827af611722213ebbc81a95e750d31eb9746d457243d4e5598ef040a09aacaee

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe
Size

368KB
MD5

3ca92ae7617a7aa37a7c9d09a501c732
SHA1

f5a1801e5fc2d5e962bb6d915801d68bbb611a41
SHA256

827af611722213ebbc81a95e750d31eb9746d457243d4e5598ef040a09aacaee
SHA512

38835a0c23439bd004fb25ef86e57edacf99e90873b5ec765acb2a05cfae4090af752954569cceb06b52cc7f1d40e663ff42433f8c8a5d00134fa95d5bfcb366
SSDEEP

3072:RSrFhsP2MQK4v2oPl6VA6rAHBr9uu3q6FDvZuHlYq99oc:crFyP7QR6aSAR9uanFDvZy9h

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	qomicz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	FSURMD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	qazbqda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	gikbx.exe

Executes dropped EXE 6 IoCs

pid	Process
1120	qomicz.exe
3520	FSURMD.exe
2480	qazbqda.exe
4196	lcvyokzy.exe
216	gikbx.exe
4488	azdyacaj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SXORFELCCJ = "C:\\Windows\\system32\\qazbqd.exe"	FSURMD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RFELCCJYRW = "C:\\Program Files\\Outlook Express\\qazbqdakf.exe"	FSURMD.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	FSURMD.exe
File opened (read-only)	\??\p:	FSURMD.exe
File opened (read-only)	\??\v:	FSURMD.exe
File opened (read-only)	\??\h:	lcvyokzy.exe
File opened (read-only)	\??\v:	lcvyokzy.exe
File opened (read-only)	\??\l:	FSURMD.exe
File opened (read-only)	\??\q:	FSURMD.exe
File opened (read-only)	\??\u:	FSURMD.exe
File opened (read-only)	\??\w:	FSURMD.exe
File opened (read-only)	\??\i:	lcvyokzy.exe
File opened (read-only)	\??\b:	FSURMD.exe
File opened (read-only)	\??\q:	lcvyokzy.exe
File opened (read-only)	\??\r:	lcvyokzy.exe
File opened (read-only)	\??\e:	FSURMD.exe
File opened (read-only)	\??\g:	FSURMD.exe
File opened (read-only)	\??\j:	FSURMD.exe
File opened (read-only)	\??\k:	FSURMD.exe
File opened (read-only)	\??\b:	lcvyokzy.exe
File opened (read-only)	\??\n:	lcvyokzy.exe
File opened (read-only)	\??\r:	FSURMD.exe
File opened (read-only)	\??\s:	FSURMD.exe
File opened (read-only)	\??\z:	lcvyokzy.exe
File opened (read-only)	\??\t:	FSURMD.exe
File opened (read-only)	\??\l:	lcvyokzy.exe
File opened (read-only)	\??\x:	lcvyokzy.exe
File opened (read-only)	\??\o:	lcvyokzy.exe
File opened (read-only)	\??\t:	lcvyokzy.exe
File opened (read-only)	\??\h:	FSURMD.exe
File opened (read-only)	\??\y:	FSURMD.exe
File opened (read-only)	\??\e:	lcvyokzy.exe
File opened (read-only)	\??\j:	lcvyokzy.exe
File opened (read-only)	\??\u:	lcvyokzy.exe
File opened (read-only)	\??\n:	FSURMD.exe
File opened (read-only)	\??\z:	FSURMD.exe
File opened (read-only)	\??\g:	lcvyokzy.exe
File opened (read-only)	\??\k:	lcvyokzy.exe
File opened (read-only)	\??\w:	lcvyokzy.exe
File opened (read-only)	\??\y:	lcvyokzy.exe
File opened (read-only)	\??\i:	FSURMD.exe
File opened (read-only)	\??\x:	FSURMD.exe
File opened (read-only)	\??\m:	lcvyokzy.exe
File opened (read-only)	\??\s:	lcvyokzy.exe
File opened (read-only)	\??\p:	lcvyokzy.exe
File opened (read-only)	\??\m:	FSURMD.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qazbqd.exe	FSURMD.exe
File opened for modification	C:\Windows\SysWOW64\qazbqd.exe	FSURMD.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\gikbx.exe	qazbqda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe	3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe	3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\FSURMD.exe	qomicz.exe
File created	C:\Program Files\Outlook Express\qazbqdakf.exe	FSURMD.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\qazbqda.exe	FSURMD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1120	4916	3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe	86
PID 4916 wrote to memory of 1120	4916	3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe	86
PID 4916 wrote to memory of 1120	4916	3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe	86
PID 1120 wrote to memory of 3520	1120	qomicz.exe	87
PID 1120 wrote to memory of 3520	1120	qomicz.exe	87
PID 1120 wrote to memory of 3520	1120	qomicz.exe	87
PID 3520 wrote to memory of 2480	3520	FSURMD.exe	88
PID 3520 wrote to memory of 2480	3520	FSURMD.exe	88
PID 3520 wrote to memory of 2480	3520	FSURMD.exe	88
PID 2480 wrote to memory of 4196	2480	qazbqda.exe	89
PID 2480 wrote to memory of 4196	2480	qazbqda.exe	89
PID 2480 wrote to memory of 4196	2480	qazbqda.exe	89
PID 2480 wrote to memory of 216	2480	qazbqda.exe	90
PID 2480 wrote to memory of 216	2480	qazbqda.exe	90
PID 2480 wrote to memory of 216	2480	qazbqda.exe	90
PID 216 wrote to memory of 4488	216	gikbx.exe	91
PID 216 wrote to memory of 4488	216	gikbx.exe	91
PID 216 wrote to memory of 4488	216	gikbx.exe	91

C:\Users\Admin\AppData\Local\Temp\3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ca92ae7617a7aa37a7c9d09a501c732_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe" qomiczwqy.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Program Files\dotnet\shared\FSURMD.exe
    "C:\Program Files\dotnet\shared\FSURMD.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Program Files\Common Files\microsoft shared\ink\qazbqda.exe
      "C:\Program Files\Common Files\microsoft shared\ink\qazbqda.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Documents and Settings\lcvyokzy.exe
        
        "C:\Documents and Settings\lcvyokzy.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:4196
    - - C:\Program Files\7-Zip\Lang\gikbx.exe
        
        "C:\Program Files\7-Zip\Lang\gikbx.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\PerfLogs\azdyacaj.exe
        
        "C:\PerfLogs\azdyacaj.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe
        6⤵
        Executes dropped EXE
        
        PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\shared\FSURMD.exe

Filesize
208KB

MD5
2e506d1f4abd683ddb80ecf058e6fd21

SHA1
71786e7ac2f3c537f5aafec752ee7336964692d0

SHA256
ad49d1ca06292b1635211bdd33b76d8c4a89f35e07689f5ae4676a90343055d6

SHA512
3c45507f7e44ebe875458746e26211acce5afdb31e8e5b3ce7329ba1e046834714d041523cac6de58e6cbcf9068e8b43de93d841b470eb8e9927608c072272c8

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\qomicz.exe

Filesize
368KB

MD5
3ca92ae7617a7aa37a7c9d09a501c732

SHA1
f5a1801e5fc2d5e962bb6d915801d68bbb611a41

SHA256
827af611722213ebbc81a95e750d31eb9746d457243d4e5598ef040a09aacaee

SHA512
38835a0c23439bd004fb25ef86e57edacf99e90873b5ec765acb2a05cfae4090af752954569cceb06b52cc7f1d40e663ff42433f8c8a5d00134fa95d5bfcb366

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads