fea63acefa5a9667f861330e52a60e93cb8a28878987ef7f4a1a51824d68528a

General

Target

ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe
Size

260KB
MD5

ea97a6a532bc926e40f2f1da11fb0fd7
SHA1

4f6ce97f457de83c78956b4d79f80054736415b6
SHA256

fea63acefa5a9667f861330e52a60e93cb8a28878987ef7f4a1a51824d68528a
SHA512

411ef0b3e69c7cb394a2b37676c2b2798be8ff81ddf48599755a0d27fbdf0bd198b9db01b51497d92cd7b6dda2d9497401870ba1e3b1f5b3348c7d0f68bb8a9c
SSDEEP

3072:+eLeUjGXzojTtWC86tTBfK1tXdO/fCccixj/GZ7XmplPSjZpnlJc/Smg1FXtDGwN:0UkzyTs6tTBzDetEmpnncqr1FXtyhq5

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3124	QvodSetupPlus3.exe
540	c08.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RunmeAtStartup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\c08.exe"	c08.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\xvhost.sb	c08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QvodSetupPlus3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe
1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe
540	c08.exe
540	c08.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3124	QvodSetupPlus3.exe
3124	QvodSetupPlus3.exe
3124	QvodSetupPlus3.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3124	QvodSetupPlus3.exe
3124	QvodSetupPlus3.exe
3124	QvodSetupPlus3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
540	c08.exe
540	c08.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 3124	1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe	82
PID 1328 wrote to memory of 3124	1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe	82
PID 1328 wrote to memory of 3124	1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe	82
PID 1328 wrote to memory of 540	1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe	83
PID 1328 wrote to memory of 540	1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe	83
PID 1328 wrote to memory of 540	1328	ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea97a6a532bc926e40f2f1da11fb0fd7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetupPlus3.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetupPlus3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\Temp\c08.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\c08.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetupPlus3.exe

Filesize
285KB

MD5
d493f86ebc2b7319c4cb28b9a0215a97

SHA1
415a94e3063e6f50d4c44a56b21b3884380bf2a8

SHA256
bdeb16f75d649bfd70e6f4d08c533b9e2747491013f9c73db08b43817e60387c

SHA512
56c0dbeda7c889b5583b65514e8e72f95631d13daffee64a55b8856f3ce653504da1fec691d308c9a4437f3b1460d2f1fcaf6db192cf8b15883ee490caf4dd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\c08.exe

Filesize
18KB

MD5
e8a1c45a5b5b5fbb4d01e1dab68d7c80

SHA1
4df8bd4430914ab21d5f14f596eba3548838a100

SHA256
73ded9c348b2fe4fb2c67353cd814004e224ad33782bb8e9d196f830a41cddc8

SHA512
9a75fcc78864a59ed8883b0fbfae26a86b6d27de39b05cf3ba8e6a163b9438d07dbcc1899cdc8e4e3acab093291c0bdd11d75077b96f881bbfb1a639777658d3

Download Submit
memory/540-21-0x0000000000400000-0x0000000000405AA0-memory.dmp

Filesize
22KB

Download
memory/540-24-0x0000000000400000-0x0000000000405AA0-memory.dmp

Filesize
22KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads