2a1a4eb9f1a069a3ece92f59d1f006d7bd4302c8f8b84ea17287508abec27617

General

Target

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Size

216KB
MD5

759cb0d26b7a581bbe57f735496e8433
SHA1

7d80b96280bb0f351d624ecf087dbb7b9051b27b
SHA256

2a1a4eb9f1a069a3ece92f59d1f006d7bd4302c8f8b84ea17287508abec27617
SHA512

4e33f6b9cf255762f005e7eb0b921e14ffe5662b5649a583dada86178d43543ef929197ea47c5a3122f91c6d7b5a74551fe5c16b0e1514a0b4c7ac148ab08290
SSDEEP

3072:cPWW5YMreReY93x+DNX2mBlGg9H2Y23JWRdmgODOiwv8+0X9C93vavpx:ujmlReg3qNGmCuVmJYXmQ8+0XMavpx

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ycqako.exe

pid process

2800 ycqako.exe

pid	process
2800	ycqako.exe

Loads dropped DLL 4 IoCs

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

pid	process
2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
2800	ycqako.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\ycqako.exe reg_run"	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winsync = "C:\\Windows\\system32\\ycqako.exe reg_run"	ycqako.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	ycqako.exe

Drops file in System32 directory 11 IoCs

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

description	ioc	process
File created	C:\Windows\SysWOW64\qkguv.dat	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ycqako.exe	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kdvvcbf.exe	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ycqako.exe	ycqako.exe
File created	C:\Windows\SysWOW64\qkguv.dat	ycqako.exe
File opened for modification	C:\Windows\SysWOW64\qnspaue.dll	ycqako.exe
File opened for modification	C:\Windows\SysWOW64\kdvvcbf.exe	ycqako.exe
File opened for modification	C:\Windows\SysWOW64\gwqml.dll	ycqako.exe
File created	C:\Windows\SysWOW64\ycqako.exe	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\qnspaue.dll	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gwqml.dll	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

description ioc process

File created C:\Windows\eiupt.dll 759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\eiupt.dll	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycqako.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ycqako.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ycqako.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ycqako.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ycqako.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

Modifies registry class 18 IoCs

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exeycqako.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}\ProgId\ = "rrfxijej.class"	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}\ = "rrfxijej.class"	ycqako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}\InProcServer32\ = "C:\\Windows\\SysWow64\\gwqml.dll"	ycqako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}\InProcServer32\ThreadingModel = "Apartment"	ycqako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}\ProgId\ = "rrfxijej.class"	ycqako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}\InProcServer32\ThreadingModel = "Apartment"	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gxsyqkfk\ = "{6b1148ad-7f71-487a-a1c3-e40fae90a35b}"	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}	ycqako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}\ProgId	ycqako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gxsyqkfk\ = "{4732ff0c-a4a0-47ad-8a32-a894a415907e}"	ycqako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gxsyqkfk	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gxsyqkfk	ycqako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}\ = "rrfxijej.class"	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}\InProcServer32	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}\InProcServer32\ = "C:\\Windows\\SysWow64\\gwqml.dll"	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}\ProgId	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4732ff0c-a4a0-47ad-8a32-a894a415907e}\InProcServer32	ycqako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b1148ad-7f71-487a-a1c3-e40fae90a35b}	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe

description	pid	process	target process
PID 2384 wrote to memory of 2800	2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe	ycqako.exe
PID 2384 wrote to memory of 2800	2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe	ycqako.exe
PID 2384 wrote to memory of 2800	2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe	ycqako.exe
PID 2384 wrote to memory of 2800	2384	759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe	ycqako.exe

C:\Users\Admin\AppData\Local\Temp\759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\759cb0d26b7a581bbe57f735496e8433_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\ycqako.exe
unknown
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
PID:2800

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kdvvcbf.exe
Filesize
28KB

MD5
adf22e6bd68df549ba48e01210415700

SHA1
10f21def0b3a2daa0ceb63c74d8aaeda7805a5f9

SHA256
6ab33825e98a67357ad3f1bd01c6ca7b7f963a0fac7c0d88f7e36174e184907a

SHA512
74d2d2d8ea72a2adb15f1e948c2b2ba4024e26809ff207700a07247b5fd9d63fa83b78c06bba4403ff830ca401895f730790441eedc1a7440a119715733a7a71

Download Submit
C:\Windows\SysWOW64\qnspaue.dll
Filesize
65KB

MD5
4156d29b461f25955b45b32d834d4e54

SHA1
5cfbdf2891c5e367e99b56fad6a1c0a60d662119

SHA256
c9a8fce2609751f7ab36be81000267a02a7d3457941e1180d9c45a3b95472f07

SHA512
ed5861acf11db457589a6fe1eadf0072ec9a2d88ad4c08d6f26cd1e08ef9a4558424d1f6d65c5b1719d009cd04589a754e3b279090e4e46845bd09cc0659146c

Download Submit
C:\Windows\eiupt.dll
Filesize
24B

MD5
b0dc572965ce011f709cf2a5253ef4d4

SHA1
0b54536599f79086e91653f8ef6cdeb94bbdec2b

SHA256
53d498d335b6afcc372eec443d63435bc89f1130cb0d2052b9b483e8939a4ec8

SHA512
329876a251cff99abb70b0e3afcbe7a690d9a98a8890426b1e561f5a77d2e32cae23c58c0023ba24dfce189d6f3d059f9a567d82b3c05726db0b1b537a181579

Download Submit
\Windows\SysWOW64\gwqml.dll
Filesize
23KB

MD5
c24a9838f27d9a1da34db522cb2823df

SHA1
7cbc906413095380a8dea42149789feb3efb5f3b

SHA256
6cfdab5b52ae4760d51167878a3b056283bf7ca3efdae0bdf66c35b9464bff5d

SHA512
79838d3ea21d369832a28f94c34881ad4e44f5712f2cf3b9a0dacd1751cacf706a6110ffeebd4d7cc4b102bd77c5e064d2f323f73c2123e86e8da7321632ba2b

Download Submit
\Windows\SysWOW64\ycqako.exe
Filesize
216KB

MD5
759cb0d26b7a581bbe57f735496e8433

SHA1
7d80b96280bb0f351d624ecf087dbb7b9051b27b

SHA256
2a1a4eb9f1a069a3ece92f59d1f006d7bd4302c8f8b84ea17287508abec27617

SHA512
4e33f6b9cf255762f005e7eb0b921e14ffe5662b5649a583dada86178d43543ef929197ea47c5a3122f91c6d7b5a74551fe5c16b0e1514a0b4c7ac148ab08290

Download Submit
memory/2384-11-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2384-21-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads