5479e9b06ea8773617411f286263356970795cfd6473e2acbf9f1f60367cca57

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
Size

631KB
MD5

064785a185279296229b5c4ac0c789ef
SHA1

137e2609d96ce80c074ac77114b11fdd24abc850
SHA256

5479e9b06ea8773617411f286263356970795cfd6473e2acbf9f1f60367cca57
SHA512

05f60d711f99c958bb4c904be8cb7080ad5f572d335ee4e9ad01e8cddde2d010b04177f3f2787250141796e20aedad16dd5a3fbba01a0d80b0de6578eeff7aa9
SSDEEP

12288:AzbV3qR4M+1Aq5vNd8Tcr2WEzSZh7rEF3Z4mxxlRDGdAp4feSAAoO6A3uMd:AzbRq1/q5v78owzSZh7rEQmXnDu2SpoE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3908	Hacker.com.cn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
Token: SeDebugPrivilege	3908	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe
3908	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3736	3908	Hacker.com.cn.exe	82
PID 3908 wrote to memory of 3736	3908	Hacker.com.cn.exe	82

C:\Users\Admin\AppData\Local\Temp\064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
631KB

MD5
064785a185279296229b5c4ac0c789ef

SHA1
137e2609d96ce80c074ac77114b11fdd24abc850

SHA256
5479e9b06ea8773617411f286263356970795cfd6473e2acbf9f1f60367cca57

SHA512
05f60d711f99c958bb4c904be8cb7080ad5f572d335ee4e9ad01e8cddde2d010b04177f3f2787250141796e20aedad16dd5a3fbba01a0d80b0de6578eeff7aa9

Download Submit
memory/1860-16-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1860-15-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1860-35-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1860-34-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1860-33-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/1860-32-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1860-31-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-30-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-29-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-28-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-27-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-26-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-25-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-24-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-23-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-22-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1860-21-0x0000000003380000-0x0000000003383000-memory.dmp

Filesize
12KB

Download
memory/1860-0-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1860-19-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1860-18-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1860-36-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1860-17-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1860-20-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1860-14-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1860-13-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1860-12-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1860-11-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/1860-10-0x0000000003380000-0x0000000003480000-memory.dmp

Filesize
1024KB

Download
memory/1860-9-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1860-8-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1860-7-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1860-6-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1860-5-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1860-4-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1860-3-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1860-2-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x0000000000A40000-0x0000000000A94000-memory.dmp

Filesize
336KB

Download
memory/1860-37-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1860-42-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1860-43-0x0000000000A40000-0x0000000000A94000-memory.dmp

Filesize
336KB

Download
memory/3908-44-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3908-45-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3908-49-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download