Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 13:38
Static task
- static1
Behavioral task
- behavioral1
  Sample: 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
- Size: 438KB
- MD5: 067e52f8f51d0ebc3500386943f3891c
- SHA1: 79cf4bb78b46a77d21b12bf7032c2fbf4a7ed0a2
- SHA256: 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
- SHA512: b96394357f6f898e7a2528b0c2804b6814aa386fc625fe4d519e0b6b23876633d8471a27d31ba844667b36125fa51fce727feb399075553beb46c4a2b5c76856
- SSDEEP: 6144:cBPCuMgwO58zDWoGWT2UUgwB1U5cPAAJUgGqGj+iOMOMEVP1AR/A98gWNlPTGQQt:cTwS8eoGWSb1Lxy2rtAR/zNtTird4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 4952, process Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs), all by 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
  File opened for modification: C:\Windows\Hacker.com.cn.exe
  File created: C:\Windows\uninstal.bat
  File created: C:\Windows\Hacker.com.cn.exe
- Modifies data under HKEY_USERS (5 IoCs), all by Hacker.com.cn.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 5000, 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe
  Token SeDebugPrivilege: PID 4952, Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4952, Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5000 (067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe) wrote to memory of PID 5076, procid_target 87
  PID 5000 (067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe) wrote to memory of PID 5076, procid_target 87
  PID 5000 (067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe) wrote to memory of PID 5076, procid_target 87
Processes
- C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe (PID 5000, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5076, depth 2, child of PID 5000)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    (The command line names system32 but the image path is SysWOW64: the sample is a 32-bit process, so its CreateProcess call is subject to WOW64 file-system redirection.)
- C:\Windows\Hacker.com.cn.exe (PID 4952, depth 1)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
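The behaviour recorded above (files dropped into C:\Windows, cmd.exe launched with /c on the dropped batch file, execution of the dropped EXE, and the four ZoneMap values written under HKEY_USERS\.DEFAULT) maps directly onto Sysmon event types 11, 1 and 13. The Python below is an added example, not part of the sandbox report, that turns those IoCs into detection rules and runs them over a handful of constructed Sysmon-style events. The Event record shape, the sample events, and the normalisation of the report's native \REGISTRY\USER\ path to Sysmon's HKU\ prefix are assumptions of the example; the hashes, paths, PIDs and registry values are the ones the report lists.

```python
import re
from dataclasses import dataclass

# IoCs copied from the report's Signatures and Downloads sections.
SAMPLE_SHA256 = "43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"
DROPPED_EXE = r"C:\Windows\Hacker.com.cn.exe"
DROPPED_FILES = {DROPPED_EXE.lower(), r"c:\windows\uninstal.bat"}
# Sysmon logs the .DEFAULT hive as HKU\.DEFAULT\...; the report prints the native \REGISTRY\USER\ form.
ZONEMAP_PREFIX = "hku\\.default\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\"
ZONEMAP_VALUES = {"intranetname": 1, "uncasintranet": 1, "autodetect": 0, "proxybypass": 1}


@dataclass
class Event:
    """Minimal Sysmon-style record (constructed shape for this example, not a real log format)."""
    event_id: int   # 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent (value set)
    pid: int
    image: str      # Sysmon 'Image' field of the acting process
    data: dict      # other Sysmon fields: CommandLine, ParentImage, Hashes, TargetFilename, TargetObject, Details


def normalise_reg_path(path: str) -> str:
    r"""Map the native object-manager form \REGISTRY\USER\... to Sysmon's HKU\... form."""
    native = "\\REGISTRY\\USER\\"
    if path.upper().startswith(native):
        return "HKU\\" + path[len(native):]
    return path


def parse_dword(details: str):
    """Sysmon renders a REG_DWORD 'Details' field as 'DWORD (0x00000001)'; anything else yields None."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return a (rule_name, pid) tuple for every event that matches one of the report's IoCs."""
    hits = []
    for ev in events:
        d = ev.data
        if ev.event_id == 1:
            if f"sha256={SAMPLE_SHA256}" in d.get("Hashes", "").lower():
                hits.append(("known_sample_hash", ev.pid))
            if ev.image.lower() == DROPPED_EXE.lower():
                hits.append(("dropped_exe_executed", ev.pid))
            cmd = d.get("CommandLine", "").lower()
            if ev.image.lower().endswith("\\cmd.exe") and "/c" in cmd and "uninstal.bat" in cmd:
                hits.append(("cmd_runs_dropped_batch", ev.pid))
        elif ev.event_id == 11:
            if d.get("TargetFilename", "").lower() in DROPPED_FILES:
                hits.append(("file_dropped_in_windows_dir", ev.pid))
        elif ev.event_id == 13:
            target = normalise_reg_path(d.get("TargetObject", "")).lower()
            if target.startswith(ZONEMAP_PREFIX):
                name = target[len(ZONEMAP_PREFIX):]
                # Require both the value name and the exact DWORD the report recorded,
                # so other ZoneMap writes (e.g. Ranges\...) do not fire.
                if name in ZONEMAP_VALUES and ZONEMAP_VALUES[name] == parse_dword(d.get("Details", "")):
                    hits.append(("zonemap_default_user_modified", ev.pid))
    return hits


# Constructed events replaying the report's process tree and signatures, plus benign noise.
ZONEMAP_NATIVE = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONEMAP_HKU = r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
SAMPLE_EVENTS = [
    Event(1, 5000, SAMPLE_IMAGE, {"CommandLine": f'"{SAMPLE_IMAGE}"', "Hashes": f"SHA256={SAMPLE_SHA256.upper()}"}),
    Event(11, 5000, SAMPLE_IMAGE, {"TargetFilename": DROPPED_EXE}),
    Event(11, 5000, SAMPLE_IMAGE, {"TargetFilename": r"C:\Windows\uninstal.bat"}),
    Event(1, 5076, r"C:\Windows\SysWOW64\cmd.exe",
          {"CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat", "ParentImage": SAMPLE_IMAGE}),
    Event(1, 4952, DROPPED_EXE, {"CommandLine": DROPPED_EXE}),
    Event(13, 4952, DROPPED_EXE, {"TargetObject": ZONEMAP_NATIVE + r"\AutoDetect", "Details": "DWORD (0x00000000)"}),
    Event(13, 4952, DROPPED_EXE, {"TargetObject": ZONEMAP_HKU + r"\ProxyBypass", "Details": "DWORD (0x00000001)"}),
    # Benign noise that must not fire (constructed):
    Event(11, 1234, r"C:\Windows\explorer.exe", {"TargetFilename": r"C:\Users\Admin\Desktop\notes.txt"}),
    Event(13, 1234, r"C:\Windows\explorer.exe", {"TargetObject": ZONEMAP_HKU + r"\AutoDetect", "Details": "DWORD (0x00000001)"}),
    Event(13, 1234, r"C:\Windows\explorer.exe", {"TargetObject": ZONEMAP_HKU + r"\Ranges\Range1\:Range", "Details": "10.0.0.0-10.255.255.255"}),
]


def run_example():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid in run_example():
        print(f"{rule:32s} pid={pid}")
```

The ZoneMap rule deliberately matches on value name and exact DWORD rather than on any write under the key: the same key is touched by ordinary Internet Settings traffic, but the combination of UNCAsIntranet=1, ProxyBypass=1, AutoDetect=0 and IntranetName=1 written under the .DEFAULT hive by a freshly dropped binary is the pattern this report records.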
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 438KB (hashes identical to the submitted sample)
  MD5: 067e52f8f51d0ebc3500386943f3891c
  SHA1: 79cf4bb78b46a77d21b12bf7032c2fbf4a7ed0a2
  SHA256: 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
  SHA512: b96394357f6f898e7a2528b0c2804b6814aa386fc625fe4d519e0b6b23876633d8471a27d31ba844667b36125fa51fce727feb399075553beb46c4a2b5c76856
- Filesize: 218B
  MD5: 53fac45070988c2db633617ac2217025
  SHA1: 38812f982c7c84cd392165b46f51d70a0cd76b32
  SHA256: 23c950293e0983f6bab3a1ba52af275a06c6a445e542ac45fe438b975213677f
  SHA512: 9a1eeac606a56141201fc9d6b5a1a1ea444b0c4619fb0743d2e5ccf4143d9459b59e4863ac201072e8bae02f93d23c2135ffdaceee2cf3c460b3a2975ba81d0f