359dcbe6360ff33d39f9218bd9e6f1023c2c6ef34c557abb386d95c5056b08b4

General

Target

JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe
Size

1.1MB
MD5

2a3291a66aa6e728f703550f7adf9ad6
SHA1

181172448f83538584589f2d9574c6d0b9a6acf5
SHA256

359dcbe6360ff33d39f9218bd9e6f1023c2c6ef34c557abb386d95c5056b08b4
SHA512

22294180e6834425aa0abad3d7ba6357ad827edd0f0b1558b41b5a6094a4872db9231c39bad6e89658011c251a7edeb2fa817894f9210f56c74afc25b426e04d
SSDEEP

24576:Y5rSlaS4P/HPBUQwkgOJoshXfdjwqnftr+4d4Ds:YR3PBDwkpJZJ9Ws

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1264	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}	Regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~1\QVOD41\QvodEx.dll	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\idiverser.dat	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.my115.net"	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodEx.QvodExtend	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodEx.QvodExtend\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodEx.QvodExtend\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodEx.QvodExtend\Clsid\ = "{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}\ProgID\ = "QvodEx.QvodExtend"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}\	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}\InprocServer32\ = "C:\\PROGRA~1\\QVOD41\\QvodEx.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60}\ProgID	Regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1708	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	30
PID 2360 wrote to memory of 1264	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	31
PID 2360 wrote to memory of 1264	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	31
PID 2360 wrote to memory of 1264	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	31
PID 2360 wrote to memory of 1264	2360	JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a3291a66aa6e728f703550f7adf9ad6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\PROGRA~1\QVOD41\QvodEx.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\QVOD41\QvodEx.dll

Filesize
572KB

MD5
24de46e8e82fa835bffb7e220c745375

SHA1
cba4995d474fbc30425714b1e6e78c94d9778117

SHA256
f4b6d93fe28c846f307f1b2ab735c5db50cbda3d226369f6bd11edbe141668e9

SHA512
1120c1bec421a17cd81c1b1531b50d6984debe07ba5f8602acb5a3e7d56383274e06b87563b46aaf79e55955b83f0a53b4d1d67e99bda7091ac800f945510a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

Filesize
151B

MD5
3592194d91a762302c6d9da1fa1c76c5

SHA1
bbd57ecfc5265358118aedf07810c8de06e38c4f

SHA256
65326a57224c0283c59b576ce0663b54c18f8a36cb977db1a1749176a46fd78d

SHA512
501ce0925a479ad973779e15bd17601b64773463ec4a765eda2b405fd80e103f74e24658809ff7d3deed49d9701087c3110377a0c4253734f0bac913798d31d1

Download Submit
memory/1708-4-0x00000000005F0000-0x0000000000684000-memory.dmp

Filesize
592KB

Download
memory/2360-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2360-14-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads