0e58d5d2d86f0f81ed2edf437cf8a4b0625dbcbb40c8e93105e0052b06a6d642

General

Target

2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe
Size

3.6MB
MD5

2ceaa5d98ae9ad461d09b8f8c945f984
SHA1

60e8e61a99b860210f14fde97db7ae3c98bd01f4
SHA256

0e58d5d2d86f0f81ed2edf437cf8a4b0625dbcbb40c8e93105e0052b06a6d642
SHA512

572c1b9061b2c387695ed0c32f4e62dac95ce1588cf02fa17ae07538f199ea1e2d19d6ba3dde66d08d6dbd61fa4afdbc77b502c7ab6a2c34610e623a481c405f
SSDEEP

98304:EO7RKr7Gyi8yiNyi8y4y6RKr7Gyi8yifydfy4RKr7Gyi8yify1yifydfy4RKr7Gf:EJPGyi8yiNyi8y4y/PGyi8yifydfy5Px

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fkehm.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\fkehm.sys"	qpkmws.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	qpkmws.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe
2380	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/files/0x0007000000012117-5.dat	upx
behavioral1/memory/2380-12-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/2248-35-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpkmws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	qpkmws.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2248	qpkmws.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	qpkmws.exe
Token: SeLoadDriverPrivilege	2248	qpkmws.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2248	qpkmws.exe
2248	qpkmws.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2248	2380	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2248	2380	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2248	2380	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2248	2380	2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2872	2248	qpkmws.exe	33
PID 2248 wrote to memory of 2872	2248	qpkmws.exe	33
PID 2248 wrote to memory of 2872	2248	qpkmws.exe	33
PID 2248 wrote to memory of 2872	2248	qpkmws.exe	33

C:\Users\Admin\AppData\Local\Temp\2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ceaa5d98ae9ad461d09b8f8c945f984_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\qpkmws.exe
  C:\Users\Admin\AppData\Local\Temp\qpkmws.exe -run
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\qpkmws.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qpkmws.bat

Filesize
139B

MD5
c9335e8146938002c9090828f3308cf6

SHA1
c071d4d9de56f222137c317aa6dcd6eb52d34752

SHA256
9b229e7f71b8e2c0eda72a94092bc4b245ff524799faaed90e6469ab44f8defd

SHA512
31209a2c34f917f884010b74b9f4c64d98744fea8e985f1e914d7e76ab703c80beb9cd6ec9883d4512beb12cb437ad4e428d7d862ec46505579e9cd1e37d53ff

Download Submit
\Users\Admin\AppData\Local\Temp\qpkmws.exe

Filesize
4.4MB

MD5
a05dbcb1d2f668b2b8e5b2a683a9369e

SHA1
f37b642accf50f557cc240237cc1ecc8fecd9272

SHA256
c7054c8ea78f63d32a4761ac12f8a438317e4dd017e428d84dbb46417bb3b3f3

SHA512
b78cb7e0b0ba499236fc95f99be40dc6c36f94dbf6d0ba177fe2db658b8feb6c738673096e19c17cff5e2ce6a0870c2e3da91275860d91944f4beb05a80a0b12

Download Submit
memory/2248-14-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2248-35-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2380-0-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2380-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2380-12-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2380-10-0x0000000002040000-0x00000000020F9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads