Analysis
max time kernel: 141s
max time network: 132s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 13:38
Static task: static1
Behavioral task: behavioral1
Sample: 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
Size: 438KB
MD5: 067e52f8f51d0ebc3500386943f3891c
SHA1: 79cf4bb78b46a77d21b12bf7032c2fbf4a7ed0a2
SHA256: 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
SHA512: b96394357f6f898e7a2528b0c2804b6814aa386fc625fe4d519e0b6b23876633d8471a27d31ba844667b36125fa51fce727feb399075553beb46c4a2b5c76856
SSDEEP: 6144:cBPCuMgwO58zDWoGWT2UUgwB1U5cPAAJUgGqGj+iOMOMEVP1AR/A98gWNlPTGQQt:cTwS8eoGWSb1Lxy2rtAR/zNtTird4
Malware Config
Signatures
Deletes itself (1 IoC)
- pid 2692, process cmd.exe
Executes dropped EXE (1 IoC)
- pid 2160, process Hacker.com.cn.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe)
- File opened for modification: \??\PhysicalDrive0 (process Hacker.com.cn.exe)
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process Hacker.com.cn.exe)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\Hacker.com.cn.exe (process 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Hacker.com.cn.exe (process 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe)
- File created: C:\Windows\uninstal.bat (process 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe)
Modifies data under HKEY_USERS (28 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 2908, process 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
- Token: SeDebugPrivilege, pid 2160, process Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
- pid 2160, process Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2908 (067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe) wrote to memory of PID 2692, procid_target 29 (seven identical entries recorded)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"
  PID: 2908
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    PID: 2692
    - Deletes itself
Level 1: C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 2160
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 438KB
MD5: 067e52f8f51d0ebc3500386943f3891c
SHA1: 79cf4bb78b46a77d21b12bf7032c2fbf4a7ed0a2
SHA256: 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
SHA512: b96394357f6f898e7a2528b0c2804b6814aa386fc625fe4d519e0b6b23876633d8471a27d31ba844667b36125fa51fce727feb399075553beb46c4a2b5c76856

Filesize: 218B
MD5: 53fac45070988c2db633617ac2217025
SHA1: 38812f982c7c84cd392165b46f51d70a0cd76b32
SHA256: 23c950293e0983f6bab3a1ba52af275a06c6a445e542ac45fe438b975213677f
SHA512: 9a1eeac606a56141201fc9d6b5a1a1ea444b0c4619fb0743d2e5ccf4143d9459b59e4863ac201072e8bae02f93d23c2135ffdaceee2cf3c460b3a2975ba81d0f