8dd4b8fd752fa98e88b769075f53feb82a9de4f52c34fc0004e7ff106fc19104

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe
Size

710KB
MD5

fd6629d866521178018e9b48fdc360d8
SHA1

555241dea2c2229487c43ed73bf7e2d8ece6bc46
SHA256

8dd4b8fd752fa98e88b769075f53feb82a9de4f52c34fc0004e7ff106fc19104
SHA512

85c455f755e94b807423e90d50f60d2c0973a6078a36c19961146d9292bd37aa5613c22e60012d5665e2df3bdf8c6b209f08a8472a334a8fcd69a11f5cb8b1ff
SSDEEP

12288:8LKNuXbvY4S4cTDyC+MG0Owcnml0KoonWixh3ZF3Z4mxxSnZ06aubDoAD75n+:4AurvSnTD0HwceDnWirZQmXSZVaubDoj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4176	SERVER~1.EXE
2460	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	SERVER~1.EXE
Token: SeDebugPrivilege	2460	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2460	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4176	4852	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	84
PID 4852 wrote to memory of 4176	4852	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	84
PID 4852 wrote to memory of 4176	4852	fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe	84
PID 4176 wrote to memory of 3620	4176	SERVER~1.EXE	90
PID 4176 wrote to memory of 3620	4176	SERVER~1.EXE	90
PID 4176 wrote to memory of 3620	4176	SERVER~1.EXE	90
PID 2460 wrote to memory of 1096	2460	Hacker.com.cn.exe	89
PID 2460 wrote to memory of 1096	2460	Hacker.com.cn.exe	89

C:\Users\Admin\AppData\Local\Temp\fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd6629d866521178018e9b48fdc360d8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3620

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
341KB

MD5
38f8f6fe13566b6a5cdd76d7ba1af712

SHA1
b7484602b26ceba5925e88fea24bc44164f055d1

SHA256
55c7250cdbd7b723154a97ff4b8839d5545950c665c6add7120d77b967b39faf

SHA512
ec5b6ca6c91587a38e2934a88367dd3a54fa3fc2ef03db6bcdf474e09fbca1aa79a6f24e3eefbcc79537d28778b880fb5af13ee270bf83b15be944da0ce32157

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
memory/2460-49-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2460-44-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4176-45-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4176-37-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4852-24-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4852-26-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4852-8-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4852-11-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4852-12-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4852-15-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4852-14-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/4852-13-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4852-16-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4852-17-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/4852-19-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4852-5-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4852-22-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4852-21-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4852-0-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/4852-25-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4852-27-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4852-7-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4852-28-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4852-29-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4852-31-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4852-30-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4852-32-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4852-33-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/4852-34-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4852-35-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4852-36-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/4852-6-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4852-4-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4852-3-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4852-46-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/4852-2-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/4852-48-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/4852-1-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads