e2c675fcb9fa7d6818812a6ca1c4c9db23b4710c6872532020c916481044efcd

General

Target

c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
Size

320KB
MD5

c938e691e37c249f4f75bfd7c056c8ba
SHA1

8aa0f93fbb08e9681a9b3061b2448edea8edf350
SHA256

e2c675fcb9fa7d6818812a6ca1c4c9db23b4710c6872532020c916481044efcd
SHA512

5734004360948ec91aba05facf9113cc1f696980ea9f240466120b1cc67170257df19af26f3fda8477ac68373c029fbaaa0761d08f7192e6a93cda57e7546a08
SSDEEP

6144:MVa7S2FKatIbN/OqfGTXHPNf5agFM4DteddBVJyOOA:MMXm/wFf55FrDteBbuA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3316	cmdno.exe
3404	Hacker.com.cn.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b00000001e556-4.dat	upx
behavioral2/memory/3316-5-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/3316-16-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/3404-18-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\cmdno.exe	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
File created	C:\Windows\Hacker.com.cn.exe	cmdno.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	cmdno.exe
File opened for modification	\??\c:\windows\cmdno.exe	cmdno.exe
File created	C:\Windows\uninstal.bat	cmdno.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
Token: SeDebugPrivilege	3316	cmdno.exe
Token: SeDebugPrivilege	3404	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3404	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3316	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe	91
PID 3972 wrote to memory of 3316	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe	91
PID 3972 wrote to memory of 3316	3972	c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe	91
PID 3316 wrote to memory of 4324	3316	cmdno.exe	94
PID 3316 wrote to memory of 4324	3316	cmdno.exe	94
PID 3316 wrote to memory of 4324	3316	cmdno.exe	94
PID 3404 wrote to memory of 2104	3404	Hacker.com.cn.exe	93
PID 3404 wrote to memory of 2104	3404	Hacker.com.cn.exe	93

C:\Users\Admin\AppData\Local\Temp\c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c938e691e37c249f4f75bfd7c056c8ba_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972
- \??\c:\windows\cmdno.exe
  c:\windows\cmdno.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv UyvuhwjDAky5AuAC6VrpiQ.0
1⤵
PID:2120

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmdno.exe

Filesize
295KB

MD5
d2cffcfe24646c79e47ab434d3c8e8c1

SHA1
1ddb75fdb962ce95f439b6d1f0a0a2d0e06f3399

SHA256
053cc69cb09ee8ef858bfcd718e56bcccf517a4c39449082befca470a67a47e9

SHA512
00e1543c38c84c215b67b668542b593ec860f9e9ff7a935cc24dab4fb7f8238f6966381d808ed320518bfe450df1f26d62edd5e82fa9860b61c0b9144cebb0b3

Download Submit
C:\Windows\uninstal.bat

Filesize
90B

MD5
e3d685005cdc3204eccc9d54e7d87682

SHA1
e2d6e07fc625025dade4b5ac53427b7185095289

SHA256
56f9aec24a1d089a4687775f363609c0b7c6e8d4fde5f76fd301ac425d3c1475

SHA512
07a7756d9e937f50e1a6c1b96ad8a9547585801fe6e5013526c809999ac06585274a7b2c4291fe85f69cd5b1eff0649be050b32aa652a20ab2a8c9e4980dc602

Download Submit
memory/3316-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3316-7-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3316-16-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3404-12-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3404-18-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3404-20-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing