aa49cfd5573d9f0c9293907d412ad07d63bb1ba989f27667b01a6e498480b304

General

Target

f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe
Size

551KB
MD5

f61d4662a415c9057b633e009eeedff8
SHA1

039999bc4d1951f5125e6e40c08edb8b203b78bd
SHA256

aa49cfd5573d9f0c9293907d412ad07d63bb1ba989f27667b01a6e498480b304
SHA512

9b3e9409317f61854ebf5791c80a396c5bd3a47af51dc0ac157079200f2bc8e4e1160d12e69bb31b47eecbfdade6822ae7f322318f86c783a72817a3cbce82ed
SSDEEP

12288:ts1Q0RGXqkAvRbQxARoOaqObVHQo30ve2vZd4:t0fPpJoOaHyRGsZK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
880	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe
Token: SeDebugPrivilege	880	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
880	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4560	880	Hacker.com.cn.exe	92
PID 880 wrote to memory of 4560	880	Hacker.com.cn.exe	92
PID 2380 wrote to memory of 4052	2380	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe	95
PID 2380 wrote to memory of 4052	2380	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe	95
PID 2380 wrote to memory of 4052	2380	f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f61d4662a415c9057b633e009eeedff8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4052

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:880
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
551KB

MD5
f61d4662a415c9057b633e009eeedff8

SHA1
039999bc4d1951f5125e6e40c08edb8b203b78bd

SHA256
aa49cfd5573d9f0c9293907d412ad07d63bb1ba989f27667b01a6e498480b304

SHA512
9b3e9409317f61854ebf5791c80a396c5bd3a47af51dc0ac157079200f2bc8e4e1160d12e69bb31b47eecbfdade6822ae7f322318f86c783a72817a3cbce82ed

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
dbf6a68e8f91531f359981c182e27ac3

SHA1
a3b8c16e061599e33428239e6ba69eb5ff82ba1d

SHA256
bdea8526c4e1aedcdc80b9795002167610784445b6e249fe32c410cda33900e2

SHA512
39b7cd587165ef9a9821eefcb1dc71d934174e7b899d17d1a5f248abfabf21e18a22c054e5b6dd58004c03122d4d3ac45905b530b78076921d0c110e2e687068

Download Submit
memory/880-34-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/880-33-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/880-21-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/880-22-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/880-23-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/880-24-0x0000000001620000-0x0000000001621000-memory.dmp

Filesize
4KB

Download
memory/880-25-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/880-26-0x0000000000AF0000-0x0000000000B3B000-memory.dmp

Filesize
300KB

Download
memory/880-27-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/2380-12-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2380-10-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2380-8-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x0000000002A40000-0x0000000002A43000-memory.dmp

Filesize
12KB

Download
memory/2380-9-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2380-6-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2380-0-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2380-13-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2380-14-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2380-15-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2380-31-0x0000000000B10000-0x0000000000B5B000-memory.dmp

Filesize
300KB

Download
memory/2380-16-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2380-30-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2380-11-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000B10000-0x0000000000B5B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing