b8358871d091af47cc36625ab518366999d09202375c74265eb0894892c439b1

General

Target

378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
Size

800KB
MD5

378a921c32c570e516c975b6ca83abb7
SHA1

4bb25e842d75e7b741e76d72e4f72506086f2dea
SHA256

b8358871d091af47cc36625ab518366999d09202375c74265eb0894892c439b1
SHA512

3b05794b4e3a5eab85f9f9633c39ad02a66edc94ec4ca4670c364a36e1d2ae6ce55fa6edc356c271d4a9d8dd7779b13b2067a25f261ad5b94b7ac1d4e9b53506
SSDEEP

12288:4mRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrzzz:4SStU4gf2EW5A2DJr/kS4vGIk6v3Hff

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4160	RunMgr.EXE
3576	Hacker.com.cn.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RunMgr.EXE	RunMgr.EXE
File created	C:\Windows\uninstal.bat	RunMgr.EXE
File created	C:\Windows\RunMgr.EXE	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
File created	C:\Windows\Hacker.com.cn.exe	RunMgr.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	RunMgr.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	RunMgr.EXE
Token: SeIncBasePriorityPrivilege	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
Token: SeDebugPrivilege	3576	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3576	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 4160	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	86
PID 1188 wrote to memory of 4160	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	86
PID 1188 wrote to memory of 4160	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	86
PID 1188 wrote to memory of 3100	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	87
PID 1188 wrote to memory of 3100	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	87
PID 1188 wrote to memory of 3100	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	87
PID 1188 wrote to memory of 4408	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	89
PID 1188 wrote to memory of 4408	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	89
PID 1188 wrote to memory of 4408	1188	378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe	89
PID 3576 wrote to memory of 1768	3576	Hacker.com.cn.exe	92
PID 3576 wrote to memory of 1768	3576	Hacker.com.cn.exe	92
PID 4160 wrote to memory of 3628	4160	RunMgr.EXE	93
PID 4160 wrote to memory of 3628	4160	RunMgr.EXE	93
PID 4160 wrote to memory of 3628	4160	RunMgr.EXE	93

C:\Users\Admin\AppData\Local\Temp\378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\RunMgr.EXE
  "C:\Windows\RunMgr.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del %SystemRoot%\Debug.exe
  2⤵
  PID:3100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\378A92~1.EXE > nul
  2⤵
  PID:4408

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RunMgr.EXE

Filesize
743KB

MD5
eec0bbd268f539876ef3fca7ce446e70

SHA1
07b4d5119309518584f9c919c840aed551c5986b

SHA256
f761f6990cf9a25b48b17fe198ce8768695eb6f278c24c3e218d43bf5f1a6690

SHA512
f57de6d4df885ae2a607675a3a0368a14deaceacf6c961057e78691eba2a7f5b6e16836f7087c7f6878a6132a0e02a279d32a916ddb33e4dbcc5014fa2f88d8f

Download Submit
C:\Windows\uninstal.bat

Filesize
92B

MD5
cb9f71ed6347920d9d54de433ac8b51f

SHA1
1900d39d3bfee682acce91d71efd8fc1ef22f48c

SHA256
b946663364cb8068df25d6b8c349208f534817503d4d68d5faabc5896e1a4970

SHA512
6ceb649d961039f5b426dc92059837f6c76c1b98f9ceb4ae751e1746ba97ffd27b31bdf073a3494e50d7fc3c12e241e531bf848eaee1c497eea20570a532d9cf

Download Submit
memory/1188-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3576-14-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3576-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3576-21-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3576-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3576-28-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4160-9-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4160-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing