db8557e594afb0f837c2f1c97e86706437cb9d068b15636168804a560c2f0df4

Analysis

max time kernel
127s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Size

675KB
MD5

f83dd736ae802ad5736565e0ecf75c04
SHA1

71ffb2cc6ecd75e14c1c453e252f4def07015a78
SHA256

db8557e594afb0f837c2f1c97e86706437cb9d068b15636168804a560c2f0df4
SHA512

dfad3feb8cb5e049ca887809d9db4e2a72693c450005085f0ef8e732d15dd4cff5371c5da74d4eb08cbfad97211fd81de89676603a47d5304e97eb327dea19cb
SSDEEP

12288:a/oP0Uvh+8be/pbNHzO7G6UsWF3Z4mxxlxPCjcngNPI:a/ovvMCeRbNTOq66QmXiNPI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\InprocServer32\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\Version	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\Version\ = "5.4"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\TypeLib\ = "{668F4C7B-F234-3BCC-8670-265894FAEB00}"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\VersionIndependentProgID\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\wlidcli.dll"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\win64	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\FLAGS\ = "0"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\TypeLib	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\ProgID	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\ProgID\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\ = "UIProxy 1.0 Type Library"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\VersionIndependentProgID	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\VersionIndependentProgID\ = "Sapi.SpSharedRecognizer"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\win32\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\wlidcli.dll"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\TypeLib\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\win64\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\ProgID\ = "Sapi.SpSharedRecognizer.1"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\win32	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\ = "Ozasoboh Camori"	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\FLAGS\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\Version\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2764845A-6CFC-4B90-C4B0-3016918734AC}\InprocServer32	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\0\	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{668F4C7B-F234-3BCC-8670-265894FAEB00}\1.0\FLAGS	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
Token: SeDebugPrivilege	2364	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2364	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4760	2364	Hacker.com.cn.exe	92
PID 2364 wrote to memory of 4760	2364	Hacker.com.cn.exe	92
PID 4980 wrote to memory of 2960	4980	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	95
PID 4980 wrote to memory of 2960	4980	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	95
PID 4980 wrote to memory of 2960	4980	f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83dd736ae802ad5736565e0ecf75c04_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2960

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
675KB

MD5
f83dd736ae802ad5736565e0ecf75c04

SHA1
71ffb2cc6ecd75e14c1c453e252f4def07015a78

SHA256
db8557e594afb0f837c2f1c97e86706437cb9d068b15636168804a560c2f0df4

SHA512
dfad3feb8cb5e049ca887809d9db4e2a72693c450005085f0ef8e732d15dd4cff5371c5da74d4eb08cbfad97211fd81de89676603a47d5304e97eb327dea19cb

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
640a02561f1000d83a69dedcb07b8bf1

SHA1
6e6af232278a7b956becada10e051d36679517a4

SHA256
a7b439f0e92b03882d8acb90c17de6ce4f91840d8cb5865d0bd28e946da1536d

SHA512
63bfd6752d1c870ade8193e9f8e9e1c971961aca74f90a846f71b6e8ecf6010b89cba7be37032bf5fdad02650028d2a3e59d6fae98382551a78d1a198a7fef2b

Download Submit
memory/2364-31-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2364-38-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2364-39-0x0000000000DE0000-0x0000000000E34000-memory.dmp

Filesize
336KB

Download
memory/2364-32-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2364-40-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2364-30-0x0000000000DE0000-0x0000000000E34000-memory.dmp

Filesize
336KB

Download
memory/2364-29-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2364-28-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2364-26-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/2364-27-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2364-25-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2364-24-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4980-9-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4980-0-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4980-18-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4980-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4980-19-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4980-21-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/4980-14-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4980-13-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/4980-12-0x00000000034D0000-0x00000000034D4000-memory.dmp

Filesize
16KB

Download
memory/4980-11-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/4980-10-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4980-17-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4980-8-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4980-7-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4980-5-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4980-6-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4980-35-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4980-36-0x0000000002310000-0x0000000002364000-memory.dmp

Filesize
336KB

Download
memory/4980-4-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4980-3-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4980-2-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4980-1-0x0000000002310000-0x0000000002364000-memory.dmp

Filesize
336KB

Download