b72a998b8c5e3c11ceeb2bf1d48e04169093a7eda1d73753b2b54bdb61cca51c

General

Target

bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe
Size

398KB
MD5

bc07899230e691a19e19c4108dc02594
SHA1

6d0dd0c16958f7bc5c82f395372b42dc8ced1644
SHA256

b72a998b8c5e3c11ceeb2bf1d48e04169093a7eda1d73753b2b54bdb61cca51c
SHA512

1b27121eb74683700391db979a2d4ebe72415e0720a85481be9ed76d9f74b275fad4c0ae6e760988bd563196bfe57f9dade88db14437e15b28c504d3b702ffa2
SSDEEP

12288:SYPkprgbbZEE4bRyzuI2IHloFvyF8p42tSv:1P6rgb9EouEoFaF8pDt

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdt.sys	bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2100	tempdir.exe
4872	Hacker.com.cn.ini

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.ini	tempdir.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	tempdir.exe
File created	C:\Windows\UNINSTAL.BAT	tempdir.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempdir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.ini
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	tempdir.exe
Token: SeDebugPrivilege	4872	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4872	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2100	628	bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe	83
PID 628 wrote to memory of 2100	628	bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe	83
PID 628 wrote to memory of 2100	628	bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe	83
PID 4872 wrote to memory of 3696	4872	Hacker.com.cn.ini	88
PID 4872 wrote to memory of 3696	4872	Hacker.com.cn.ini	88
PID 2100 wrote to memory of 3404	2100	tempdir.exe	89
PID 2100 wrote to memory of 3404	2100	tempdir.exe	89
PID 2100 wrote to memory of 3404	2100	tempdir.exe	89

C:\Users\Admin\AppData\Local\Temp\bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc07899230e691a19e19c4108dc02594_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\tempdir.exe
  C:\Users\Admin\AppData\Local\Temp\tempdir.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3404

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tempdir.exe

Filesize
756KB

MD5
c8f41624ea3242f443b3f632d02e911d

SHA1
0fda79e2e5487de6e4be036d313c39318102acf5

SHA256
fe67f6eb1b70353faa57db887683a62ccfe8043e0cf0c2ed61ab53a2d6c13176

SHA512
95ba027db10aba61eb9564d484fc0ea59eaa6fb02ad896a1cb8a1c087f7edf1183bb497d40bec89e310dea9acfd46a259fc0596cd39da17cf14563cdb1a568a6

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
140B

MD5
4e7b230401dca85f23df61baa1a95322

SHA1
cea9cb695394756afb82ad3090611130b9c92df7

SHA256
4896becf71b02a2cad1af0b17e3d86c556e15a4a7e4584e2429d47250b2c71ee

SHA512
f98425f89e10f3f54c62ee9e2a3dce1bbd706f6cb9c0b3e51e020447b3250c63133744ae046e754a568ee0ef33488aeb235289d00775f6bc509cf5e01523f464

Download Submit
memory/628-0-0x00000000004C2000-0x00000000004C3000-memory.dmp

Filesize
4KB

Download
memory/628-1-0x0000000000400000-0x00000000004C90C0-memory.dmp

Filesize
804KB

Download
memory/2100-7-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2100-8-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2100-17-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4872-13-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4872-14-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4872-19-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4872-24-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing