16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940

General

Target

89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
Size

221KB
MD5

89759ff8befbf5d841e10aab7d60ccb8
SHA1

28d243ecf7f97c31a289f3f998861113b5a9d435
SHA256

16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940
SHA512

3efa3cdc266aae25d72b8c316d25d3ebbea02eb27306d330075b4aa53457608d2c53a25825ece310b8d8568d21fe7b93f0e0e5f73017a7612c3e69ffbf384e66
SSDEEP

3072:bqEH+GiEs2SMylNOjyFbxJr5qojW5SiUSv7q2reaSkJ+naWUnBgq9LIK7FskG8oD:OsehzRFxC5SiVLSa5JGFsZs2JKpW4gw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
980	QVODSE~1.EXE
1840	Setup8.exe
1216	tsbmsgaa.exe

Loads dropped DLL 1 IoCs

pid	Process
1216	tsbmsgaa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	tsbmsgaa.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tsbmsgaa.exe	QVODSE~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QVODSE~1.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
980	QVODSE~1.EXE
980	QVODSE~1.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1840	Setup8.exe
1840	Setup8.exe
1840	Setup8.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1840	Setup8.exe
1840	Setup8.exe
1840	Setup8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 980	1996	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	91
PID 1996 wrote to memory of 980	1996	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	91
PID 1996 wrote to memory of 980	1996	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	91
PID 980 wrote to memory of 4176	980	QVODSE~1.EXE	92
PID 980 wrote to memory of 4176	980	QVODSE~1.EXE	92
PID 980 wrote to memory of 4176	980	QVODSE~1.EXE	92
PID 1996 wrote to memory of 1840	1996	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	94
PID 1996 wrote to memory of 1840	1996	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	94
PID 1996 wrote to memory of 1840	1996	89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe	94
PID 4176 wrote to memory of 1216	4176	cmd.exe	95
PID 4176 wrote to memory of 1216	4176	cmd.exe	95
PID 4176 wrote to memory of 1216	4176	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\tsbmsgaa.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\tsbmsgaa.exe
      C:\Windows\system32\tsbmsgaa.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4348,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F97.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE

Filesize
125KB

MD5
8200d8aa567e728a8b9a303f717f771a

SHA1
a4c3fa13847873e27ca4459cc5db972b6e043468

SHA256
a9ff33fa335035d12169c85a711f8f8875743d88a9c0807f5668028601eba806

SHA512
eab1ad28df174b3750c4747909a1f52dabcd714d05a5665d8058040cda172d1f50dc17379e2da451553f2ee9d1aa5b84003926598c3bba4c8aaf0e15c96851c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe

Filesize
297KB

MD5
e6859c9a14016562fd6b7a4fc2d063f0

SHA1
d103b8185bc56fbc86aa0a110b022d5801552cc0

SHA256
9ab7142e21013ada234c176b57684547e1e55570b5cde694f08f7e497c0e2fb7

SHA512
38c24f9685adcad166e57f1ccc15a45c9267b14f313151ed1ff434633705d7435a73b6a00369c2e9b5c50573d64809111940c59b1ff4ba185e03f92d32fb8868

Download Submit
C:\Windows\SysWOW64\tsbmsgaa.exe

Filesize
49KB

MD5
9f8ff0afc4967c39cf43d014acdaac97

SHA1
ef699bc0b7a3d280420c5fdb9f3274c6730d42da

SHA256
cbaee1978832a44c0e8cfef854192f0d507de1e44d9190c9e615ee35be11ab1e

SHA512
41324155f5b87a1c62af8f807578fa598c5de1d54561771663c44ea22d5322e54437881ef0d361d3d939be1e57feb9171f7038ed1d02e484bc838c251116b5bf

Download Submit
memory/980-8-0x0000000000EB0000-0x0000000000ED2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads