Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
Size: 743KB
MD5: d232de18a894964d856bc500e0385cf6
SHA1: 73544af3bfba885c9ab6045a9b7ab98b7542012d
SHA256: 35c4637b3834651018d2f2c55320eb3a5abe59dfd05425905eae7aab1a927d4e
SHA512: 764ce6a41d1b9c1b78a208083b3ffcb0f479525c89532031e47dff1a15edea311b2a94b83cd5976eb83ec83a21ba58c1a9ea578dbf92d1683f30f6b04338b82d
SSDEEP: 12288:oJy8S+2U4u/n/80dW5A0zy26JwQ5oAlK+GXnv5TIkAbQQ52LYRg08y5rfRki:gBEU4ufxdW5A2sJr/khnvZIkA33D
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  4060  Hacker.com.cn.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                           Process
  File created                  C:\Windows\Hacker.com.cn.exe  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
  File opened for modification  C:\Windows\Hacker.com.cn.exe  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
  File created                  C:\Windows\uninstal.BAT       d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hacker.com.cn.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4668  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
  Token: SeDebugPrivilege  4060  Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4060  Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                      pid   Process                                              procid_target
  PID 4060 wrote to memory of 216  4060  Hacker.com.cn.exe                                    87
  PID 4060 wrote to memory of 216  4060  Hacker.com.cn.exe                                    87
  PID 4668 wrote to memory of 1196 4668  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe  89
  PID 4668 wrote to memory of 1196 4668  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe  89
  PID 4668 wrote to memory of 1196 4668  d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe  89
Processes

1. C:\Users\Admin\AppData\Local\Temp\d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d232de18a894964d856bc500e0385cf6_JaffaCakes118.exe"
   PID: 4668
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.BAT
      PID: 1196
      - System Location Discovery: System Language Discovery

1. C:\Windows\Hacker.com.cn.exe
   Command line: C:\Windows\Hacker.com.cn.exe
   PID: 4060
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 216
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 743KB
  MD5: d232de18a894964d856bc500e0385cf6
  SHA1: 73544af3bfba885c9ab6045a9b7ab98b7542012d
  SHA256: 35c4637b3834651018d2f2c55320eb3a5abe59dfd05425905eae7aab1a927d4e
  SHA512: 764ce6a41d1b9c1b78a208083b3ffcb0f479525c89532031e47dff1a15edea311b2a94b83cd5976eb83ec83a21ba58c1a9ea578dbf92d1683f30f6b04338b82d

File 2
  Filesize: 218B
  MD5: 20831b8b7259db8df3b16759f298e0c1
  SHA1: 83bec10ff9b66c5e53b1444bf99f61644fc9594c
  SHA256: b813777da47f1a80135f77a0a589e723631c64c92a2a26788be448fe402f6ab9
  SHA512: ea25194ccbc0c351b1c3812f585ee95eb67348b8cf14f2dad8ffc20c39ab723143db26889dced6889be42adb570b8766d1ec0e0a1df0e0586d9793d38e709770