e02121138494c3d9dd2fd562645cc3ac1eafa1f28c8fe8e7f2c072f80734e5ad

General

Target

00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe
Size

2.3MB
MD5

00b90a228239015a6ae5e91f645300af
SHA1

0b94ebb85712d03a5b4f545833a055420a23e321
SHA256

e02121138494c3d9dd2fd562645cc3ac1eafa1f28c8fe8e7f2c072f80734e5ad
SHA512

9fd2054d4341d703a66d93d6aa58de0a2f2113e6dcea0eccb5082d5a6b36e22a4cc96df8df0921b744fec12e5a3651f00ecce53826c9a9ba2fb2fcd5daa5e54e
SSDEEP

49152:fDfK+gW5pdhoi11+qkPmMbi+Ncu87dlzhDhgMMMZMMMACh43Dp/wPHv:fDfz33dhR11Rkg7NeMMMZMMMACh431/G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1680	KartRider.exe
2292	Server_Setup.exe
2832	Hacker.com.cn.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\KartRider.exe	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe
File opened for modification	C:\Windows\KartRider.exe	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe
File created	C:\Windows\Server_Setup.exe	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe
File opened for modification	C:\Windows\Server_Setup.exe	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe
File created	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	Server_Setup.exe
Token: SeDebugPrivilege	2832	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1680	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	28
PID 2220 wrote to memory of 1680	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	28
PID 2220 wrote to memory of 1680	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	28
PID 2220 wrote to memory of 1680	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2292	2220	00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2936	2832	Hacker.com.cn.exe	31
PID 2832 wrote to memory of 2936	2832	Hacker.com.cn.exe	31
PID 2832 wrote to memory of 2936	2832	Hacker.com.cn.exe	31
PID 2832 wrote to memory of 2936	2832	Hacker.com.cn.exe	31

C:\Users\Admin\AppData\Local\Temp\00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00b90a228239015a6ae5e91f645300af_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\KartRider.exe
  "C:\Windows\KartRider.exe"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Server_Setup.exe
  "C:\Windows\Server_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2292

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\KartRider.exe

Filesize
1.6MB

MD5
231d94d7d3b781f974846d2d8809ce55

SHA1
c90e9ddf6e08d0804161783275fe2a70b2b3cba8

SHA256
68e9814ff7e3095eb6efe0449005baeedd98feedf94fd95a1a54a33cb28983ac

SHA512
e97b2f68cdcded9edddbf4384ee878fca14edc753bfe7f35f7a0ec145351a010a565e958e74f303b64b4eabd290c56e6e7c389181a56acc8b2844218553a9c2b

Download Submit
C:\Windows\Server_Setup.exe

Filesize
743KB

MD5
6860e48870281c5773da51c8639eb85b

SHA1
5a461e8a1960f26794c0e770805dda188e3526bc

SHA256
eb87882a1d7cd501c13d19be7b28be404461cdc6ba7aaee8e37cf590b5ca6232

SHA512
60836ea884b0e2be2567ed425038407c27dcaf082d3e722abcd7489661fbadd756be9cb36e58cab6bbccfe61a92c576d5cb611fb2f21787d8a3aeb36223f36c3

Download Submit
memory/1680-19-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/2220-12-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2292-18-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2832-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2832-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2832-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing