c92d52915adc6b3a4502451466830c465e0777e38919eee71eb01e15c882f151

General

Target

f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe
Size

633KB
MD5

f2b00b844b03ba7fd666c9ac67082c7a
SHA1

0753b50e4eb048e0f07759d0e43cc8d9f9336790
SHA256

c92d52915adc6b3a4502451466830c465e0777e38919eee71eb01e15c882f151
SHA512

1fe5a359c96e1e0d2c7022f2fda25ed824646be09463e26dd58b4f2e064648fe2c70c44295b223cd80012ac76b278d3ec1979c6d46dbf8e03c4ffe891ffe10a8
SSDEEP

12288:eS7kG3qDgB1r2KEVb3uJ+O0F3Z4mxx2DqVTVOCzQl:p7klw1rW+JN0QmXVVTzzQl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4744	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe
Token: SeDebugPrivilege	4744	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4744	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 216	4304	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe	95
PID 4304 wrote to memory of 216	4304	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe	95
PID 4304 wrote to memory of 216	4304	f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2b00b844b03ba7fd666c9ac67082c7a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:216

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
633KB

MD5
f2b00b844b03ba7fd666c9ac67082c7a

SHA1
0753b50e4eb048e0f07759d0e43cc8d9f9336790

SHA256
c92d52915adc6b3a4502451466830c465e0777e38919eee71eb01e15c882f151

SHA512
1fe5a359c96e1e0d2c7022f2fda25ed824646be09463e26dd58b4f2e064648fe2c70c44295b223cd80012ac76b278d3ec1979c6d46dbf8e03c4ffe891ffe10a8

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
0b95d32c9fb967e5272b5655546cd223

SHA1
2e3b12a355fc9f256e502139f088571f9c80220f

SHA256
a0699c5e131d704669f5e16d44dfd1a86309bf7abe990f328fb599e1bcc9d14a

SHA512
8593ba3d9d351546eebc97a41fd45377fbcd3b7847bbe20942132cebfd1f5f6ec15eaa40647b8b998a37248007e36cbf7373206d0f0f5581f5fa1a87b076c8f1

Download Submit
memory/4304-18-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4304-21-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4304-4-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4304-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4304-7-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4304-8-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4304-6-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4304-9-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4304-20-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4304-11-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/4304-12-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4304-15-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4304-16-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4304-17-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4304-3-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4304-0-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4304-10-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4304-19-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/4304-1-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/4304-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4304-35-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/4304-34-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4744-28-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4744-27-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/4744-29-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/4744-30-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/4744-31-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4744-26-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4744-25-0x0000000000910000-0x0000000000964000-memory.dmp

Filesize
336KB

Download
memory/4744-24-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4744-37-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4744-38-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing