71c7f9d75b9a209628a3fb40612e4848241b3d8ca0a6b654546d868af3a5f8a0

General

Target

491acae68ba143a511f534dcea23a231_JaffaCakes118.exe
Size

453KB
MD5

491acae68ba143a511f534dcea23a231
SHA1

dbae49a2d2988f88b94ca9cbb732801f36267151
SHA256

71c7f9d75b9a209628a3fb40612e4848241b3d8ca0a6b654546d868af3a5f8a0
SHA512

e89b709efa36b346b260612b4d9484675f18dfdf451a909387469f5c627d0f6ccc4187b7f57216fca9da101625f1590519088f9147576ff62b6f912cb7dfc06e
SSDEEP

12288:p0X14Q9u82sMCk8lBa1Ty/V9MIe1S6b7MP+Dd21b2a:pg14QU8GCyTyt9MIeR7MP+h21Ka

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1636	Hacker.com.cn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	491acae68ba143a511f534dcea23a231_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	491acae68ba143a511f534dcea23a231_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	491acae68ba143a511f534dcea23a231_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Hacker.com.cn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Hacker.com.cn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Hacker.com.cn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	491acae68ba143a511f534dcea23a231_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	491acae68ba143a511f534dcea23a231_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	491acae68ba143a511f534dcea23a231_JaffaCakes118.exe
Token: SeDebugPrivilege	1636	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1636	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 4452	1636	Hacker.com.cn.exe	87
PID 1636 wrote to memory of 4452	1636	Hacker.com.cn.exe	87

C:\Users\Admin\AppData\Local\Temp\491acae68ba143a511f534dcea23a231_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\491acae68ba143a511f534dcea23a231_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
453KB

MD5
491acae68ba143a511f534dcea23a231

SHA1
dbae49a2d2988f88b94ca9cbb732801f36267151

SHA256
71c7f9d75b9a209628a3fb40612e4848241b3d8ca0a6b654546d868af3a5f8a0

SHA512
e89b709efa36b346b260612b4d9484675f18dfdf451a909387469f5c627d0f6ccc4187b7f57216fca9da101625f1590519088f9147576ff62b6f912cb7dfc06e

Download Submit
memory/1140-9-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1140-12-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1140-8-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1140-13-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1140-7-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1140-11-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1140-10-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1140-6-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1140-2-0x0000000000710000-0x0000000000713000-memory.dmp

Filesize
12KB

Download
memory/1140-3-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/1140-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1140-5-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1140-4-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1140-14-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1140-1-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/1140-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1140-33-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/1636-19-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1636-28-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1636-27-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/1636-26-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/1636-25-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1636-24-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1636-23-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1636-31-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1636-30-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/1636-22-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1636-21-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

Filesize
24KB

Download
memory/1636-20-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/1636-34-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1636-35-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/1636-36-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/1636-37-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1636-41-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing