Analysis
-
max time kernel
142s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
11/07/2024, 07:19 UTC
Static task
static1
Behavioral task
behavioral1
Sample
383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe
-
Size
634KB
-
MD5
383067399d96c0621b64bde900da8bb4
-
SHA1
64202046abfbc5e611d633e1dc336cb04fa9b564
-
SHA256
c8ad5b524d352ec44afda6879b481c715da846c0960bc2e0c4c525b0249d1097
-
SHA512
8fed57555a7025c0f876918a6dc89a195d290cb02569c836aba2e2f74a9c7013eeff6d9d51750ee9c22954e964c8281407882791de0cc0b6f1e431b4e2637f4e
-
SSDEEP
12288:YzY4ci6+atHyFZoqJOL8NHJF3Z4mxxtSh1pExA/SVxNy6vgl1h8Uf:cYPAbFZo+OL8hJQmXobpYYcNy6AaQ
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4168 K.exe 4244 Hacker.com.cn.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Hacker.com.cn.exe K.exe File opened for modification C:\Windows\Hacker.com.cn.exe K.exe File created C:\Windows\uninstal.bat K.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4168 K.exe Token: SeDebugPrivilege 4244 Hacker.com.cn.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4244 Hacker.com.cn.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2524 wrote to memory of 4168 2524 383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe 84 PID 2524 wrote to memory of 4168 2524 383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe 84 PID 2524 wrote to memory of 4168 2524 383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe 84 PID 4244 wrote to memory of 5100 4244 Hacker.com.cn.exe 90 PID 4244 wrote to memory of 5100 4244 Hacker.com.cn.exe 90 PID 4168 wrote to memory of 2200 4168 K.exe 93 PID 4168 wrote to memory of 2200 4168 K.exe 93 PID 4168 wrote to memory of 2200 4168 K.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\383067399d96c0621b64bde900da8bb4_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat3⤵PID:2200
-
-
-
C:\Windows\Hacker.com.cn.exeC:\Windows\Hacker.com.cn.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵PID:5100
-
Network
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 468734
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3094BAC5E6884DE0A3F052F953F61C9C Ref B: LON04EDGE1221 Ref C: 2024-07-11T07:19:15Z
date: Thu, 11 Jul 2024 07:19:14 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317300897_1II1YIPQNQ7MCYUAK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317300897_1II1YIPQNQ7MCYUAK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 431275
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0C9DDB650A214BC7BB0798C9F6C949B1 Ref B: LON04EDGE1221 Ref C: 2024-07-11T07:19:15Z
date: Thu, 11 Jul 2024 07:19:14 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301732_1XU9VS499YTY2RBMB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301732_1XU9VS499YTY2RBMB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 552873
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6BB42940822D439BB535BB6551A401D6 Ref B: LON04EDGE1221 Ref C: 2024-07-11T07:19:15Z
date: Thu, 11 Jul 2024 07:19:14 GMT
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A13.107.21.237dual-a-0034.a-msedge.netIN A204.79.197.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=389812C12292658D1F180678232964F7; domain=.bing.com; expires=Tue, 05-Aug-2025 07:19:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5777694DBCED46F6BF8EBE5BE27262D0 Ref B: LON04EDGE0910 Ref C: 2024-07-11T07:19:15Z
date: Thu, 11 Jul 2024 07:19:15 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=389812C12292658D1F180678232964F7
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=ih6SmYJrJc7VvIB3NaXe5yyoLlFj4h-v2VFZrWXiSpI; domain=.bing.com; expires=Tue, 05-Aug-2025 07:19:15 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6ABB43CE20B04F3D9D229DAFF7D0D05C Ref B: LON04EDGE0910 Ref C: 2024-07-11T07:19:15Z
date: Thu, 11 Jul 2024 07:19:15 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=389812C12292658D1F180678232964F7; MSPTC=ih6SmYJrJc7VvIB3NaXe5yyoLlFj4h-v2VFZrWXiSpI
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0EAAEEE8C6B943BD959DFC6DC36C4035 Ref B: LON04EDGE0910 Ref C: 2024-07-11T07:19:15Z
date: Thu, 11 Jul 2024 07:19:15 GMT
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.21.107.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestllff.oicp.netIN AResponsellff.oicp.netIN A127.0.0.1
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestllff.oicp.netIN AResponsellff.oicp.netIN A127.0.0.1
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239317301732_1XU9VS499YTY2RBMB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http252.5kB 1.5MB 1096 1093
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300897_1II1YIPQNQ7MCYUAK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301732_1XU9VS499YTY2RBMB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200 -
13.107.21.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=tls, http22.0kB 9.5kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3816ebe045494a3389f5b80f45336cb0&localId=w:5B67E6EF-EB19-3B8C-6273-F1B27270E62E&deviceId=6896204247044651&anid=HTTP Response
204 -
-
-
-
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
13.107.21.237204.79.197.237
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
237.21.107.13.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
llff.oicp.net
DNS Response
127.0.0.1
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
llff.oicp.net
DNS Response
127.0.0.1
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD577727be6685645be39f45fc1446f24f6
SHA17f3e360a36279ccda159386eafe3e33b9ad4c8f6
SHA2562d9b9ceb31ad93541ccda4671afff85b86fd9ad2faabc782cd535f8a7d732b4a
SHA51270ee5b98db2f023f2afc106ddd3d7329a281e6c9004049540917b7c67b684e5359761b04915a2b3a141f3e5aef2ff25d14e21bbc191a3d8c72ed140943ba4558
-
Filesize
150B
MD512b2a195cba5d16c1a79111b3e47f15a
SHA1057c15cc2ec1dad5980cf70eba3bdba612f4d6b0
SHA2564ac8a319b86125f36db5fdb447d04f41114a527ec30945f7a7758ff8eeb46275
SHA51238c243dd813c8924f2146e03a4ab943c957b0e4aac798c0579d9493fd4baf3fd754e16692afe7b1f0e01fe24909548fdf88b1a49dbbb007ce3fb43233925ab98