de4b75a5dd3cf4836fb0693fe5c597a0423e6f78a11c97eda627a43fe34284d1

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe
Size

640KB
MD5

5c8845659f127c90e5de08d9b97bfbb3
SHA1

1ff38db5c85ab5f85f8736b5514c6b92a5c3c08c
SHA256

de4b75a5dd3cf4836fb0693fe5c597a0423e6f78a11c97eda627a43fe34284d1
SHA512

4c49178a4fd52c7ad0c12dd8906b50d5582ae4e9c868104a9f162a236ae220cdff1c37b849d8f1c0a54ce6ab886077858b48786068bbee9ffbc6db717bef9807
SSDEEP

12288:ZETVZyyvHtauvpRpdpahWafLYa/gf1c2obY7EN1s:Zeoyla2rv/oc4bs

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4196	Server.exe
1880	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Hacker.com.cn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Hacker.com.cn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Hacker.com.cn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Hacker.com.cn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3688 set thread context of 3948	3688	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	84

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	Server.exe
Token: SeDebugPrivilege	1880	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1880	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3948	3688	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	84
PID 3688 wrote to memory of 3948	3688	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	84
PID 3688 wrote to memory of 3948	3688	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	84
PID 3688 wrote to memory of 3948	3688	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	84
PID 3688 wrote to memory of 3948	3688	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	84
PID 3948 wrote to memory of 4196	3948	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	85
PID 3948 wrote to memory of 4196	3948	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	85
PID 3948 wrote to memory of 4196	3948	5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe	85
PID 1880 wrote to memory of 4056	1880	Hacker.com.cn.exe	90
PID 1880 wrote to memory of 4056	1880	Hacker.com.cn.exe	90

C:\Users\Admin\AppData\Local\Temp\5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\5c8845659f127c90e5de08d9b97bfbb3_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4196

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
743KB

MD5
78db53a348d57d7590de56a8ee78a535

SHA1
ca8f0e2426c8e47f38fb4769a94812945c8d982e

SHA256
e8f3514c8d39c20820ddc3a2f331303f1e466775284950b56625b1d7317a777f

SHA512
1b25e3eecb5b4d5377ea140dae8aa8f11765835d16634d224cd0f9fde3cdb5c841b23ebd8b9f81fe831b783902d6a2273bca25d9e37d12f859d022981ef68741

Download Submit
memory/1880-50-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1880-46-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3688-19-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3688-3-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3688-25-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3688-23-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3688-6-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3688-5-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3688-2-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3688-12-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/3688-29-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3688-28-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3688-15-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3688-27-0x0000000002C00000-0x0000000002C03000-memory.dmp

Filesize
12KB

Download
memory/3688-26-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3688-24-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3688-1-0x0000000002190000-0x00000000021E0000-memory.dmp

Filesize
320KB

Download
memory/3688-9-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3688-4-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/3688-22-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3688-7-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3688-34-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/3688-10-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3688-33-0x0000000002190000-0x00000000021E0000-memory.dmp

Filesize
320KB

Download
memory/3688-21-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3688-20-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3688-0-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/3688-8-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3688-18-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3688-17-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3688-16-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3688-13-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3688-14-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3688-11-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3948-35-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/3948-30-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/3948-31-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/4196-45-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads