d31df77982113954c24c071028790886170f86578f6f1eb1b357958a00a933b6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe
Size

636KB
MD5

06e3dc2d1f7091d61fb6f0685bac5590
SHA1

b1c9fd7dddb9f279cc81aed80d3374b6c5b084bc
SHA256

d31df77982113954c24c071028790886170f86578f6f1eb1b357958a00a933b6
SHA512

c136a4d1cadb0acc5d7547fac2dbb46b9afb911239452bc196c7c44b29398015fefd5a27c8eb578458bad2ef21f9f1602974877d6da9982eb14f859c718d44d2
SSDEEP

12288:hDFIQDcwR1em1fsZXrhDtvnZtD3HRlc1c2obY7HxHDxdrf6ARXv:hJvca1e00ZXFt6ocTxj/6ARXv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1036	4.exe
4604	Hacker.com.cn.exe
3632	4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	4.exe
Token: SeDebugPrivilege	4604	Hacker.com.cn.exe
Token: SeDebugPrivilege	3632	4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4604	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1036	2128	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe	82
PID 2128 wrote to memory of 1036	2128	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe	82
PID 2128 wrote to memory of 1036	2128	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe	82
PID 1036 wrote to memory of 1104	1036	4.exe	87
PID 1036 wrote to memory of 1104	1036	4.exe	87
PID 1036 wrote to memory of 1104	1036	4.exe	87
PID 4604 wrote to memory of 1428	4604	Hacker.com.cn.exe	88
PID 4604 wrote to memory of 1428	4604	Hacker.com.cn.exe	88
PID 2128 wrote to memory of 3632	2128	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe	89
PID 2128 wrote to memory of 3632	2128	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe	89
PID 2128 wrote to memory of 3632	2128	06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06e3dc2d1f7091d61fb6f0685bac5590_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:1104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3632

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
"C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
788KB

MD5
bafd53f4dd6091279c6d08229612e0e7

SHA1
afb314e083decaabcce1f52cb023cecd10fd00cf

SHA256
2a640b9927928e0089a8d03bd978799a5768a856883a40a437416e84e8795e8d

SHA512
23b75baa588878a3ee88d5f3c022802f63bb09870a7ba6a9ba1bd481d766fff4289fb35198ed779ae153fbe8a36dd2b6c737709b11abb2d91fd99e7cc342c613

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
memory/1036-80-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2128-8-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2128-7-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2128-25-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-43-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-42-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-41-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-40-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-39-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-38-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-37-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-36-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-52-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-34-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-33-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-32-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-31-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-30-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-29-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-28-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-27-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-26-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-24-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-23-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-22-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-21-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-20-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-19-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-18-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-17-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-16-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-15-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-14-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-13-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-79-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-11-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-10-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2128-9-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000000520000-0x0000000000570000-memory.dmp

Filesize
320KB

Download
memory/2128-35-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-0-0x0000000001000000-0x0000000001103000-memory.dmp

Filesize
1.0MB

Download
memory/2128-12-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2128-78-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-77-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-76-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-75-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-74-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-73-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-71-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-72-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-70-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-69-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-68-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-67-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-66-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-65-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-64-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-63-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-62-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-61-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-60-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-58-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-57-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-56-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-55-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-54-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-53-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-51-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-59-0x00000000029A0000-0x00000000029BB000-memory.dmp

Filesize
108KB

Download
memory/2128-6-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2128-4-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2128-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2128-2-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2128-91-0x0000000001000000-0x0000000001103000-memory.dmp

Filesize
1.0MB

Download
memory/2128-92-0x0000000000520000-0x0000000000570000-memory.dmp

Filesize
320KB

Download
memory/3632-88-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/3632-90-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/4604-83-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/4604-93-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads