2df5d2ee8c221fe741d9d301409be4868e6feb04674189b6253da70bf71f5473

General

Target

e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe
Size

686KB
MD5

e9cc3f895b2e1b9f87ae5d2fe8507b1b
SHA1

9e0b79f9d8c8052830f2d8d7d0212cf1142e977c
SHA256

2df5d2ee8c221fe741d9d301409be4868e6feb04674189b6253da70bf71f5473
SHA512

1214277fba074fc23fceaee8878ace807840f77b659f1a5d931c6cc26fe9338a6b7f904ad7888bb326f1f4d814c297d84bc267b81df7ff73f934a835facc355f
SSDEEP

12288:LDLROYLHp4eCEYLD8Oow/JF3Z4mxxXQW/8i7jzzN5:LoEs8k/JQmXXjzzN5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2572	Server.exe
2680	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe
3016	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server.exe
File created	C:\Windows\uninstal.BAT	Server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	Server.exe
Token: SeDebugPrivilege	2680	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2572	3016	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe	28
PID 3016 wrote to memory of 2572	3016	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe	28
PID 3016 wrote to memory of 2572	3016	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe	28
PID 3016 wrote to memory of 2572	3016	e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe	28
PID 2572 wrote to memory of 2584	2572	Server.exe	30
PID 2572 wrote to memory of 2584	2572	Server.exe	30
PID 2572 wrote to memory of 2584	2572	Server.exe	30
PID 2572 wrote to memory of 2584	2572	Server.exe	30
PID 2572 wrote to memory of 2584	2572	Server.exe	30
PID 2572 wrote to memory of 2584	2572	Server.exe	30
PID 2572 wrote to memory of 2584	2572	Server.exe	30

C:\Users\Admin\AppData\Local\Temp\e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9cc3f895b2e1b9f87ae5d2fe8507b1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.BAT
    3⤵
    PID:2584

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.BAT

Filesize
160B

MD5
4ced06d1fa433eb596b410ee3582ee51

SHA1
f29a4d41868b304dc6bbcf29ed0cf572f9084f7a

SHA256
3b1fa21cf2a3d31848a6f74603c5cedb3c91fca4e40eec9a541fa6315e952a6d

SHA512
10ec61fdc514bcd7ac2948dd9ef207a67f406428d7e021c9fef1908f6d65fc3534269230040446aae8797fd980fb91b219c19aff1cc73d97683595544cf749dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
746KB

MD5
faf4e1b8f4d1a61585caa88190e27993

SHA1
86c912e710bcf3e1750bd5179ba55c9430fb46e7

SHA256
4c5f2e02d231219d614a58e4df7d96e3d8d06cd9054c0b7ba8b33d8476ec2b5b

SHA512
2287df325422699b27ad3842c3a14b4822de26bb03625f9c8c69df45f2b634c2d40482fc1f5cdf8c1c3e336f665dd455794f5ae6db518980074385a2c615d826

Download Submit
memory/2572-47-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2572-34-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-53-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2680-51-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2680-39-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3016-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3016-18-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3016-17-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3016-16-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3016-15-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3016-14-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3016-13-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3016-12-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3016-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/3016-10-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3016-9-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3016-8-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3016-19-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3016-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3016-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3016-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3016-20-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3016-21-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/3016-22-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3016-23-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3016-24-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3016-48-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/3016-49-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/3016-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads