ff9047d6b337e222f83b16b78674b5f55ec9a592a6dd379feb36168a9c3f57a0

General

Target

a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe
Size

164KB
MD5

a78e3e5ddb17eaef1a376a005c16ce90
SHA1

b6fdc1e495f7de096ae3e638ccd76e4110fe1094
SHA256

ff9047d6b337e222f83b16b78674b5f55ec9a592a6dd379feb36168a9c3f57a0
SHA512

54404fb4f10340b08b087bc7d3a78985116f2b5db5b77f5ef080a5361b6c758b14dbc34e0a03613f4bfe04d54012119ecc918804d3499d34d0e71b8ffa7f2d58
SSDEEP

3072:W8lI9JuB/RVgU974KlGro2UWQRtgxC6c3ovNRdNUirqSmF7Nv5D:WJmVJ974KlGM/g46cYVWimF7hV

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	a44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	a44.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2472	QvodSetupPlus3.exe
1404	a44.exe
4284	~24064092.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a0000000233c9-5.dat	upx
behavioral2/files/0x000800000002342d-16.dat	upx
behavioral2/memory/1404-20-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2472-18-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-23-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1404-25-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1404-26-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2472-27-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1404-28-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1404-30-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2472-39-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1404-40-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2472-43-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-45-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-47-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-49-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-51-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-55-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-57-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2472-59-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\R2Qon.exe"	a44.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\R2Qon.exe	a44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QvodSetupPlus3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~24064092.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
1404	a44.exe
4284	~24064092.exe
4284	~24064092.exe
4284	~24064092.exe
4284	~24064092.exe
4284	~24064092.exe
4284	~24064092.exe
4284	~24064092.exe
4284	~24064092.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	a44.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2472	QvodSetupPlus3.exe
2472	QvodSetupPlus3.exe
2472	QvodSetupPlus3.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2472	QvodSetupPlus3.exe
2472	QvodSetupPlus3.exe
2472	QvodSetupPlus3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2472	2696	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe	84
PID 2696 wrote to memory of 2472	2696	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe	84
PID 2696 wrote to memory of 2472	2696	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe	84
PID 2696 wrote to memory of 1404	2696	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe	85
PID 2696 wrote to memory of 1404	2696	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe	85
PID 2696 wrote to memory of 1404	2696	a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe	85
PID 1404 wrote to memory of 4284	1404	a44.exe	100
PID 1404 wrote to memory of 4284	1404	a44.exe	100
PID 1404 wrote to memory of 4284	1404	a44.exe	100
PID 4284 wrote to memory of 1860	4284	~24064092.exe	101
PID 4284 wrote to memory of 1860	4284	~24064092.exe	101
PID 4284 wrote to memory of 1860	4284	~24064092.exe	101

C:\Users\Admin\AppData\Local\Temp\a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a78e3e5ddb17eaef1a376a005c16ce90_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\a44.exe
  "C:\Users\Admin\AppData\Local\Temp\a44.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\~24064092.exe
    C:\Users\Admin\AppData\Local\Temp\~24064092.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
149KB

MD5
a3de6c880f4fbe1c2fdae63bed2587c5

SHA1
d24408ca4349f83b66409e773fab10863469a1f6

SHA256
eae20a59c483e08d98b03e9367af8069ae78133240f0ad73077db1f5f63c1e39

SHA512
218523a61e1cb2da1e2f92170965bcb51f3dc006365be606cd3d19fe8abe54c6c59674c161febdeacdc0fa8974a5ed1bfe00471c1762184026646cbc9881d12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a44.exe

Filesize
28KB

MD5
ae2bd0997c469d7282cce81526657b19

SHA1
f26a5ec472a1d1c6e6335fc0ba948788076cd115

SHA256
3f4511364b3727f113897d79ddb837780b7ad9177004365f14f4984aa3fb2385

SHA512
a25a83a1c17a55133c5d25611466f2cef804c2968ebac915f7c6202faa36aff6d4c988a1ed49e328d4c4faab8a9a43016e3e198fcc1d86a2c7fa3c80e39939b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~24064092.exe

Filesize
8KB

MD5
aa895b6310ae611fac946bcb9ddf7e6f

SHA1
427bd638a3d26ab9140f26bbfc1d9f6e4dda7ad9

SHA256
bf5c3e35dd91d27990f08f352a202a6b622616c87e22c83e76de645a3e6315f6

SHA512
a494dcebe62365ae5c816e44d31189dfb334556f343ebd49e4091688dde3c4d41b663cde0f43b9c8164e4a3e8b5367d8490d18040939e621170e741b238fc6eb

Download Submit
memory/1404-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1404-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1404-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1404-30-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1404-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1404-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2472-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-59-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-57-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-43-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-51-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2696-21-0x0000000000400000-0x000000000042A8CD-memory.dmp

Filesize
170KB

Download
memory/2696-0-0x0000000000400000-0x000000000042A8CD-memory.dmp

Filesize
170KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads