e50d55aebbd62b7598a5aac55cd2467fcb2752d3b7f88d645436b61c114ee6aa

General

Target

f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe
Size

526KB
MD5

f616d768627040f1f98660860f0bfcb8
SHA1

8484f820fd2ee40310620aa377a981a6f792880d
SHA256

e50d55aebbd62b7598a5aac55cd2467fcb2752d3b7f88d645436b61c114ee6aa
SHA512

3ea6b156c45ccc03ac8c07916895fa512b0c932a5f5dff35cf1196753688c162f4df14afced04f977c4deddf33b2ccf80d3b61099e80f5fe9da0b948e33a0232
SSDEEP

12288:wcib2po70X4yQySH6u40Prkl84/0zGoPqLbI16MMcxwireV:wcibw+0Xh46N+2czaPE6MHxw7

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	vodplay2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	vodplay2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
400	QvodSetup5.exe
3788	vodplay2.exe
4768	~24064914.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\oMdNA.exe"	vodplay2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oMdNA.exe	vodplay2.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a0000000233b1-5.dat	upx
behavioral2/files/0x000a000000023412-16.dat	upx
behavioral2/memory/3788-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/400-17-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/400-30-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/3788-31-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/400-32-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/3788-33-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3788-35-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3788-37-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3788-47-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/400-60-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QvodSetup5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vodplay2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~24064914.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
3788	vodplay2.exe
4768	~24064914.exe
4768	~24064914.exe
4768	~24064914.exe
4768	~24064914.exe
4768	~24064914.exe
4768	~24064914.exe
4768	~24064914.exe
4768	~24064914.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	vodplay2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
400	QvodSetup5.exe
400	QvodSetup5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
400	QvodSetup5.exe
400	QvodSetup5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 400	1156	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe	82
PID 1156 wrote to memory of 400	1156	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe	82
PID 1156 wrote to memory of 400	1156	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe	82
PID 1156 wrote to memory of 3788	1156	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe	83
PID 1156 wrote to memory of 3788	1156	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe	83
PID 1156 wrote to memory of 3788	1156	f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe	83
PID 3788 wrote to memory of 4768	3788	vodplay2.exe	93
PID 3788 wrote to memory of 4768	3788	vodplay2.exe	93
PID 3788 wrote to memory of 4768	3788	vodplay2.exe	93
PID 4768 wrote to memory of 4440	4768	~24064914.exe	94
PID 4768 wrote to memory of 4440	4768	~24064914.exe	94
PID 4768 wrote to memory of 4440	4768	~24064914.exe	94

C:\Users\Admin\AppData\Local\Temp\f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f616d768627040f1f98660860f0bfcb8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:400
- C:\Users\Admin\AppData\Local\Temp\vodplay2.exe
  "C:\Users\Admin\AppData\Local\Temp\vodplay2.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\~24064914.exe
    C:\Users\Admin\AppData\Local\Temp\~24064914.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vodplay2.exe

Filesize
29KB

MD5
8aa39d39b3e3a44cb616ae53b62c02c9

SHA1
b6796258b3024da771ad5feb6c8dc2229fccd8a7

SHA256
e2eaeb50d3447411204a8e1225224529526fd900e71ab7464c440163e576350a

SHA512
9a3e9c6c5b293647ffa88d15fcf3f83a9c956f0826b02e564d33b80f6fc2e3f7996fa1d90151439af185f97f42fd4e406fae3581bb623a8f9a605cbc57fbebbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~24064914.exe

Filesize
8KB

MD5
77e3d7afb15eaef224a930933aa136af

SHA1
b59e951c810ed82c32aafe765c0091984f0ee3c6

SHA256
841852d043cc9ca45481bd47dda44aabb066ef3e518cb6202ad4a791ecd16194

SHA512
169f7c4a8bee455fc3505793bdea1ab67e76c264e8055b90234e5ba1cfb631724fea862f942782d11002ea59ac99206a1e55d4162117d91a4623cf92f5f61ccf

Download Submit
memory/400-60-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/400-17-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/400-23-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/400-30-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/400-32-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1156-22-0x0000000000400000-0x000000000048536D-memory.dmp

Filesize
532KB

Download
memory/1156-0-0x0000000000400000-0x000000000048536D-memory.dmp

Filesize
532KB

Download
memory/3788-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3788-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3788-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3788-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3788-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3788-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads