62b9848f9eb468669b45b9f8daf1d2a6e89e279e7f7265c923ca4ce04f6e03cb

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
Size

876KB
MD5

261736c56c3947ccedc5e375b676b958
SHA1

9c4051e84983495ad136525222f82590a8d6b046
SHA256

62b9848f9eb468669b45b9f8daf1d2a6e89e279e7f7265c923ca4ce04f6e03cb
SHA512

1ff784ad21a9f31278ccc6fe17098b39264a15454bbbd28674786085c2ef196c6e3a87e1ba6a1f3cde198ba7e20f41845b613cfebc06db652613163fec506f50
SSDEEP

12288:+LfrxBM+Mkm3TJMpJJgFc+vM7uF3Z4mxx+KnL+0K63IfvLfrxBM+Mkm3TJMpJJgR:l3MIc+vM6QmX/l3sk3MIc+vMe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1468	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	Hacker.com.cn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\52-a4-6c-d2-f4-72	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecision = "0"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecision = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadNetworkName = "Network 3"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = 406fa7c94dceda01	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = e025d4824dceda01	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = e025d4824dceda01	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = 406fa7c94dceda01	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDetectedUrl	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3052	2508	Hacker.com.cn.exe	29
PID 2508 wrote to memory of 3052	2508	Hacker.com.cn.exe	29
PID 2508 wrote to memory of 3052	2508	Hacker.com.cn.exe	29
PID 2508 wrote to memory of 3052	2508	Hacker.com.cn.exe	29
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1468	2284	261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1468

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
876KB

MD5
261736c56c3947ccedc5e375b676b958

SHA1
9c4051e84983495ad136525222f82590a8d6b046

SHA256
62b9848f9eb468669b45b9f8daf1d2a6e89e279e7f7265c923ca4ce04f6e03cb

SHA512
1ff784ad21a9f31278ccc6fe17098b39264a15454bbbd28674786085c2ef196c6e3a87e1ba6a1f3cde198ba7e20f41845b613cfebc06db652613163fec506f50

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
48376054a18caafe119bb48ac8bdee81

SHA1
7f03fb4fb039ff54814d9a489bdf9e91b8f30f85

SHA256
ac2655c74d9dff0b2b448ec63c67c594b65108fdd9ca6ee5fada487afa7a847d

SHA512
1ee3732aa7eedc94b559e87c1f35763158efa83a9388d2d8cb346b33ab6fda01109eae69783f29adfab78698799f24cc21c577f4536f4486de87e38d0e68f295

Download Submit
memory/2284-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2284-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2284-11-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2284-9-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2284-8-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2284-7-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2284-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2284-42-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-76-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-75-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-74-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-73-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-72-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-71-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-70-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-69-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-68-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-67-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-66-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-65-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-64-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-63-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-62-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-61-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-60-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-59-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-58-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-57-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-56-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-55-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-54-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-53-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-52-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-51-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-50-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-49-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-48-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-47-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-46-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-45-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-44-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-43-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-41-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-40-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-39-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-38-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-37-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-36-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-35-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-34-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-33-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-32-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-31-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-30-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-29-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-28-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-27-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-26-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-25-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-24-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-23-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-22-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-21-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-20-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-19-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-18-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2284-17-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-16-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-15-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-14-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-13-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-12-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2284-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2284-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2284-3-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2284-2-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2284-77-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2284-91-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2284-92-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2508-81-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2508-82-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2508-94-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2508-95-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2508-100-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download