a716c18e700fcafae57d95963f9d623513b4e265bca3253762eec368f4f039ac

General

Target

439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe
Size

619KB
MD5

439dae0749ce55ef71be2c4679787916
SHA1

2b3f24286d2a7fbd7f7e5a775cac2efc477d4c74
SHA256

a716c18e700fcafae57d95963f9d623513b4e265bca3253762eec368f4f039ac
SHA512

cf1647a0d661543e73dca2526aa06bd705edeb0f0f7ada22c586d20a1a4ccb026b57bfb2715f30720460dc264caf5b94e1589335203ef9a0d6898b87b3bb5845
SSDEEP

12288:PafAtgyVMkgDA8DtP7OTT/l4Mq3xE41c2obY79g+hD6HFat8CJS:PBtTVMk2Dt+l4NCqocmm8Cc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3172	4VMP~1.EXE
3584	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4VMP~1.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	4VMP~1.EXE
File created	C:\Windows\uninstal.bat	4VMP~1.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	4VMP~1.EXE
Token: SeDebugPrivilege	3584	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3584	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3172	4252	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	83
PID 4252 wrote to memory of 3172	4252	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	83
PID 4252 wrote to memory of 3172	4252	439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe	83
PID 3584 wrote to memory of 4712	3584	Hacker.com.cn.exe	88
PID 3584 wrote to memory of 4712	3584	Hacker.com.cn.exe	88
PID 3172 wrote to memory of 4512	3172	4VMP~1.EXE	89
PID 3172 wrote to memory of 4512	3172	4VMP~1.EXE	89
PID 3172 wrote to memory of 4512	3172	4VMP~1.EXE	89

C:\Users\Admin\AppData\Local\Temp\439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\439dae0749ce55ef71be2c4679787916_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4VMP~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4VMP~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:4512

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4VMP~1.EXE

Filesize
304KB

MD5
a8a35a6cd0b8d4f67b1fa46197cb178b

SHA1
c6b3514909c4a81effffdb1dfb931030a5f9e1a0

SHA256
7316de6a8ac1b44ec2543e8bd7b65c7fbaf958596d953da5eaa447bc8a97f079

SHA512
6d47fce60cf1726828a62f69100f945c4d1929cb810939266726c636220dfd962070242c66b6bcade06371adad3f8ec475b5963086865ae54cdb3dc8348da407

Download Submit
C:\Windows\uninstal.bat

Filesize
160B

MD5
64d11e7e4dee01a70b8179f77e58c444

SHA1
2b4c04bc3e011fbef9be4a73a40f655bb1a73c63

SHA256
37bcb03dbe8bc1a482820a16c56496e1a3ea255557f00650e1610605a8336a64

SHA512
5bcd5dc010834f11d0ee849eae3a786e0a3978fea216a4a5f284d8512784c683e0756e9f69c29a9409aa0a61ffdbd852d1f35036c343fbc82e1b87c9884e602e

Download Submit
memory/3172-24-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3172-15-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3172-14-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3584-32-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3584-28-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3584-21-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3584-20-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4252-5-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-6-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-9-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-10-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-4-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-0-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-26-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-3-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-2-0x0000000001000000-0x00000000010AB000-memory.dmp

Filesize
684KB

Download
memory/4252-1-0x0000000001061000-0x0000000001062000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads