24f10a772cce9baca2711218b0eb405bc625f436196d6ecd6df03466e99deb87

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 10:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe
Size

616KB
MD5

d4242ed013ba342f39c6c774591c3806
SHA1

c88da4f68fcd478fe2a36e2f6c9dd6d9c887821a
SHA256

24f10a772cce9baca2711218b0eb405bc625f436196d6ecd6df03466e99deb87
SHA512

9d5b8a5cb39fc27a74a17844d3bb8cbd695ec46e1d65d850ffb6ed299d228c0e79eb1256f32b8d07d9fe699a6fda41aee48f442290a7573b63ac6e68303e1aba
SSDEEP

12288:4F2JSwP7fztB7FJGxEBiIntoFEL6BOaI4H4ob2f7a4yvQysomMDYt:4e9PLztj5BiYtoVO84QS7frZt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	Hacker.com.cn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2344	4928	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe	88
PID 4928 wrote to memory of 2344	4928	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe	88
PID 4928 wrote to memory of 2344	4928	d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4242ed013ba342f39c6c774591c3806_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
"C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

Filesize
616KB

MD5
d4242ed013ba342f39c6c774591c3806

SHA1
c88da4f68fcd478fe2a36e2f6c9dd6d9c887821a

SHA256
24f10a772cce9baca2711218b0eb405bc625f436196d6ecd6df03466e99deb87

SHA512
9d5b8a5cb39fc27a74a17844d3bb8cbd695ec46e1d65d850ffb6ed299d228c0e79eb1256f32b8d07d9fe699a6fda41aee48f442290a7573b63ac6e68303e1aba

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
cb670c81c18bb04c2206b78035951fa0

SHA1
3575740906f0b8830ef20a3ccc22e5d790ea689f

SHA256
629c0b37bf1029162b01e2b7dfbab97d33d30dfd67ad4d27f3cc75914fd64347

SHA512
299caba4a6d2ae527f9fb66620cfbfc64b02eaa217b8d3901103cc0c0696c4e67324132e8487f06df075e5f5bd9c9140ccaaa0a8c7a5d2087c6ae46ad5f80968

Download Submit
memory/1932-82-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4928-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4928-1-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4928-2-0x0000000000790000-0x00000000007E4000-memory.dmp

Filesize
336KB

Download
memory/4928-12-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4928-34-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-72-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-71-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-70-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-69-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-68-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-15-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4928-67-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-66-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-65-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-64-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-63-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-62-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-61-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-60-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-59-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-58-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-57-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-56-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-55-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-54-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-53-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-52-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-51-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-50-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-49-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-48-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-47-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-46-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-45-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-44-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-43-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-42-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-41-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-40-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-39-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-38-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-37-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-36-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-35-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-33-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-32-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-31-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-30-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-29-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-28-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-27-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-26-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-25-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-24-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-23-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-22-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-21-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4928-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4928-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4928-18-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4928-17-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4928-16-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4928-14-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4928-10-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4928-9-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4928-8-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4928-7-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4928-6-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4928-5-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4928-4-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4928-13-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4928-11-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4928-3-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4928-79-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4928-80-0x0000000000790000-0x00000000007E4000-memory.dmp

Filesize
336KB

Download