a716c18e700fcafae57d95963f9d623513b4e265bca3253762eec368f4f039ac

Analysis

max time kernel
143s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe
Size

619KB
MD5

439dae0749ce55ef71be2c4679787916
SHA1

2b3f24286d2a7fbd7f7e5a775cac2efc477d4c74
SHA256

a716c18e700fcafae57d95963f9d623513b4e265bca3253762eec368f4f039ac
SHA512

cf1647a0d661543e73dca2526aa06bd705edeb0f0f7ada22c586d20a1a4ccb026b57bfb2715f30720460dc264caf5b94e1589335203ef9a0d6898b87b3bb5845
SSDEEP

12288:PafAtgyVMkgDA8DtP7OTT/l4Mq3xE41c2obY79g+hD6HFat8CJS:PBtTVMk2Dt+l4NCqocmm8Cc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2936	4VMP~1.EXE
2764	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1596	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe
1596	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4VMP~1.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	4VMP~1.EXE
File created	C:\Windows\uninstal.bat	4VMP~1.EXE

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}\WpadDecisionTime = 10e1211b75d5da01	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-b8-9e-78-c0-a3	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}\76-b8-9e-78-c0-a3	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}\WpadNetworkName = "Network 3"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-b8-9e-78-c0-a3\WpadDecisionTime = 70aface974d5da01	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-b8-9e-78-c0-a3\WpadDetectedUrl	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0032000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0032000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}\WpadDecisionTime = 70aface974d5da01	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C944B6F-C6C4-4CB4-979A-06573300125A}\WpadDecision = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-b8-9e-78-c0-a3\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-b8-9e-78-c0-a3\WpadDecision = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-b8-9e-78-c0-a3\WpadDecisionTime = 10e1211b75d5da01	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	4VMP~1.EXE
Token: SeDebugPrivilege	2764	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2936	1596	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	31
PID 1596 wrote to memory of 2936	1596	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	31
PID 1596 wrote to memory of 2936	1596	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	31
PID 1596 wrote to memory of 2936	1596	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	31
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2936 wrote to memory of 1748	2936	4VMP~1.EXE	34
PID 2764 wrote to memory of 2828	2764	Hacker.com.cn.exe	33
PID 2764 wrote to memory of 2828	2764	Hacker.com.cn.exe	33
PID 2764 wrote to memory of 2828	2764	Hacker.com.cn.exe	33
PID 2764 wrote to memory of 2828	2764	Hacker.com.cn.exe	33

C:\Users\Admin\AppData\Local\Temp\439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4VMP~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4VMP~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1748

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
160B

MD5
64d11e7e4dee01a70b8179f77e58c444

SHA1
2b4c04bc3e011fbef9be4a73a40f655bb1a73c63

SHA256
37bcb03dbe8bc1a482820a16c56496e1a3ea255557f00650e1610605a8336a64

SHA512
5bcd5dc010834f11d0ee849eae3a786e0a3978fea216a4a5f284d8512784c683e0756e9f69c29a9409aa0a61ffdbd852d1f35036c343fbc82e1b87c9884e602e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4VMP~1.EXE

Filesize
304KB

MD5
a8a35a6cd0b8d4f67b1fa46197cb178b

SHA1
c6b3514909c4a81effffdb1dfb931030a5f9e1a0

SHA256
7316de6a8ac1b44ec2543e8bd7b65c7fbaf958596d953da5eaa447bc8a97f079

SHA512
6d47fce60cf1726828a62f69100f945c4d1929cb810939266726c636220dfd962070242c66b6bcade06371adad3f8ec475b5963086865ae54cdb3dc8348da407

Download Submit
memory/1596-12-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1596-35-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1596-32-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1596-31-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1596-30-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1596-29-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1596-28-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1596-27-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-26-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1596-25-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1596-24-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1596-23-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1596-22-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1596-21-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/1596-19-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1596-18-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1596-17-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1596-16-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-15-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-14-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-13-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-20-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1596-66-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/1596-2-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1596-9-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1596-7-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1596-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1596-5-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1596-4-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1596-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1596-10-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-36-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1596-33-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1596-34-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1596-67-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/1596-47-0x0000000003070000-0x0000000003190000-memory.dmp

Filesize
1.1MB

Download
memory/1596-46-0x0000000003070000-0x0000000003190000-memory.dmp

Filesize
1.1MB

Download
memory/1596-0-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/1596-11-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2764-55-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2764-54-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2764-69-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2764-73-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2936-49-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2936-48-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2936-64-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads