d8d5ab26ad5e7e08e6bbdd54d0ce8dceef0fac33235d3a63416e5997531d9136

General

Target

14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe
Size

664KB
MD5

14854075cfe03891ce84f43abc690bd5
SHA1

02254f4dc57034afddb5e0b9595e86e5adf1f8f9
SHA256

d8d5ab26ad5e7e08e6bbdd54d0ce8dceef0fac33235d3a63416e5997531d9136
SHA512

85df6df0afad7021aa861b6e30fe199cf26309b5b1f4517c9a1f2d273f11ec73911fca0fdfdfc3def499cfe0446fa4e6f0bc973147a0123340e768eec5951fea
SSDEEP

12288:AKg5TKWfmDA4HfvPJdFizF3Z4mxxOlZyqhf4QRt4FQ8Ps+up:AKg5YA4Hfpd8QmXODxjOdPs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe
File created	C:\Windows\Hacker.com.cn.exe	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe
Token: SeDebugPrivilege	900	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
900	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2776	900	Hacker.com.cn.exe	84
PID 900 wrote to memory of 2776	900	Hacker.com.cn.exe	84
PID 5060 wrote to memory of 1572	5060	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe	87
PID 5060 wrote to memory of 1572	5060	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe	87
PID 5060 wrote to memory of 1572	5060	14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14854075cfe03891ce84f43abc690bd5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:1572

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:900
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
664KB

MD5
14854075cfe03891ce84f43abc690bd5

SHA1
02254f4dc57034afddb5e0b9595e86e5adf1f8f9

SHA256
d8d5ab26ad5e7e08e6bbdd54d0ce8dceef0fac33235d3a63416e5997531d9136

SHA512
85df6df0afad7021aa861b6e30fe199cf26309b5b1f4517c9a1f2d273f11ec73911fca0fdfdfc3def499cfe0446fa4e6f0bc973147a0123340e768eec5951fea

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
4778704c23c69daf3248383606243579

SHA1
15186873b3fa9d650a0401712ef6ecb7845c5b6e

SHA256
9fea297b61a67afa2da46f5693f095e776c757541f63d128ceb97600b55a2c11

SHA512
8800b78f8cd0aca87fcc78034c47015d18202e351077ecdc33836a5008787e24b6f5c424be0af93c63e4b40589c42fb7e0f014967c6920c181ea05b6476fa829

Download Submit
memory/900-37-0x0000000000D60000-0x0000000000DB4000-memory.dmp

Filesize
336KB

Download
memory/900-35-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/900-29-0x0000000000D60000-0x0000000000DB4000-memory.dmp

Filesize
336KB

Download
memory/5060-4-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/5060-2-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/5060-14-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5060-13-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5060-12-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/5060-10-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/5060-9-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/5060-8-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/5060-7-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/5060-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/5060-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/5060-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5060-3-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/5060-15-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5060-23-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/5060-22-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/5060-21-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/5060-20-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/5060-19-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/5060-24-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/5060-16-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5060-17-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5060-32-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5060-33-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/5060-18-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/5060-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/5060-1-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing