8dd4b8fd752fa98e88b769075f53feb82a9de4f52c34fc0004e7ff106fc19104

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe
Size

710KB
MD5

fd6629d866521178018e9b48fdc360d8
SHA1

555241dea2c2229487c43ed73bf7e2d8ece6bc46
SHA256

8dd4b8fd752fa98e88b769075f53feb82a9de4f52c34fc0004e7ff106fc19104
SHA512

85c455f755e94b807423e90d50f60d2c0973a6078a36c19961146d9292bd37aa5613c22e60012d5665e2df3bdf8c6b209f08a8472a334a8fcd69a11f5cb8b1ff
SSDEEP

12288:8LKNuXbvY4S4cTDyC+MG0Owcnml0KoonWixh3ZF3Z4mxxSnZ06aubDoAD75n+:4AurvSnTD0HwceDnWirZQmXSZVaubDoj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2568	SERVER~1.EXE
2496	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1808	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe
1808	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	SERVER~1.EXE
File created	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	SERVER~1.EXE
Token: SeDebugPrivilege	2496	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2568	1808	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2568	1808	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2568	1808	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2568	1808	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	28
PID 2496 wrote to memory of 2640	2496	Hacker.com.cn.exe	30
PID 2496 wrote to memory of 2640	2496	Hacker.com.cn.exe	30
PID 2496 wrote to memory of 2640	2496	Hacker.com.cn.exe	30
PID 2496 wrote to memory of 2640	2496	Hacker.com.cn.exe	30
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31
PID 2568 wrote to memory of 2400	2568	SERVER~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2400

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
341KB

MD5
38f8f6fe13566b6a5cdd76d7ba1af712

SHA1
b7484602b26ceba5925e88fea24bc44164f055d1

SHA256
55c7250cdbd7b723154a97ff4b8839d5545950c665c6add7120d77b967b39faf

SHA512
ec5b6ca6c91587a38e2934a88367dd3a54fa3fc2ef03db6bcdf474e09fbca1aa79a6f24e3eefbcc79537d28778b880fb5af13ee270bf83b15be944da0ce32157

Download Submit
memory/1808-9-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1808-11-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/1808-28-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1808-27-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1808-26-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1808-25-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1808-24-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1808-23-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1808-22-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1808-21-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1808-20-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1808-17-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1808-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1808-15-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1808-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1808-12-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1808-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1808-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-13-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1808-0-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/1808-4-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1808-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1808-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1808-7-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1808-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1808-33-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1808-32-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/1808-31-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1808-30-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1808-29-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1808-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1808-57-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/1808-56-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/1808-1-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/2496-47-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2496-59-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2496-61-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2568-55-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2568-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads