69ce5552382177c0371bcb26b8be1a3aeffd7de5c2b5bab8914707e138752b1e

General

Target

2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe
Size

694KB
MD5

2ea237f07c72f72d1095579266d52208
SHA1

aba2f503621b64ea6bcc3d4ca7322cf44926148d
SHA256

69ce5552382177c0371bcb26b8be1a3aeffd7de5c2b5bab8914707e138752b1e
SHA512

1c00ed97527323613bce811e08e71ea5162bf4afdc113a0fbc74a31f05881df8286c3f2ca4e0efdd095a567fedc6770abc835bbbd03bf7e54e29e83fa3259eb6
SSDEEP

12288:VutnT8sJsFVifv7cgtlwbjSQe28d0d4at5F3Z4mxxQIeTeuqIi4H1E2N584K:VutnTxgQvwbtaKQmXhyqIlHNNqX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe
Token: SeDebugPrivilege	2716	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3064	2716	Hacker.com.cn.exe	32
PID 2716 wrote to memory of 3064	2716	Hacker.com.cn.exe	32
PID 2716 wrote to memory of 3064	2716	Hacker.com.cn.exe	32
PID 2716 wrote to memory of 3064	2716	Hacker.com.cn.exe	32
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2700	2252	2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ea237f07c72f72d1095579266d52208_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2700

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
694KB

MD5
2ea237f07c72f72d1095579266d52208

SHA1
aba2f503621b64ea6bcc3d4ca7322cf44926148d

SHA256
69ce5552382177c0371bcb26b8be1a3aeffd7de5c2b5bab8914707e138752b1e

SHA512
1c00ed97527323613bce811e08e71ea5162bf4afdc113a0fbc74a31f05881df8286c3f2ca4e0efdd095a567fedc6770abc835bbbd03bf7e54e29e83fa3259eb6

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
8523ae673cde0f0bc6ee069767eefb7e

SHA1
dfe40d0aae7949dffba9000edfbdbbd1779e70f2

SHA256
dd9289bdc224c7b881449d4d0841f1dbf4617510c0ba8a411e75383c7d50e3d7

SHA512
b726ee449532eccf8294a993daa5c42887826707af47c75c1b53328281e915eecc955bfbe11239b8f50920875c4919c0cbe5df8984aae4551f8e8b1b3f7a45d3

Download Submit
memory/2252-18-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2252-15-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2252-7-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2252-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2252-28-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2252-27-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2252-26-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2252-25-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2252-24-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2252-23-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2252-22-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2252-21-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2252-20-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2252-19-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2252-0-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2252-17-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2252-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2252-14-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2252-16-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2252-13-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2252-12-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2252-11-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2252-10-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2252-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2252-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2252-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2252-2-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2252-9-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2252-42-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/2252-1-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/2252-41-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2716-32-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2716-44-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing