fc992354def20817718a564086d5f320cb10400917a0c9c1243b0303ebbdcc32

General

Target

b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe
Size

631KB
MD5

b1860005df7a54d90b7f459db74df4c6
SHA1

b72611f8eaaaf35998d4aeff1f6f602117d82245
SHA256

fc992354def20817718a564086d5f320cb10400917a0c9c1243b0303ebbdcc32
SHA512

6dfec63b2fbef0970c44571c259e63c08d28b0918375c85ee4b2740ba1f6747ea8b2dd919638ac391272c507ed69ed215eea623c97d9974e77bb2fa7624c99ae
SSDEEP

12288:5B3eD7bgoKrvhvIFEopVu/F3Z4mxxTvNZWBUiv/W0+dSJEA:5Bgkhi7pM/QmXT1Z4Ui3WdSn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1604	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe
Token: SeDebugPrivilege	1604	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1604	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1912	1604	Hacker.com.cn.exe	88
PID 1604 wrote to memory of 1912	1604	Hacker.com.cn.exe	88
PID 2888 wrote to memory of 2420	2888	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe	92
PID 2888 wrote to memory of 2420	2888	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe	92
PID 2888 wrote to memory of 2420	2888	b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1860005df7a54d90b7f459db74df4c6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
631KB

MD5
b1860005df7a54d90b7f459db74df4c6

SHA1
b72611f8eaaaf35998d4aeff1f6f602117d82245

SHA256
fc992354def20817718a564086d5f320cb10400917a0c9c1243b0303ebbdcc32

SHA512
6dfec63b2fbef0970c44571c259e63c08d28b0918375c85ee4b2740ba1f6747ea8b2dd919638ac391272c507ed69ed215eea623c97d9974e77bb2fa7624c99ae

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
5d2f3cf2ea74f7f22321e50376d7b700

SHA1
8deb49c4742fade5d7f0dc838527b3cfe53f5a41

SHA256
80eef05c56e2c73415bcd560629443b91386813dc2262b6629bc869914873cd5

SHA512
b711693a5c60d1e9d1c6c30258abecbcf040b58a6cd97cd454f8b2a6d3c728b6288f930c3b139d6d2163a6afd05d36b0b117f57fb60847b2c4964e3a8a170dd7

Download Submit
memory/1604-31-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1604-27-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2888-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2888-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2888-0-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2888-10-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2888-9-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2888-8-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2888-7-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2888-5-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2888-3-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2888-12-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/2888-17-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2888-16-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2888-15-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2888-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2888-13-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2888-24-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2888-25-0x00000000023C0000-0x0000000002414000-memory.dmp

Filesize
336KB

Download
memory/2888-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x00000000023C0000-0x0000000002414000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing