7b313230fb9758d739408f1a8604c97ed72139965973cd7572d4f3d85467878a

General

Target

d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe
Size

163KB
MD5

d36aba9e982311c61b2d06fc96a357d2
SHA1

953eda57561ba81f6d51a316ab0f46c007797546
SHA256

7b313230fb9758d739408f1a8604c97ed72139965973cd7572d4f3d85467878a
SHA512

dc5664336e4ff811fa51f53d77fd92ce49153a4c2a96291036988e8272b68f4a6a0065b06c7958b29a0377071ad493716d4613cc431aacedc84ef78da4fa3664
SSDEEP

3072:AcdhTDWKN9JuB/RVgU974KlGro2UWQRtgxC6c3ovNRdNUirqSmF7Nv5D:ACTDdZmVJ974KlGM/g46cYVWimF7hV

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	a11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	a11.exe

Executes dropped EXE 3 IoCs

pid	Process
1448	QvodSetupPlus3.exe
2280	a11.exe
2388	~25946457.exe

Loads dropped DLL 8 IoCs

pid	Process
2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe
2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe
2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe
1448	QvodSetupPlus3.exe
1448	QvodSetupPlus3.exe
1448	QvodSetupPlus3.exe
2280	a11.exe
2280	a11.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122ea-3.dat	upx
behavioral1/files/0x0009000000016d58-18.dat	upx
behavioral1/memory/2108-13-0x00000000020D0000-0x00000000020E0000-memory.dmp	upx
behavioral1/memory/2108-5-0x0000000002820000-0x0000000002877000-memory.dmp	upx
behavioral1/memory/1448-25-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2280-26-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2280-29-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1448-28-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2280-43-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1448-42-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-64-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-68-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-72-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-74-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-78-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-82-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1448-84-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\kNssb.exe"	a11.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kNssb.exe	a11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QvodSetupPlus3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~25946457.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2280	a11.exe
2388	~25946457.exe
2388	~25946457.exe
2388	~25946457.exe
2388	~25946457.exe
2388	~25946457.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	a11.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1448	QvodSetupPlus3.exe
1448	QvodSetupPlus3.exe
1448	QvodSetupPlus3.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1448	QvodSetupPlus3.exe
1448	QvodSetupPlus3.exe
1448	QvodSetupPlus3.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 1448	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	31
PID 2108 wrote to memory of 2280	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	32
PID 2108 wrote to memory of 2280	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	32
PID 2108 wrote to memory of 2280	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	32
PID 2108 wrote to memory of 2280	2108	d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2388	2280	a11.exe	33
PID 2280 wrote to memory of 2388	2280	a11.exe	33
PID 2280 wrote to memory of 2388	2280	a11.exe	33
PID 2280 wrote to memory of 2388	2280	a11.exe	33
PID 2388 wrote to memory of 2884	2388	~25946457.exe	34
PID 2388 wrote to memory of 2884	2388	~25946457.exe	34
PID 2388 wrote to memory of 2884	2388	~25946457.exe	34
PID 2388 wrote to memory of 2884	2388	~25946457.exe	34

C:\Users\Admin\AppData\Local\Temp\d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d36aba9e982311c61b2d06fc96a357d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\a11.exe
  "C:\Users\Admin\AppData\Local\Temp\a11.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\~25946457.exe
    C:\Users\Admin\AppData\Local\Temp\~25946457.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a11.exe

Filesize
27KB

MD5
a4e2d7a6d6cda6e48d831f25a17438b8

SHA1
5ff025e8f06b3d28439b1a8be93bd65ddc091d7d

SHA256
610092a1dbd9d6b43efe9f11796e0d755c41c1afe9f76a4ec72e478c03d4e071

SHA512
bcf2807596d4dee56d7ae975a6b4b9ed64fcb9aee6d122ea2e0d431c0a33bc25090757142157efae2860055e3510b5aa6cdb6c0a8c54e527f5f8817e5314cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~25946457.exe

Filesize
8KB

MD5
e1962d025f6daa7c271b6f010130c618

SHA1
121d372db3134650cba79879cc416ec9bebb05ff

SHA256
e7f2b87dbc4b24e8731c760f9d6f0d65a04c1eb25bf976fef5703d4367fa3280

SHA512
86fd53050f431be4a09deadb808c85726aa9eae34e96cff260c033f7b4b9d584618d75101ffa8e732c27938be833031db1edd1de603ea7c7cef865b0707ff6b0

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
149KB

MD5
a3de6c880f4fbe1c2fdae63bed2587c5

SHA1
d24408ca4349f83b66409e773fab10863469a1f6

SHA256
eae20a59c483e08d98b03e9367af8069ae78133240f0ad73077db1f5f63c1e39

SHA512
218523a61e1cb2da1e2f92170965bcb51f3dc006365be606cd3d19fe8abe54c6c59674c161febdeacdc0fa8974a5ed1bfe00471c1762184026646cbc9881d12e

Download Submit
memory/1448-27-0x00000000002C0000-0x0000000000317000-memory.dmp

Filesize
348KB

Download
memory/1448-28-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-23-0x00000000033A0000-0x00000000035A4000-memory.dmp

Filesize
2.0MB

Download
memory/1448-84-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-82-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-25-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-78-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-74-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-72-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-24-0x00000000033A0000-0x00000000035A4000-memory.dmp

Filesize
2.0MB

Download
memory/1448-68-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-64-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1448-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2108-19-0x0000000000400000-0x000000000042A5D0-memory.dmp

Filesize
169KB

Download
memory/2108-0-0x0000000000400000-0x000000000042A5D0-memory.dmp

Filesize
169KB

Download
memory/2108-5-0x0000000002820000-0x0000000002877000-memory.dmp

Filesize
348KB

Download
memory/2108-13-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/2280-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2280-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2280-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads