d0d660b6849322ed3cee1a4609915f0939167780631aba336f00ce7da14b4715

General

Target

a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe
Size

374KB
MD5

a0073227dd2b536862b023d60fd5e035
SHA1

444300e1735b35a24d9ac491fe98cbf27daf5f32
SHA256

d0d660b6849322ed3cee1a4609915f0939167780631aba336f00ce7da14b4715
SHA512

7248bac468ac735abe7d401c3b21d84293a41cc93432ab30cf359ae81e9879b2ba9a3205afd39e6f7603da8dbe1871b7ec9e28ec2f7dcd7b4cc8e78220a23eca
SSDEEP

6144:M9qqstK1A4wP1VbqFcT0WiaYkFV6Urn0+O7vGKrtL3XVSv4Ua0Yz1f:LtIdMjbqFBWiaRFV6U7miu3lSvXYz1f

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe
2912	ºÚ·À»Ò¸ë×Ó.exe
2824	Hacker.com.cn.exe

Loads dropped DLL 4 IoCs

pid	Process
1724	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe
1724	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe
1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe
1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018b2b-19.dat	upx
behavioral1/memory/2912-28-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2824-34-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2912-37-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2824-38-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	ºÚ·À»Ò¸ë×Ó.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	ºÚ·À»Ò¸ë×Ó.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ºÚ·À»Ò¸ë×Ó.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	ºÚ·À»Ò¸ë×Ó.exe
Token: SeDebugPrivilege	2824	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1704	1724	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1704	1724	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1704	1724	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1704	1724	a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2912	1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe	31
PID 1704 wrote to memory of 2912	1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe	31
PID 1704 wrote to memory of 2912	1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe	31
PID 1704 wrote to memory of 2912	1704	DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe	31
PID 2824 wrote to memory of 2720	2824	Hacker.com.cn.exe	33
PID 2824 wrote to memory of 2720	2824	Hacker.com.cn.exe	33
PID 2824 wrote to memory of 2720	2824	Hacker.com.cn.exe	33
PID 2824 wrote to memory of 2720	2824	Hacker.com.cn.exe	33

C:\Users\Admin\AppData\Local\Temp\a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0073227dd2b536862b023d60fd5e035_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe
  "C:\Users\Admin\AppData\Local\Temp\DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\ºÚ·À»Ò¸ë×Ó.exe
    "C:\Users\Admin\AppData\Local\Temp\ºÚ·À»Ò¸ë×Ó.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2912

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DDos¹¥»÷¹¤¾ß£¨ÃÎ»ÃÐ¡×é£©.exe

Filesize
335KB

MD5
f46cce684d4c6c62dbe5d4fa38549953

SHA1
8f23ef0ba73a3834004953e7a01b24499b19312a

SHA256
5dd8bb45d37e384ff3ee2d6a14a250e136efa30351af74bcb28d159de4e39c47

SHA512
ce7ce0fab94cfa7f134820856427cec5aef6d8c6c1fa1b6154a7d8e7fa39e897e335fe6eb87b04bd5dcf419295085eb13bf39413a1fb5a7d7d11603de9d3a304

Download Submit
\Users\Admin\AppData\Local\Temp\ºÚ·À»Ò¸ë×Ó.exe

Filesize
295KB

MD5
f64a73449ec57a26d71e32a507a7cadd

SHA1
377c7961db29cf3a1e70defdcee257f17a4c169b

SHA256
d7a3633e88b8dfae722ec7fd41bdb13a8eee8022f2845e3cbc8fb4976b80ff10

SHA512
3b6323f325e8861cbce1efd538acb0f9d13fbc32b0a10cfea120c9a4f5690c6fceef810e773474d89b19589787b9d2ba396082c22b50d8516170d7ad26e5daaf

Download Submit
memory/1704-26-0x00000000029C0000-0x0000000002A88000-memory.dmp

Filesize
800KB

Download
memory/1704-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1724-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2824-34-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-38-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2912-28-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2912-29-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2912-37-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing