cc239e94ecbd775227cdde062301396b8a290fae411f6880f5e21797106a8cc0

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe
Size

794KB
MD5

c8e562e23328ec9f93e7e1f8f0c96d72
SHA1

0aec8cd26c9e7e7bfabb4ebbcabc4f92a2bb6c8a
SHA256

cc239e94ecbd775227cdde062301396b8a290fae411f6880f5e21797106a8cc0
SHA512

5843f58db3d6f9fc405782c0efb6da1711e1b04d2df058a3e48af940a1e41c88f31dfc05aca81f700f31c198b950569354c302d386d85f01be9fbcd9e2cd435d
SSDEEP

12288:GaP289zSSGTqTaTLlyF3Z4mxxmi+/5cWNOO7scapBQM2zqAlnvb5r6AG9GT6kEsz:DP28FETqT2AQmXcjgNtdAj5hrOJRU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3052	temp.exe
1268	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe
2876	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	temp.exe
File created	C:\Windows\Hacker.com.cn.exe	temp.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0196000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-43-22-e8-e9-4a\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}\WpadDecision = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-43-22-e8-e9-4a\WpadDecision = "0"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-43-22-e8-e9-4a\WpadDecisionTime = 700f3e5516fada01	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-43-22-e8-e9-4a\WpadDetectedUrl	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}\WpadDecisionTime = 708c8f8616fada01	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}\9e-43-22-e8-e9-4a	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0196000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-43-22-e8-e9-4a	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}\WpadNetworkName = "Network 3"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-43-22-e8-e9-4a\WpadDecisionTime = 708c8f8616fada01	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452F0236-2293-4B4E-8D0D-C38F0F9F7A61}\WpadDecisionTime = 700f3e5516fada01	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	temp.exe
Token: SeDebugPrivilege	1268	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1268	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3052	2876	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe	30
PID 2876 wrote to memory of 3052	2876	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe	30
PID 2876 wrote to memory of 3052	2876	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe	30
PID 2876 wrote to memory of 3052	2876	c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe	30
PID 1268 wrote to memory of 2688	1268	Hacker.com.cn.exe	32
PID 1268 wrote to memory of 2688	1268	Hacker.com.cn.exe	32
PID 1268 wrote to memory of 2688	1268	Hacker.com.cn.exe	32
PID 1268 wrote to memory of 2688	1268	Hacker.com.cn.exe	32
PID 3052 wrote to memory of 2188	3052	temp.exe	33
PID 3052 wrote to memory of 2188	3052	temp.exe	33
PID 3052 wrote to memory of 2188	3052	temp.exe	33
PID 3052 wrote to memory of 2188	3052	temp.exe	33
PID 3052 wrote to memory of 2188	3052	temp.exe	33
PID 3052 wrote to memory of 2188	3052	temp.exe	33
PID 3052 wrote to memory of 2188	3052	temp.exe	33

C:\Users\Admin\AppData\Local\Temp\c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8e562e23328ec9f93e7e1f8f0c96d72_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
276KB

MD5
892e616994cb2f359d24e0092371c962

SHA1
66943904833bac933033f413acda1ebf604c302c

SHA256
f51123298b9960400f8bdf1bfa622bd871d2c909855e6511ea3af5305c13b2c2

SHA512
a73389b426d68dc638291175218c8571014297973c43cbf5a7d44c5dd680c233ed8ffa60dacd283c52baf62c630e3dc86d7d0ad45513a50a75ee99609870b542

Download Submit
memory/1268-86-0x0000000000400000-0x00000000004D4006-memory.dmp

Filesize
848KB

Download
memory/1268-90-0x0000000000400000-0x00000000004D4006-memory.dmp

Filesize
848KB

Download
memory/2876-0-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2876-1-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/2876-2-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2876-9-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-8-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2876-7-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2876-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2876-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2876-4-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2876-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2876-10-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-33-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2876-46-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2876-45-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2876-44-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-43-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2876-42-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2876-41-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2876-40-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2876-39-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2876-38-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2876-37-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2876-36-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2876-35-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2876-34-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2876-32-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2876-31-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2876-30-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-29-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-28-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-27-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-26-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-25-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-24-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-23-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-22-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-21-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-20-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-19-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-18-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-17-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-16-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-15-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-14-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-13-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-12-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-11-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2876-48-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-49-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-47-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2876-51-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/2876-50-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-55-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2876-54-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-53-0x0000000003120000-0x0000000003122000-memory.dmp

Filesize
8KB

Download
memory/2876-52-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-59-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2876-58-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2876-57-0x0000000003110000-0x0000000003114000-memory.dmp

Filesize
16KB

Download
memory/2876-56-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2876-71-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2876-70-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/3052-84-0x0000000000400000-0x00000000004D4006-memory.dmp

Filesize
848KB

Download