Analysis
max time kernel: 142s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
Size: 747KB
MD5: 05836305fde247e02b18d9be1e318d6a
SHA1: 63dbe04619e978480b36cc3721bcd41baa882d49
SHA256: 19008f4e0a25e22bbf28d81bb34ef0081c27d319280bd7876af80c9c1a679368
SHA512: 4c152c33ec2a6cadae2a415f67fd2942f3fcd419f32f0ee812fe0226308cecdf3c3a6cb550a542170a3d312ade7178d5e81fd1a8debc1bbf3d986e269270df36
SSDEEP: 12288:7RyTSklU4g/n/t0EW5A0zyYvJwQ5oAlK+IRbvHbIk6bQQ52LvRg08y5HR6Z6:1SlU4gf2EW5A2DJr/khbv7Ik6S3i
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  4908 | Hacker.com.cn.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Hacker.com.cn.exe | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
  File opened for modification | C:\Windows\Hacker.com.cn.exe | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
  File created | C:\Windows\uninstal.bat | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe

Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Hacker.com.cn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | Hacker.com.cn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Hacker.com.cn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | Hacker.com.cn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2516 | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4908 | Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4908 | Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4908 wrote to memory of 512 | 4908 | Hacker.com.cn.exe | 85
  PID 4908 wrote to memory of 512 | 4908 | Hacker.com.cn.exe | 85
  PID 2516 wrote to memory of 3116 | 2516 | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe | 86
  PID 2516 wrote to memory of 3116 | 2516 | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe | 86
  PID 2516 wrote to memory of 3116 | 2516 | 05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe"
  PID: 2516
  Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    PID: 3116

C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 4908
  Signatures:
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  Child process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 512
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 747KB
  MD5: 05836305fde247e02b18d9be1e318d6a
  SHA1: 63dbe04619e978480b36cc3721bcd41baa882d49
  SHA256: 19008f4e0a25e22bbf28d81bb34ef0081c27d319280bd7876af80c9c1a679368
  SHA512: 4c152c33ec2a6cadae2a415f67fd2942f3fcd419f32f0ee812fe0226308cecdf3c3a6cb550a542170a3d312ade7178d5e81fd1a8debc1bbf3d986e269270df36

File 2
  Filesize: 218B
  MD5: 47f91e83fc7e301bdca33d781ded94e1
  SHA1: af88f5af927da5deef192fbe742b3d516a156a64
  SHA256: 241b2795b5e4b7488688dd790dea4624a17742a9c120f6a60c8db9763541c4b3
  SHA512: 4f6c47ebf10d7b2ba7e3507cac7ef3c1266013cf3dbe3db1f6ef050786844953c95aa33f7952f781e4fd0e1dd02056992a7494d4856daee64e815d1f7e83ddff