e470e086e6a6c247918af1e280c6e764e41926e28e3f9a96ba0de4f46cc9ac4c

General

Target

bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe
Size

411KB
MD5

bdec41f3038a1b5d540015e1aaf0ed6d
SHA1

8736cdd2fe1e6b03032348a3dd24ee9c1a3280fd
SHA256

e470e086e6a6c247918af1e280c6e764e41926e28e3f9a96ba0de4f46cc9ac4c
SHA512

f6363610f2a688ad2da605bc5095a6a03d2e98f2990ad5b814f514410ecc3082755ecc1a250c5872c3142fbf5f316c70d4194223dee4b468098c79f19398270e
SSDEEP

12288:7uqEIFuxdgs0EVUopmFp9lMFMG9SJmi+hDF4gG0YqJcnwbCTQ+uHFaL:vEquzgsJyowZlIjmmL4r0YNQUulu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4884	Hacker.com.cn.ini

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.ini	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5040	2424	WerFault.exe	83
3696	4884	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.ini

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe
Token: SeDebugPrivilege	4884	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4884	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4072	4884	Hacker.com.cn.ini	93
PID 4884 wrote to memory of 4072	4884	Hacker.com.cn.ini	93
PID 2424 wrote to memory of 8	2424	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe	96
PID 2424 wrote to memory of 8	2424	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe	96
PID 2424 wrote to memory of 8	2424	bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdec41f3038a1b5d540015e1aaf0ed6d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 224
  2⤵
  - Program crash
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2424 -ip 2424
1⤵
PID:1028

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 216
  2⤵
  - Program crash
  PID:3696
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4884 -ip 4884
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.ini

Filesize
411KB

MD5
bdec41f3038a1b5d540015e1aaf0ed6d

SHA1
8736cdd2fe1e6b03032348a3dd24ee9c1a3280fd

SHA256
e470e086e6a6c247918af1e280c6e764e41926e28e3f9a96ba0de4f46cc9ac4c

SHA512
f6363610f2a688ad2da605bc5095a6a03d2e98f2990ad5b814f514410ecc3082755ecc1a250c5872c3142fbf5f316c70d4194223dee4b468098c79f19398270e

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
dc79673a9316c1e79e85368595e5ddc1

SHA1
df5cfe263b8233b4acc71e8572269fd35c82f3f4

SHA256
d7c8c40ee157244f59a96fe03bd800f9a16a30393f5c2394d1c4db93832ff58a

SHA512
68e147879baee759b77b998f0e7c28317f2ec1ab28cb4c8cf8de01ff7a28cb67b9a8b64d0659d29549b4c1941365494fc8e08c75b1efc4c7758447dd935f58f4

Download Submit
memory/2424-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2424-1-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2424-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4884-6-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4884-7-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4884-12-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4884-13-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4884-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing