chinese_generic_botnet | 15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd

General

Target

7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe
Size

3.7MB
MD5

7095a724461739b15822fd0dd49b327f
SHA1

3d98b504b552c0b86912aaaec3cb9658f8b9260e
SHA256

15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd
SHA512

1753efee3a36f8aeb6fec810433e7f07feef30774b9ba65d6c3487862f88f64fc006e12a166a306f1be1974fb1e50129587897d63b919e700c9dbf8abd1a2272
SSDEEP

98304:g+ESKW5B12R2kdVLOOFzAg8vQ6ygfk537ZP:glSh12ftMgR/R7ZP

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 3 IoCs

botnet

Processes:

resource	yara_rule
behavioral2/memory/4692-26152-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet
behavioral2/memory/4692-26155-0x0000000000400000-0x000000000057C000-memory.dmp	unk_chinese_botnet
behavioral2/memory/1500-26160-0x0000000000400000-0x000000000057C000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

Processes:

QMDesktopAnimation.exelsass.exelsass.exe

pid process

1196 QMDesktopAnimation.exe
4692 lsass.exe
1500 lsass.exe
Loads dropped DLL 1 IoCs

Processes:

QMDesktopAnimation.exe

pid process

1196 QMDesktopAnimation.exe

pid	process
1196	QMDesktopAnimation.exe
4692	lsass.exe
1500	lsass.exe

pid	process
1196	QMDesktopAnimation.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

QMDesktopAnimation.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360°²È«·þÎñ = "C:\\Users\\QMDesktopAnimation.exe"	QMDesktopAnimation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs

Processes:

7095a724461739b15822fd0dd49b327f_JaffaCakes118.exelsass.exelsass.exe

pid	process
2892	7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe
4692	lsass.exe
4692	lsass.exe
1500	lsass.exe
1500	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe
4692	lsass.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe

pid process

2892 7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe
2892 7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

7095a724461739b15822fd0dd49b327f_JaffaCakes118.exeQMDesktopAnimation.exelsass.exelsass.exe

pid	process
2892	7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe
2892	7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe
1196	QMDesktopAnimation.exe
4692	lsass.exe
1500	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7095a724461739b15822fd0dd49b327f_JaffaCakes118.exeQMDesktopAnimation.exe

description	pid	process	target process
PID 2892 wrote to memory of 1196	2892	7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe	QMDesktopAnimation.exe
PID 2892 wrote to memory of 1196	2892	7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe	QMDesktopAnimation.exe
PID 2892 wrote to memory of 1196	2892	7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe	QMDesktopAnimation.exe
PID 1196 wrote to memory of 4692	1196	QMDesktopAnimation.exe	lsass.exe
PID 1196 wrote to memory of 4692	1196	QMDesktopAnimation.exe	lsass.exe
PID 1196 wrote to memory of 4692	1196	QMDesktopAnimation.exe	lsass.exe
PID 1196 wrote to memory of 1500	1196	QMDesktopAnimation.exe	lsass.exe
PID 1196 wrote to memory of 1500	1196	QMDesktopAnimation.exe	lsass.exe
PID 1196 wrote to memory of 1500	1196	QMDesktopAnimation.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7095a724461739b15822fd0dd49b327f_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\QMDesktopAnimation.exe
  C:\Users\QMDesktopAnimation.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4692
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\ExceptCatch.dll

Filesize
2.2MB

MD5
be31e9cbf3aaa02fec9a6dc2fe49b8f1

SHA1
dd554ece008b8d5a9425fa7b5792033e42217484

SHA256
931bd3c45bca3a6766e67870457663ae386c04a4983b57cd10b83c1c5fddd19a

SHA512
9757bee88f27d9e5a860f3a69046e23bbfea39521c09bb59476fcf5e53eea530e04d717ebe1805a0af78c5d8e4cf0d988fe1e94c1e1c5543c89449debe070a0a

Download Submit
C:\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
C:\Users\QMDesktopAnimation.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
memory/1500-16514-0x0000000077250000-0x00000000773F0000-memory.dmp

Filesize
1.6MB

Download
memory/1500-26160-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1500-26156-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1500-18967-0x0000000075C90000-0x0000000075D0A000-memory.dmp

Filesize
488KB

Download
memory/1500-8063-0x00000000756C0000-0x00000000758D5000-memory.dmp

Filesize
2.1MB

Download
memory/2892-3639-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2892-0-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/4692-5898-0x0000000075C90000-0x0000000075D0A000-memory.dmp

Filesize
488KB

Download
memory/4692-3889-0x0000000077250000-0x00000000773F0000-memory.dmp

Filesize
1.6MB

Download
memory/4692-26152-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4692-13-0x00000000756C0000-0x00000000758D5000-memory.dmp

Filesize
2.1MB

Download
memory/4692-26155-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/4692-12-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads