbdf080412.dll	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
File opened for modification	C:\Windows\system\zhqbs080412.exe	attrib.exe
File created	C:\Windows\system\zhqbs080412.exe	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
File created	C:\Windows\system\zhqbdf080412.dll	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
File opened for modification	C:\Windows\system\zhqb32.dll	zhqbs080412.exe
File created	C:\Windows\system\zhqb32.dll	zhqbs080412.exe
File opened for modification	C:\Windows\system\zhqb32.dll	attrib.exe
File opened for modification	C:\Windows\system\zhqbs080412.exe	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
File opened for modification	C:\Windows\system\zhqbdf080412.dll	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zhqbs080412.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{455086DF-2ED0-11EF-BCA5-EABD73F69B33} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425027631"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe
1220	zhqbs080412.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
Token: SeDebugPrivilege	1220	zhqbs080412.exe
Token: SeDebugPrivilege	1220	zhqbs080412.exe
Token: SeDebugPrivilege	1220	zhqbs080412.exe
Token: SeDebugPrivilege	1220	zhqbs080412.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2184	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2184	iexplore.exe
2184	iexplore.exe
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4032	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	85
PID 640 wrote to memory of 4032	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	85
PID 640 wrote to memory of 4032	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	85
PID 640 wrote to memory of 968	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	87
PID 640 wrote to memory of 968	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	87
PID 640 wrote to memory of 968	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	87
PID 640 wrote to memory of 5040	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	88
PID 640 wrote to memory of 5040	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	88
PID 640 wrote to memory of 5040	640	03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe	88
PID 5040 wrote to memory of 4964	5040	rundll32.exe	90
PID 5040 wrote to memory of 4964	5040	rundll32.exe	90
PID 5040 wrote to memory of 4964	5040	rundll32.exe	90
PID 4964 wrote to memory of 1220	4964	cmd.exe	92
PID 4964 wrote to memory of 1220	4964	cmd.exe	92
PID 4964 wrote to memory of 1220	4964	cmd.exe	92
PID 1220 wrote to memory of 4152	1220	zhqbs080412.exe	93
PID 1220 wrote to memory of 4152	1220	zhqbs080412.exe	93
PID 1220 wrote to memory of 4152	1220	zhqbs080412.exe	93
PID 1220 wrote to memory of 2184	1220	zhqbs080412.exe	95
PID 1220 wrote to memory of 2184	1220	zhqbs080412.exe	95
PID 2184 wrote to memory of 4820	2184	iexplore.exe	96
PID 2184 wrote to memory of 4820	2184	iexplore.exe	96
PID 2184 wrote to memory of 4820	2184	iexplore.exe	96
PID 1220 wrote to memory of 2184	1220	zhqbs080412.exe	95

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4032	attrib.exe
968	attrib.exe
4152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03bacf112cb9cbabc9a5d807aaebcf8e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system\zhqbs080412.exe"
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:4032
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system\zhqbdf080412.dll"
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system\zhqbdf080412.dll zhqb16
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\zhqbdf.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system\zhqbs080412.exe
      "C:\Windows\system\zhqbs080412.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system\zhqb32.dll"
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:4152
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\zhqbdf16.ini

Filesize
159B

MD5
62d8cb9c034940513cf59a57ec47c11d

SHA1
e5567adaae89c0ed156d7888fa024147b8c5ec62

SHA256
c2fc3185334832ab5a383c6f708993111aa8d0cdd544c9bd220c9e54a1e5352f

SHA512
857177953c70141b1861c4812bbe581bdf86ed8097ac784ef5c51e32d4770f11f12082b156d5fd7dece61532f30c8d1d7743062382a7740d58cd8ec9ca9ddb62

Download Submit
C:\Documents and Settings\All Users\zhqbdf16.ini

Filesize
258B

MD5
ea055648a8f9c52875ab4a826ac9bd5b

SHA1
36d75006866af3f2d93f57929a8fd3ab10320222

SHA256
7e0f280c584271050136119eba7c3f7d416b34e137ad076aae1030fb7c507783

SHA512
f82fad6cb9b8d7844feb69a5f2870c5984b8cd3e26d63871931c23b46380a7166a9aea26d7b0993eb76b52d22bad05a83a43580c1a9e1b21f91b510eca3fb9de

Download Submit
C:\Documents and Settings\All Users\zhqbdf16.ini

Filesize
211B

MD5
3826705efa74409b171d563f42be7630

SHA1
3ac4960754381f3b7872dc1d1463efd5fe599293

SHA256
19bdd94a810772ec235be22ecf4bc17f4799d62eead6d7fa3766c07db3a5363c

SHA512
04a6bb49179c4d89be5f2c05e25735e727b806b849b28e8630e9dd129308a25c96dd584889ee278bdb663ef4ea817d7afc32071d9c501e6268a50ebcfa8bfd57

Download Submit
C:\ProgramData\zhqbdf16.ini

Filesize
96B

MD5
1a8a2ab4b194ef3ebb42c5cd6ed3ebe0

SHA1
cbf68209d7970677ac4c6e81c997bc57db710576

SHA256
204509340bf1f9b27a6d65f338a5238b0eafd7a71400d132111e349dfd6a2b9a

SHA512
52ec00a67d657706b888f85383410219a41b342649b5d078a18885500e818ac638359b76281810fcc0b9c10fe13aa5b5f2689374e3f6a6c6b1d925da160f4bec

Download Submit
C:\Windows\system\zhqb32.dll

Filesize
499KB

MD5
0f0f8dac85b407c7ad674b2f01089179

SHA1
d4e9bd469f16dd97118f3d948cd1f18e9fc6f05a

SHA256
568396cbadf3dea36cd050105232adda38627a20d25424f4784c39603d9bff1d

SHA512
a5aa737b014cad8aa77b75f7fe4cc75ae7a6bd081292da6d6bf88c9489ca71da705ee374f77647fc768618ba5e494e257124a839d559ca2e3113d00fe064da91

Download Submit
C:\Windows\system\zhqbdf080412.dll

Filesize
94KB

MD5
8802eae85499e8ac70db79e3a3b72e6e

SHA1
32ec518a7a856fa944f6c81fe258cbb349c85e36

SHA256
3b7ae0fbf40074e6630a9dd4367ea644386f15da242ace0c319ba2ed96e002b0

SHA512
474ccb8112142bbae35a89f6c2a5d10e0c624effe42c5e1d3b75389bbea95387b14498abdec109f15fdbd6e85958d8e5d1f1f753c9795b7936b943f76cc4e8a2

Download Submit
C:\Windows\system\zhqbs080412.exe

Filesize
256KB

MD5
03bacf112cb9cbabc9a5d807aaebcf8e

SHA1
4d812070e43a4312636b7f39f87e1b6a0fc299c3

SHA256
aeefdd9253151905bc051e071d29cbca18c5ed4531c949b6c12698f051894303

SHA512
dbc1e5848ab80d1d9f24d1bf180e0793ff0bf9649f84e4e30d29020fc1bfaf6200040107ea4e1441b9e8cec16662d3ac5e39ced235b13e450f987b6129f6a814

Download Submit
\??\c:\zhqbdf.bat

Filesize
47B

MD5
54348cb450f3ec5405808f92eb1936b3

SHA1
323bd7c51769fea7ce201bdf0945ff6700caf291

SHA256
c3acdba09ad877e99a7170c4dd0fc8dbe21da5d288ff1b99d79ce63a4ba4ae68

SHA512
3e96f60541a19262792a623f8e99621d2623b463b5041046c5f49174ee4fa257a5c8aa6390e5c9ce6b71a01c1bbf1707bbd887d1a55ac2bfe6491399d72f78bb

Download Submit
memory/5040-19-0x00000000012A0000-0x00000000012BD000-memory.dmp

Filesize
116KB

Download
memory/5040-41-0x00000000012A0000-0x00000000012BD000-memory.dmp

Filesize
116KB

Download
memory/5040-45-0x00000000012A0000-0x00000000012BD000-memory.dmp

Filesize
116KB

Download
memory/5040-46-0x00000000012A0000-0x00000000012BD000-memory.dmp

Filesize
116KB

Download
memory/5040-52-0x00000000012A0000-0x00000000012BD000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads