31768bf721a2b5ec5292b793a610b8461e954326d3a9671d8118aad83e1e233c

General

Target

330960c1f80b677909224705496a4f45_JaffaCakes118.exe
Size

398KB
MD5

330960c1f80b677909224705496a4f45
SHA1

49f430d851cf8d498544743458eb77c5475a4f0d
SHA256

31768bf721a2b5ec5292b793a610b8461e954326d3a9671d8118aad83e1e233c
SHA512

8e00f93c367a453ba4a35fe23ad9497311c91887bebcc7863ec34d39223591a6e613d1e857323207ae9afd7459fc102b09076bafa5ca40f14c9758b229547d54
SSDEEP

6144:ossLUguFTPiPbQvwd64Mi3mZSwweCU+gKOCx6EhaZEtYLLbewAekW3C:o1LRuFu2UMSmZker+gKJx0ZKY6w

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\msqmx.sys	g3.exe
File created	C:\Windows\SysWOW64\drivers\msqmx.sys	g3.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Hardware\Parameters\ServiceDll = "C:\\Windows\\system32\\ddboy.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\msqmx\ImagePath = "system32\\drivers\\msqmx.sys"	g3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	330960c1f80b677909224705496a4f45_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4392	rundll2000.exe
4796	rundll2000.exe
3216	RUNDLL2000.EXE
960	f2.exe
1720	g3.exe
2176	update.exe

Loads dropped DLL 4 IoCs

pid	Process
4392	rundll2000.exe
4796	rundll2000.exe
3216	RUNDLL2000.EXE
3156	rundll32.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\advport.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rundll2000.exe	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ocmor.dll	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\advport.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ddboy.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ddboy.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\ocmor.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\fgcxt.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Score.txt	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\wbem\fgcxt.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\WBEM\ocmor.dll	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\rundll2000.exe	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ocmor.dll	330960c1f80b677909224705496a4f45_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\f2.exe	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File created	C:\Windows\g3.exe	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
File created	C:\Windows\update.exe	330960c1f80b677909224705496a4f45_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "http://www.3839.com/index.html"	330960c1f80b677909224705496a4f45_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	g3.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.kzdh.com/"	g3.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	RUNDLL2000.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	RUNDLL2000.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	RUNDLL2000.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 4392	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	81
PID 1600 wrote to memory of 4392	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	81
PID 1600 wrote to memory of 4392	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	81
PID 1600 wrote to memory of 4796	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	86
PID 1600 wrote to memory of 4796	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	86
PID 1600 wrote to memory of 4796	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	86
PID 1600 wrote to memory of 3156	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	88
PID 1600 wrote to memory of 3156	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	88
PID 1600 wrote to memory of 3156	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	88
PID 1600 wrote to memory of 960	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	89
PID 1600 wrote to memory of 960	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	89
PID 1600 wrote to memory of 960	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	89
PID 1600 wrote to memory of 1720	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	90
PID 1600 wrote to memory of 1720	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	90
PID 1600 wrote to memory of 1720	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	90
PID 1600 wrote to memory of 2176	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	91
PID 1600 wrote to memory of 2176	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	91
PID 1600 wrote to memory of 2176	1600	330960c1f80b677909224705496a4f45_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\330960c1f80b677909224705496a4f45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\330960c1f80b677909224705496a4f45_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\rundll2000.exe
  "C:\Windows\system32\rundll2000.exe" "C:\Windows\system32\wbem\fgcxt.dll",Export @install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4392
- C:\Windows\SysWOW64\rundll2000.exe
  "C:\Windows\system32\rundll2000.exe" "C:\Windows\system32\wbem\fgcxt.dll",Export @start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4796
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ddboy.dll",ExportFunc 1001
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  PID:3156
- C:\Windows\f2.exe
  "C:\Windows\f2.exe"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\g3.exe
  "C:\Windows\g3.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1720
- C:\Windows\update.exe
  "C:\Windows\update.exe"
  2⤵
  - Executes dropped EXE
  PID:2176

C:\WINDOWS\SysWOW64\RUNDLL2000.EXE
C:\WINDOWS\SysWOW64\RUNDLL2000.EXE C:\WINDOWS\SYSTEM32\WBEM\FGCXT.DLL,Export 1087
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\WBEM\ocmor.dll

Filesize
6KB

MD5
2c9c3948edbbdb7015054eda23d1cca0

SHA1
14a6aa1d75dfdfc2fd213545f150c034b0f7286f

SHA256
b75790e97df65e074970d9347148d60860328b91c6e0be08deacdc204b076fea

SHA512
75c70cb432107b43e20f6df8dc9484deb60d0a4dd2bf7182686a56bc533aaf44862015f40a62d867224502a5a505611b4d90b5638cf86721fcca378098fa9e9b

Download Submit
C:\Windows\SysWOW64\ddboy.dll

Filesize
238KB

MD5
9c3970c3267ae3d661d2738d15783453

SHA1
d462ec4294b462982a676cd4711f3b3199ef315b

SHA256
a8dc38b506e0a5fe7f8a324659edbd65c586111732fe379333a617162dd60a8d

SHA512
d7b72bf08c91302ed0ba44068f9f6cada495b4e7a38b802162c65174ecfde38d9144e81fd133ce70520e5db06b845bc9283f7eb98f66901cdb5f341c52cadd82

Download Submit
C:\Windows\SysWOW64\rundll2000.exe

Filesize
10KB

MD5
4936a6954ed59700a3c706f9094685ee

SHA1
124edd171bfc8a5c7f5fcf2147f6ff43b705bb79

SHA256
e598bcf79618ab6ab58b29b7a7f3e5fc01ce6c7dbefcaa308565d3d9168249fe

SHA512
1ef09ed6a9b22d761981e759fa2089e9c461fda4a46cba66431817bc7b75451d4639e63cd3872a71c3bf123831983590075fc924424833adf0ef491056de32ea

Download Submit
C:\Windows\SysWOW64\wbem\fgcxt.dll

Filesize
240KB

MD5
abbe23918f44967e57e44c5cc2ea1baa

SHA1
b83c3427b8d5061177e54153586d6b9730947e85

SHA256
59eb96cd179faebd6a7ae576d66b701f41e7f726db94e20f8bf76603be4ec28a

SHA512
b174d0fb6c097d7b25b128ede5c7c49af92cb30441db6aa3ea1c04d0a718ca2d130c8dfba5068a2ba58092e7915fe819761be4536c332e8afde80333a83fde27

Download Submit
C:\Windows\f2.exe

Filesize
64KB

MD5
1d07f65b736701e027d1822b2b37f8e2

SHA1
1bd7fc6fbbac67f4747c468db585669f947aaf20

SHA256
1e52fc324af675c4cdf42af8e01ea50b6afb5c064ec5f61386a617c2a1d2b91f

SHA512
501410b8fae55a54900104ce3b1e8a3a2d3668e31043708259f1617ed00d3bc58c0841097429ff8ed6caf5f5448dfd8b650ceb726df9fff7dc014dda72064cb0

Download Submit
C:\Windows\g3.exe

Filesize
76KB

MD5
08f3b0ba718aaf3ea2bec4b70472a7f1

SHA1
27202d46630a1b006f8f14de64beb7a8efc9ae6e

SHA256
313c8feed49b6a7600986fda3e9641e8ef85d027b25648a1b15be9d74cb55a43

SHA512
2772b9d7aa945daabc8e1681562789fe3ac7c388c0bc34f649be8e4f368fc54aa7e506bd50db9dd28acf3ebf352ac7d82c3fd4439c8ac29a11f9f73e0d622ac9

Download Submit
C:\Windows\update.exe

Filesize
144KB

MD5
5a954ea67eff2254ed20d2592be7ae22

SHA1
59d07e9e928d319b910774f60448693e4e89530b

SHA256
b8d15f19291773c61262666424b18eb5dfbdb0b795b2dd09539da88b48a05b43

SHA512
f91e1ec4b97fc37222134db92477ee986ff5226e2ee06dbc7436c4c201f440118b95c5781ebb73e1e86ac991945e0c7ba7f99abeb15048ddd205b29f441e6c2a

Download Submit
memory/1600-26-0x0000000000400000-0x0000000000463A40-memory.dmp

Filesize
398KB

Download
memory/1600-56-0x0000000000400000-0x0000000000463A40-memory.dmp

Filesize
398KB

Download
memory/4392-9-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/4392-12-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/4796-21-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads