3233a4c9c32c0712430ad93bfea7f4abe51ec8cfacea3901e867e791f1cf9996

General

Target

effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe
Size

164KB
MD5

effb049618cd0ae43b58b4e42b9f0c29
SHA1

54a287b4c9284c7020a11b8906c5133d41ddcf19
SHA256

3233a4c9c32c0712430ad93bfea7f4abe51ec8cfacea3901e867e791f1cf9996
SHA512

38e5ab16a0a6b59368156ef0061806d6b7cccc07b046eb578afdabd3fa6b1aff5b70714f1a52ccb214b8d35ba216006c11ee676f5352b277dccfd6675f1160a0
SSDEEP

3072:MU75c9bLFdy09JuB/RVgU974KlGro2UWQRtgxC6c3ovNRdNUirqSmF7Nv5D:MUStdHmVJ974KlGM/g46cYVWimF7hV

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	a7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
636	QvodSetupPlus3.exe
3996	a7.exe
3180	~24065290.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234a5-5.dat	upx
behavioral2/memory/636-16-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/files/0x00080000000234ac-20.dat	upx
behavioral2/memory/3996-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/636-23-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3996-25-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3996-26-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/636-27-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3996-28-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/636-39-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3996-40-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/636-43-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-45-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-49-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-53-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-55-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-59-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\4j4fV.exe"	a7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\4j4fV.exe	a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QvodSetupPlus3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~24065290.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3996	a7.exe
3180	~24065290.exe
3180	~24065290.exe
3180	~24065290.exe
3180	~24065290.exe
3180	~24065290.exe
3180	~24065290.exe
3180	~24065290.exe
3180	~24065290.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	a7.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
636	QvodSetupPlus3.exe
636	QvodSetupPlus3.exe
636	QvodSetupPlus3.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
636	QvodSetupPlus3.exe
636	QvodSetupPlus3.exe
636	QvodSetupPlus3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 636	4840	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe	82
PID 4840 wrote to memory of 636	4840	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe	82
PID 4840 wrote to memory of 636	4840	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe	82
PID 4840 wrote to memory of 3996	4840	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe	83
PID 4840 wrote to memory of 3996	4840	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe	83
PID 4840 wrote to memory of 3996	4840	effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe	83
PID 3996 wrote to memory of 3180	3996	a7.exe	93
PID 3996 wrote to memory of 3180	3996	a7.exe	93
PID 3996 wrote to memory of 3180	3996	a7.exe	93
PID 3180 wrote to memory of 3464	3180	~24065290.exe	94
PID 3180 wrote to memory of 3464	3180	~24065290.exe	94
PID 3180 wrote to memory of 3464	3180	~24065290.exe	94

C:\Users\Admin\AppData\Local\Temp\effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\effb049618cd0ae43b58b4e42b9f0c29_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:636
- C:\Users\Admin\AppData\Local\Temp\a7.exe
  "C:\Users\Admin\AppData\Local\Temp\a7.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\~24065290.exe
    C:\Users\Admin\AppData\Local\Temp\~24065290.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
149KB

MD5
a3de6c880f4fbe1c2fdae63bed2587c5

SHA1
d24408ca4349f83b66409e773fab10863469a1f6

SHA256
eae20a59c483e08d98b03e9367af8069ae78133240f0ad73077db1f5f63c1e39

SHA512
218523a61e1cb2da1e2f92170965bcb51f3dc006365be606cd3d19fe8abe54c6c59674c161febdeacdc0fa8974a5ed1bfe00471c1762184026646cbc9881d12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7.exe

Filesize
28KB

MD5
e616eeb921c0f2a19c865186a8a513bd

SHA1
fbf9a40648f8e84d79b0b7e661fcdc4d6affa226

SHA256
037a474829182ae2c99b5ede8035bc443410b8f20c27541696f0431e5ea1d66d

SHA512
cbed9060d3ac58e44ad3480ca1f433a128a80700459890be1c9a898703a9b3eb168dad988be664c475298ff67db5ef4bc3133727e38bc2b9e546c079680ac161

Download Submit
C:\Users\Admin\AppData\Local\Temp\~24065290.exe

Filesize
8KB

MD5
b11eedcfda0d6285b0f350c4a9a08b2c

SHA1
1b920bf61d638af9225e3a42a0180c628ecb847f

SHA256
75601b8b8332d7879b3ad26000ce44135dd5b6477358c31f5952814741a54685

SHA512
0ccc1a3027e995c8baed31fe756891eb3be9ad55832f26fbe317b4143e188c09edca46bcd4cfd4a856797e5dcb295a4114a9547832145ec9da0609775edb7bb8

Download Submit
memory/636-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-59-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-43-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3996-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3996-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3996-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3996-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3996-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4840-0-0x0000000000400000-0x000000000042A8C7-memory.dmp

Filesize
170KB

Download
memory/4840-22-0x0000000000400000-0x000000000042A8C7-memory.dmp

Filesize
170KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads