74f7681392fa6d1d6c62467d8a9b3ab60df26820ce60fad04585b7cb68d444b1

General

Target

4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe
Size

526KB
MD5

4c534640c1640866fb3f340b7f2f097b
SHA1

87335d6780313da3243963768c56a1d57da4ffba
SHA256

74f7681392fa6d1d6c62467d8a9b3ab60df26820ce60fad04585b7cb68d444b1
SHA512

7b66b294999d9266a476e40e0b263197a499207a7d82c7cf22b1ad55bf458a281dc967b273255665f2232c4698365ac483735412bd7248ecc8c8e17a543e3ab5
SSDEEP

12288:FVpo70X4yQySH6u40Prkl84/0zGoPqLbI16MMcxwireV:F3+0Xh46N+2czaPE6MHxw7

Score

8^/10

persistence upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	qvodplay7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	qvodplay7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
996	QvodSetup5.exe
4452	qvodplay7.exe
976	~24065665.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002326e-5.dat	upx
behavioral2/memory/996-17-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/files/0x00080000000234bd-20.dat	upx
behavioral2/memory/4452-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4452-31-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/996-30-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/4452-33-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4452-34-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/996-35-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/4452-36-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/996-45-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/4452-46-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/996-49-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/996-51-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/996-59-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/996-65-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\0xFso.exe"	qvodplay7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0xFso.exe	qvodplay7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
4452	qvodplay7.exe
976	~24065665.exe
976	~24065665.exe
976	~24065665.exe
976	~24065665.exe
976	~24065665.exe
976	~24065665.exe
976	~24065665.exe
976	~24065665.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	qvodplay7.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
996	QvodSetup5.exe
996	QvodSetup5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
996	QvodSetup5.exe
996	QvodSetup5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 996	1476	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe	84
PID 1476 wrote to memory of 996	1476	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe	84
PID 1476 wrote to memory of 996	1476	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe	84
PID 1476 wrote to memory of 4452	1476	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe	85
PID 1476 wrote to memory of 4452	1476	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe	85
PID 1476 wrote to memory of 4452	1476	4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe	85
PID 4452 wrote to memory of 976	4452	qvodplay7.exe	99
PID 4452 wrote to memory of 976	4452	qvodplay7.exe	99
PID 4452 wrote to memory of 976	4452	qvodplay7.exe	99
PID 976 wrote to memory of 3008	976	~24065665.exe	100
PID 976 wrote to memory of 3008	976	~24065665.exe	100
PID 976 wrote to memory of 3008	976	~24065665.exe	100

C:\Users\Admin\AppData\Local\Temp\4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c534640c1640866fb3f340b7f2f097b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:996
- C:\Users\Admin\AppData\Local\Temp\qvodplay7.exe
  "C:\Users\Admin\AppData\Local\Temp\qvodplay7.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\~24065665.exe
    C:\Users\Admin\AppData\Local\Temp\~24065665.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvodplay7.exe

Filesize
29KB

MD5
1a3440da9f8f5cad3319d8b2e17772be

SHA1
fb3c6ec93d7d15228f77d71651a8f24a1a35facf

SHA256
09c7ece20c9b50b0d272cc40c45a965d289a9ae73441a0b893de3c9532aeeae3

SHA512
b22e08e4fc4a4acb760a3d56992b9d73f1ccb5ac2eaff04f66587b55b3a3396f3760840c50e7800f1e51cd95ef95f6d70a41e6c3766ed60cb41ada85920c5e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\~24065665.exe

Filesize
8KB

MD5
1c85b838536b8027027ed9a9019f6e57

SHA1
193086e31000ad275b91798e6ab2bf1823f28fb7

SHA256
513684483d92bef7b9ea5f279b47cededbfa059bd7688f0944cd9c3e0a7c4c3c

SHA512
7fa2da850652713edc6e187d0014f12ae877d8f6699160a4e0b1ed6d8163279316ace4d81373ee98f22a7f5b816f81a531af1a23c0e9ebb35546e9f8e0d9e25c

Download Submit
memory/996-23-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/996-65-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-45-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-59-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-30-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-51-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-35-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-49-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/996-17-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1476-22-0x0000000000400000-0x0000000000485398-memory.dmp

Filesize
532KB

Download
memory/1476-0-0x0000000000400000-0x0000000000485398-memory.dmp

Filesize
532KB

Download
memory/4452-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4452-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4452-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4452-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4452-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4452-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads