e589eed17b4b9079f91323f0c1e3b6057a91df3518d30c02a1a446ac38ff45be

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 10:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe
Size

398KB
MD5

d1afb5a6125831beb4d89b2720f93cf8
SHA1

f16ebfded9960089ead26e543e392bf6b2c8d410
SHA256

e589eed17b4b9079f91323f0c1e3b6057a91df3518d30c02a1a446ac38ff45be
SHA512

0ba87f825cae136ce11a53e17dfa19f2805e1814ef037112f43eb74c63a06e579542c10229760d468a333f684704445ad618f5ffe3951d559e80816ff6a929f9
SSDEEP

12288:f8/ivee/lhpysiKOrP46+vIRQLMDiOr2Fdk:f2i2e/lHZi3rg6+ZLFOrS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	Hacker.com.cn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe
File created	C:\Windows\Hacker.com.cn.exe	d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	2696	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe
Token: SeDebugPrivilege	2696	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2704	2696	Hacker.com.cn.exe	31
PID 2696 wrote to memory of 2704	2696	Hacker.com.cn.exe	31
PID 2696 wrote to memory of 2704	2696	Hacker.com.cn.exe	31
PID 2696 wrote to memory of 2704	2696	Hacker.com.cn.exe	31

C:\Users\Admin\AppData\Local\Temp\d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1afb5a6125831beb4d89b2720f93cf8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 336
  2⤵
  - Program crash
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
398KB

MD5
d1afb5a6125831beb4d89b2720f93cf8

SHA1
f16ebfded9960089ead26e543e392bf6b2c8d410

SHA256
e589eed17b4b9079f91323f0c1e3b6057a91df3518d30c02a1a446ac38ff45be

SHA512
0ba87f825cae136ce11a53e17dfa19f2805e1814ef037112f43eb74c63a06e579542c10229760d468a333f684704445ad618f5ffe3951d559e80816ff6a929f9

Download Submit
memory/1960-4-0x00000000004C2000-0x00000000004C3000-memory.dmp

Filesize
4KB

Download
memory/1960-3-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1960-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1960-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1960-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1960-5-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1960-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2696-9-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2696-13-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2696-15-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2696-16-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download