ac9c49345037928dbff133e3fffc52f4a6a090f7d4e02825549ed6df621ad074

General

Target

3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Size

60KB
MD5

3a5fcb6c6500140fd2be9b603a5b25bf
SHA1

fd905798f5e0f4d9c3dcb74e7d595d93c4e21ddf
SHA256

ac9c49345037928dbff133e3fffc52f4a6a090f7d4e02825549ed6df621ad074
SHA512

21d0ccbc4080c0536d8f7b7f469f5181b6699cd4c19bcbb6f471ff1c034a17b8be345e28bd457959dae9928736a17e536124762b708b7df2e1f45616031b7200
SSDEEP

768:VWu3YUFlLUyNuDcg4yHCN+e/KYIEnIOX4fQGW8B0eaVAy+0ZEqhlNC+NPKwV9O+B:FldNuDXHC1iZExj8BLy/ZDhlw+sYQ+B

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	QILTY4ZEGIYZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3248	RZ0AKDVU.exe
5108	KPH562B.com
5096	KPH562B.com
1760	QILTY4ZEGIYZ.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RZ0AKDVU.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RZ0AKDVU.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\QILTY4ZEGIYZ.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\QILTY4ZEGIYZ.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RZ0AKDVU.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\12528438.txt	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\12528438.txt	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KPH562B.com	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KPH562B.com	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KPH562B.com	KPH562B.com
File created	C:\Windows\SysWOW64\MBOQILM.txt	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1760	QILTY4ZEGIYZ.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
3248	RZ0AKDVU.exe
3248	RZ0AKDVU.exe
3248	RZ0AKDVU.exe
3248	RZ0AKDVU.exe
3248	RZ0AKDVU.exe
5108	KPH562B.com
5096	KPH562B.com
5096	KPH562B.com
5096	KPH562B.com
5096	KPH562B.com
5096	KPH562B.com
1760	QILTY4ZEGIYZ.exe
1760	QILTY4ZEGIYZ.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 216	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	86
PID 3208 wrote to memory of 216	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	86
PID 3208 wrote to memory of 216	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	86
PID 3208 wrote to memory of 3248	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	88
PID 3208 wrote to memory of 3248	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	88
PID 3208 wrote to memory of 3248	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	88
PID 5108 wrote to memory of 5096	5108	KPH562B.com	90
PID 5108 wrote to memory of 5096	5108	KPH562B.com	90
PID 5108 wrote to memory of 5096	5108	KPH562B.com	90
PID 3208 wrote to memory of 1760	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	91
PID 3208 wrote to memory of 1760	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	91
PID 3208 wrote to memory of 1760	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	91
PID 3208 wrote to memory of 2216	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	92
PID 3208 wrote to memory of 2216	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	92
PID 3208 wrote to memory of 2216	3208	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	92
PID 1760 wrote to memory of 2372	1760	QILTY4ZEGIYZ.exe	94
PID 1760 wrote to memory of 2372	1760	QILTY4ZEGIYZ.exe	94
PID 1760 wrote to memory of 2372	1760	QILTY4ZEGIYZ.exe	94

C:\Users\Admin\AppData\Local\Temp\3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\RZ0AKDVUP.bat
  2⤵
  PID:216
- C:\Windows\SysWOW64\RZ0AKDVU.exe
  C:\Windows\system32\RZ0AKDVU.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:3248
- C:\Windows\SysWOW64\QILTY4ZEGIYZ.exe
  "C:\Windows\system32\QILTY4ZEGIYZ.exe" -jscript
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\QILTY4~1.EXE > nul
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3A5FCB~1.EXE > nul
  2⤵
  PID:2216

C:\Windows\SysWOW64\KPH562B.com
C:\Windows\SysWOW64\KPH562B.com -kLocalService
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\KPH562B.com
  C:\Windows\SysWOW64\KPH562B.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RZ0AKDVUP.bat

Filesize
1KB

MD5
721b7502a0dcf3024f475cc7eccff345

SHA1
0945235d95bb88c1df85f87cb96e84556586a471

SHA256
5d557f7dd29204f1bbe3821529bbe8387ca1289f0b7754db56f81920a00a08fa

SHA512
74c181b6507d740ba4cc67da5834b94cdd2f38370a5f5abca708b0c129f231345d420e0545bcb0244523b77addb4705042df0a7646c64aa8237c86b08716a0b8

Download Submit
C:\Windows\SysWOW64\12528438.txt

Filesize
35B

MD5
033f66b95313e1ca55b1391c08480580

SHA1
25b5749cf9716c560a5d90936ff721904ffc8042

SHA256
191ee2d7205c9feaafdac05e1843738d1c63ad1c63679b1212383ad6d0a0a180

SHA512
46472a5d7ff5259716f9878004b78ebfcc49d1c35c5ff9dbcc3b048799dd96edebc69eca2b23431e44784aef069d8d380c1dc75dd3a05c8953ca285b46756cbc

Download Submit
C:\Windows\SysWOW64\QILTY4ZEGIYZ.exe

Filesize
24KB

MD5
72acc2edb98f5ab3e1b23e8f19f71de0

SHA1
5196ef0f8f0757068d525b729537afe9dc64a53f

SHA256
119b12d33a466f3085c4280987355c636e7250073a263cd2e82312fd5282d66b

SHA512
92edd41d986d97de49e115d15e3e5827e5ec741c190b7cefe21c887e102a139d4078357d8454b2bb8ff119e6ad50a1b5154f6795e6112ab804a1724c2c17839c

Download Submit
C:\Windows\SysWOW64\RZ0AKDVU.exe

Filesize
44KB

MD5
677b2627cf1131549e18893b1d9d4374

SHA1
47542beb77b5a153d201553d1acd90da592c1d58

SHA256
7bc93272147d647ec80c9cc1da44734d4fb2f0d29d15f53f42cf113cf65c6b89

SHA512
88a95eec90ac26f7941ff36f75815a959b7faaddb65a624fe27dea48885e1db4a7842d990095a835dc392cc02581762c15de12b024c2f608679977c31855c4f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads