19008f4e0a25e22bbf28d81bb34ef0081c27d319280bd7876af80c9c1a679368

Analysis

max time kernel
142s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 11:19

Target

05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
Size

747KB
MD5

05836305fde247e02b18d9be1e318d6a
SHA1

63dbe04619e978480b36cc3721bcd41baa882d49
SHA256

19008f4e0a25e22bbf28d81bb34ef0081c27d319280bd7876af80c9c1a679368
SHA512

4c152c33ec2a6cadae2a415f67fd2942f3fcd419f32f0ee812fe0226308cecdf3c3a6cb550a542170a3d312ade7178d5e81fd1a8debc1bbf3d986e269270df36
SSDEEP

12288:7RyTSklU4g/n/t0EW5A0zyYvJwQ5oAlK+IRbvHbIk6bQQ52LvRg08y5HR6Z6:1SlU4gf2EW5A2DJr/khbv7Ik6S3i

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4908	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
Token: SeDebugPrivilege	4908	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4908	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 512	4908	Hacker.com.cn.exe	85
PID 4908 wrote to memory of 512	4908	Hacker.com.cn.exe	85
PID 2516 wrote to memory of 3116	2516	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe	86
PID 2516 wrote to memory of 3116	2516	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe	86
PID 2516 wrote to memory of 3116	2516	05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05836305fde247e02b18d9be1e318d6a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3116

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:512

C:\Windows\Hacker.com.cn.exe

Filesize
747KB

MD5
05836305fde247e02b18d9be1e318d6a

SHA1
63dbe04619e978480b36cc3721bcd41baa882d49

SHA256
19008f4e0a25e22bbf28d81bb34ef0081c27d319280bd7876af80c9c1a679368

SHA512
4c152c33ec2a6cadae2a415f67fd2942f3fcd419f32f0ee812fe0226308cecdf3c3a6cb550a542170a3d312ade7178d5e81fd1a8debc1bbf3d986e269270df36

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
47f91e83fc7e301bdca33d781ded94e1

SHA1
af88f5af927da5deef192fbe742b3d516a156a64

SHA256
241b2795b5e4b7488688dd790dea4624a17742a9c120f6a60c8db9763541c4b3

SHA512
4f6c47ebf10d7b2ba7e3507cac7ef3c1266013cf3dbe3db1f6ef050786844953c95aa33f7952f781e4fd0e1dd02056992a7494d4856daee64e815d1f7e83ddff

Download Submit
memory/2516-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2516-1-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2516-10-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4908-6-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4908-7-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4908-12-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4908-13-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download