eb57058b31f58deb8ad0cac25d60ba980ecb3a7129c272eb3a925c963c2e58d5

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe
Size

288KB
MD5

3a50de21cbcdf9183d9bbc457a6bf58c
SHA1

e44f315bfcca446ad67408d848346283d8103fea
SHA256

eb57058b31f58deb8ad0cac25d60ba980ecb3a7129c272eb3a925c963c2e58d5
SHA512

edd82506dbb708e5a455db7cc8d584b5daccfd848ad88593f7c0876f5d37f0a4ecffded4a939bf5182f8f1e5688a914acee4ea4a9b6b48907b385ad62316e7b2
SSDEEP

6144:Bs13w3pTwSA6otWjddudvilIvy5VAuyRQHz6pKGFIa:033SAbWylKRoKHz6lI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe
Token: SeDebugPrivilege	1940	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1940	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 4632	1940	Hacker.com.cn.exe	88
PID 1940 wrote to memory of 4632	1940	Hacker.com.cn.exe	88
PID 1028 wrote to memory of 1076	1028	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe	89
PID 1028 wrote to memory of 1076	1028	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe	89
PID 1028 wrote to memory of 1076	1028	3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a50de21cbcdf9183d9bbc457a6bf58c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:1076

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
288KB

MD5
3a50de21cbcdf9183d9bbc457a6bf58c

SHA1
e44f315bfcca446ad67408d848346283d8103fea

SHA256
eb57058b31f58deb8ad0cac25d60ba980ecb3a7129c272eb3a925c963c2e58d5

SHA512
edd82506dbb708e5a455db7cc8d584b5daccfd848ad88593f7c0876f5d37f0a4ecffded4a939bf5182f8f1e5688a914acee4ea4a9b6b48907b385ad62316e7b2

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
a794e91ea58426a09a958d44fa137a75

SHA1
cc26e2df4a50e45766390b59cd92af4678889f77

SHA256
1c08d8e6998356acf39fd6fcf589c98e43bc793028f68434369ec50ad8aa05e1

SHA512
91b1da1dad58595fbc75bb6307e21a11fb8131f6218b10f943250b9d191a57507cdbe08faa843ba91ee6259dcf6c8833ba7e920fec203824c9d0788c7e7b3bc7

Download Submit
memory/1028-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1028-1-0x0000000002280000-0x0000000002284000-memory.dmp

Filesize
16KB

Download
memory/1028-2-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1028-11-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1940-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1940-8-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1940-13-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1940-15-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1940-18-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download