5e7ef93ee2a2ecfd97f4f1bc15ab912271830e3bcdb299b9d4e12b5c7b6af688

General

Target

7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
Size

312KB
MD5

7860abaaa00175fdf18453f6f57b2428
SHA1

dd41d27f6485064e0a4c0d3a4665bbb5e10a3249
SHA256

5e7ef93ee2a2ecfd97f4f1bc15ab912271830e3bcdb299b9d4e12b5c7b6af688
SHA512

c2f5ba90695511ab3c23c8ec4d1b7df595a0a3f6cc9d5b9730c466d0b4dc7810a84ce9578188646f143a607f8b76cab7d7ecb57828911211440f6719300ba9ab
SSDEEP

6144:aO2SIguO3/V/rh09eNQBasDUD371exkAK5R04+woOhXLwez:FfPvVFHNTz71exkhaOhse

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
Token: SeDebugPrivilege	2188	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2188	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2136	2188	Hacker.com.cn.exe	31
PID 2188 wrote to memory of 2136	2188	Hacker.com.cn.exe	31
PID 2188 wrote to memory of 2136	2188	Hacker.com.cn.exe	31
PID 2188 wrote to memory of 2136	2188	Hacker.com.cn.exe	31
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2832	1720	7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7860abaaa00175fdf18453f6f57b2428_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2832

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
312KB

MD5
7860abaaa00175fdf18453f6f57b2428

SHA1
dd41d27f6485064e0a4c0d3a4665bbb5e10a3249

SHA256
5e7ef93ee2a2ecfd97f4f1bc15ab912271830e3bcdb299b9d4e12b5c7b6af688

SHA512
c2f5ba90695511ab3c23c8ec4d1b7df595a0a3f6cc9d5b9730c466d0b4dc7810a84ce9578188646f143a607f8b76cab7d7ecb57828911211440f6719300ba9ab

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
5e5f6876bc8c87c70dfe69eeb19d5d9b

SHA1
fced1376d36e8ba9a0f8c5fd0b81364012f8ada1

SHA256
74e745cc7d3073720851d860d4de9bdc3d276f577d53b294c7c2afbbebe5a4c4

SHA512
0da66808092c108495ee9181dbc3b4e41dd43a723d017d8a6bc8632937a841af5429eb0392d321ab9e016e00c020d9519f3f81563c7c80a35bd7999b5e116ca9

Download Submit
memory/1720-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1720-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1720-20-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2188-8-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2188-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2188-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2188-22-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2188-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing