add09e7a3ed5ae1437eb09317695282b6145569c8d963b8aa16724f91aa94935

General

Target

fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe
Size

752KB
MD5

fe3d4c25fed10022f092e702bf7981cd
SHA1

48ea8553923cdca76fd296b01f08d54bd8eb48c1
SHA256

add09e7a3ed5ae1437eb09317695282b6145569c8d963b8aa16724f91aa94935
SHA512

87c7e99dd4825eb29c9ca900021b26e94b4fd874ae2823ef7d98065e124b3e1badc4a8c92f239bf81fc53209a7a354e07b8f7a7642e2346a31180705f55637c7
SSDEEP

12288:nsaY8r7BQx+owcax72+eg+Ib5c06d8R2FmTlcyyitCqUeQoZLbeSQ+O8xAM1:B/rudZdCqdnFi5CSNFOkt1

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XueTr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\XueTr.sys"	XueTr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yzevktxi\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\yzevktxi.sys"	XueTr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vozsfuvwc\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\vozsfuvwc.sys"	XueTr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jdmpbnbjp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\jdmpbnbjp.sys"	XueTr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bvbbire\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\bvbbire.sys"	XueTr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4428	XueTr.exe
4940	Âí.exe
1868	Âí.exe

Impair Defenses: Safe Mode Boot 1 TTPs 10 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jdmpbnbjp.sys	XueTr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\BVBBIRE.SYS	XueTr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\VOZSFUVWC.SYS	XueTr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\JDMPBNBJP.SYS	XueTr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\bvbbire.sys	XueTr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\XueTr.sys	XueTr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\XUETR.SYS	XueTr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\yzevktxi.sys	XueTr.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\YZEVKTXI.SYS	XueTr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vozsfuvwc.sys	XueTr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 1868	4940	Âí.exe	91

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4496-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4496-112-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4368	1868	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XueTr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Âí.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe
4428	XueTr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	XueTr.exe
Token: SeLoadDriverPrivilege	4428	XueTr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4428	XueTr.exe
4428	XueTr.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4428	4496	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe	89
PID 4496 wrote to memory of 4428	4496	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe	89
PID 4496 wrote to memory of 4428	4496	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe	89
PID 4496 wrote to memory of 4940	4496	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe	90
PID 4496 wrote to memory of 4940	4496	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe	90
PID 4496 wrote to memory of 4940	4496	fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe	90
PID 4940 wrote to memory of 1868	4940	Âí.exe	91
PID 4940 wrote to memory of 1868	4940	Âí.exe	91
PID 4940 wrote to memory of 1868	4940	Âí.exe	91
PID 4940 wrote to memory of 1868	4940	Âí.exe	91
PID 4940 wrote to memory of 1868	4940	Âí.exe	91

C:\Users\Admin\AppData\Local\Temp\fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe3d4c25fed10022f092e702bf7981cd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\Temp\XueTr.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\XueTr.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\Temp\Âí.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Âí.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\Temp\Âí.exe
    C:\Users\Admin\AppData\Local\Temp\Temp\Âí.exe
    3⤵
    - Executes dropped EXE
    PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 80
      4⤵
      Program crash
      PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1868 -ip 1868
1⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:8
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Safe Mode Boot

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\XueTr.exe

Filesize
1.4MB

MD5
5fd5b4eb5947806067f5f5aed2df59c6

SHA1
fa738087840042001841f3ca2fb22f091a8bb7a8

SHA256
edd274931524a609a0e9649d1a46061f3c345434f4ba8d09dd4f7f2f4a76f16e

SHA512
ab96b6df9475b8a95df22e70055b9f7082bb8b05032ad20cf2b30519837d023b40632b16f25f88dccca3471e78eb018ffb05c69b3aa2f47f43f8f83ab4f58f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\yzevktxi.sys

Filesize
335KB

MD5
0596f788a66f6855362ff70aa604f1b1

SHA1
75121a1e4e50235209368deedb0f6ec817999960

SHA256
96d1dea3727f2b7ac19d01eb97960131e76e49fa1f19c711d70abb9e7cc96320

SHA512
af02e997f3003b045ac0ad31b2e07ba00792f8126e6420093a9340856dc5687ecc45c40bdf686ff4cdaa00910b2adc7f702fa9a802d4fd9b65fbeb43b70d8c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\yzevktxi.sys

Filesize
335KB

MD5
da266e67f099fff7970e39ade3c55ee7

SHA1
be4144b151db63500c092868f2a3e0231f30fcff

SHA256
6c0993f15e10595090d951f86bdf7feae2a57e23f88c9891ca49eaed7933e61b

SHA512
d08dd5c60b189c8007116b0dd974e0ff2886c6ed1f1a8fdbffe7eb56af38770059d899b7fb188a1b25a9a8e01c788933660af696a1381e9c803de9fbd0ef36cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Âí.exe

Filesize
5.8MB

MD5
0f34ce52d094ceeeda1af7a194c072e7

SHA1
3eca76cf2d64eb6318f499f1bf31d390912936ca

SHA256
12b427262258031c66ce7a4a5f2260f281e5fa45c5bb6b6b9e31fd86e42f4d87

SHA512
554d29a8dc55606bab7e1c17448e687aa822e3250d0fa9cad197872057c0eaefeeeb57c10c3f769a281a0e12122e064b6108400e8d82337494935b150221d5b5

Download Submit
memory/1868-124-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1868-127-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/4428-19-0x0000000075FAF000-0x0000000075FB0000-memory.dmp

Filesize
4KB

Download
memory/4428-17-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4428-130-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4496-112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4496-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4940-129-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/4940-102-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads