667c2b1716fc5ec2978eda34181afe7f35dc2564b9d9d54506f0b12eb6130ac9

General

Target

b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe
Size

649KB
MD5

b1c48a02fd8fb5e97b5d028fb0e5381d
SHA1

e4dc0eeff16b3e08edfb6e9efdcb1761d77622ae
SHA256

667c2b1716fc5ec2978eda34181afe7f35dc2564b9d9d54506f0b12eb6130ac9
SHA512

3dbe02aff2b6f62ee751347891843f96abb0bd83a8d5853430894b4ac42d32c5bbfaee2fc59773a297bcb22276a3a37190597a16e5175256c1a521f489e4718e
SSDEEP

12288:ua3wloHCSUXD5cnEf5BequKDqF3Z4mxx4DqVTVOCZJb:uDMU+ERB9uKWQmXfVTz3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2348	1.exe
2972	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe
2024	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	1.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	1.exe
Token: SeDebugPrivilege	2972	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2348	2024	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2348	2024	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2348	2024	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2348	2024	b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe	30
PID 2972 wrote to memory of 1112	2972	Hacker.com.cn.exe	32
PID 2972 wrote to memory of 1112	2972	Hacker.com.cn.exe	32
PID 2972 wrote to memory of 1112	2972	Hacker.com.cn.exe	32
PID 2972 wrote to memory of 1112	2972	Hacker.com.cn.exe	32

C:\Users\Admin\AppData\Local\Temp\b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1c48a02fd8fb5e97b5d028fb0e5381d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2348

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
271KB

MD5
7363854f89e8e80c0e735db9fb96c38e

SHA1
6baf9e9d108ff5954fbe1962a088e1e8e9134f5f

SHA256
97209518f3411a0e046ab5e064084c1750d5967ccdf1a42ec779a0744e4eca3a

SHA512
dc20f6d12246c1388e0d8e0737a5a61597d60fb06138856696f435563c22c3e23a60b974f9373eabab0f0276aebaf00441e2fc9b7ee10444d6dfca5236a2674b

Download Submit
memory/2024-3-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/2024-18-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2024-17-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2024-16-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2024-15-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2024-14-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2024-13-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2024-12-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/2024-11-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2024-10-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2024-9-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2024-8-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2024-7-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2024-6-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2024-19-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2024-2-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2024-0-0x0000000001000000-0x00000000010B3000-memory.dmp

Filesize
716KB

Download
memory/2024-31-0x0000000003800000-0x000000000390B000-memory.dmp

Filesize
1.0MB

Download
memory/2024-45-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/2024-29-0x0000000003800000-0x000000000390B000-memory.dmp

Filesize
1.0MB

Download
memory/2024-44-0x0000000001000000-0x00000000010B3000-memory.dmp

Filesize
716KB

Download
memory/2024-42-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/2024-40-0x0000000001000000-0x00000000010B3000-memory.dmp

Filesize
716KB

Download
memory/2348-41-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2348-32-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2348-30-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2972-38-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2972-37-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2972-46-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2972-48-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2972-49-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2972-53-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads