db8557e594afb0f837c2f1c97e86706437cb9d068b15636168804a560c2f0df4

Analysis

max time kernel
127s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Size

675KB
MD5

f83dd736ae802ad5736565e0ecf75c04
SHA1

71ffb2cc6ecd75e14c1c453e252f4def07015a78
SHA256

db8557e594afb0f837c2f1c97e86706437cb9d068b15636168804a560c2f0df4
SHA512

dfad3feb8cb5e049ca887809d9db4e2a72693c450005085f0ef8e732d15dd4cff5371c5da74d4eb08cbfad97211fd81de89676603a47d5304e97eb327dea19cb
SSDEEP

12288:a/oP0Uvh+8be/pbNHzO7G6UsWF3Z4mxxlxPCjcngNPI:a/ovvMCeRbNTOq66QmXiNPI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2420	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\ToolboxBitmap32\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\0\win32\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\0\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\FLAGS\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\HELPDIR\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Version	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Version\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\MiscStatus	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\0	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\TypeLib\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\InprocServer32	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Programmable	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\0\win32	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\0\win32\ = "%CommonProgramFiles%\\System\\ado\\msado27.tlb"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\FLAGS	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\HELPDIR	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Implemented Categories	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Implemented Categories\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\MiscStatus\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\MiscStatus\ = "0"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX, 2"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\ = "Microsoft ActiveX Data Objects 2.7 Library"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Version\ = "2.0"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\ = "Jeneqe Adebeqif Object"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\Programmable\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\ToolboxBitmap32	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\FLAGS\ = "0"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7\HELPDIR\ = "%SystemRoot%\\HELP"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\TypeLib	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\TypeLib\ = "{9068857D-1EDC-16AC-4618-DE7B25C7A973}"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64934348-332C-4731-7D9A-0F8CE2AB347F}\InprocServer32\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9068857D-1EDC-16AC-4618-DE7B25C7A973}\2.7	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Token: SeDebugPrivilege	1916	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1916	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2520	1916	Hacker.com.cn.exe	29
PID 1916 wrote to memory of 2520	1916	Hacker.com.cn.exe	29
PID 1916 wrote to memory of 2520	1916	Hacker.com.cn.exe	29
PID 1916 wrote to memory of 2520	1916	Hacker.com.cn.exe	29
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2420	2020	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2420

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
675KB

MD5
f83dd736ae802ad5736565e0ecf75c04

SHA1
71ffb2cc6ecd75e14c1c453e252f4def07015a78

SHA256
db8557e594afb0f837c2f1c97e86706437cb9d068b15636168804a560c2f0df4

SHA512
dfad3feb8cb5e049ca887809d9db4e2a72693c450005085f0ef8e732d15dd4cff5371c5da74d4eb08cbfad97211fd81de89676603a47d5304e97eb327dea19cb

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
640a02561f1000d83a69dedcb07b8bf1

SHA1
6e6af232278a7b956becada10e051d36679517a4

SHA256
a7b439f0e92b03882d8acb90c17de6ce4f91840d8cb5865d0bd28e946da1536d

SHA512
63bfd6752d1c870ade8193e9f8e9e1c971961aca74f90a846f71b6e8ecf6010b89cba7be37032bf5fdad02650028d2a3e59d6fae98382551a78d1a198a7fef2b

Download Submit
memory/1916-30-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1916-43-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1916-44-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/1916-32-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1916-45-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1916-28-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/1916-29-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/1916-26-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1916-27-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1916-25-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1916-24-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/1916-23-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2020-12-0x0000000003270000-0x0000000003274000-memory.dmp

Filesize
16KB

Download
memory/2020-0-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2020-16-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/2020-17-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2020-18-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2020-19-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2020-14-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2020-13-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2020-2-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2020-3-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2020-4-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/2020-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2020-5-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2020-6-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2020-8-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/2020-9-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2020-40-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2020-41-0x0000000001D60000-0x0000000001DB4000-memory.dmp

Filesize
336KB

Download
memory/2020-10-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000001D60000-0x0000000001DB4000-memory.dmp

Filesize
336KB

Download