Analysis
- max time kernel: 141s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2024 17:34

Static task: static1
Behavioral task: behavioral1
- Sample: 06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
- Size: 335KB
- MD5: 06bf28afb24066ddb543d633e4bc441b
- SHA1: dca692fb1b0752a53c9c31bdea7c8e9e004e9d37
- SHA256: 0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239
- SHA512: a21df423a6c18cb1662eef28619886eff08d53c63ce180ca9313fbf9aa5a2adb632178035e530a26519877b5897fc32b07a13bbb5ef0d4bb522d0c77f67e40e9
- SSDEEP: 6144:DBj6B6kP/KRvA9HmNR92bIjLxPTYra385tnDzeO+SsZPqXhEWw3g/r3IDhIDsWCx:s6kPIA9mR9jXZkznXL+C7l/fIX6cgD0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 5024  Hacker.com.cn.exe
- Loads dropped DLL (4 IoCs)
  PID 5024  Hacker.com.cn.exe (4 loads)
- Drops file in Windows directory (6 IoCs)
  File created                  C:\Windows\uninstal.bat        06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  File created                  C:\Windows\QPOOUM.DAT          06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  File created                  C:\Windows\MYISDX.DAT          06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  File created                  C:\Windows\HXCVUD.DAT          06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  File created                  C:\Windows\Hacker.com.cn.exe   06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  File opened for modification  C:\Windows\Hacker.com.cn.exe   06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hacker.com.cn.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     Hacker.com.cn.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 5024  Hacker.com.cn.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege               PID 1384  06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe
  Token: SeDebugPrivilege               PID 5024  Hacker.com.cn.exe
  Token: SeAssignPrimaryTokenPrivilege  PID 5024  Hacker.com.cn.exe
  Token: SeIncreaseQuotaPrivilege       PID 5024  Hacker.com.cn.exe
  Token: SeSecurityPrivilege            PID 5024  Hacker.com.cn.exe
  Token: SeTakeOwnershipPrivilege       PID 5024  Hacker.com.cn.exe
  Token: SeLoadDriverPrivilege          PID 5024  Hacker.com.cn.exe
  Token: SeSystemtimePrivilege          PID 5024  Hacker.com.cn.exe
  Token: SeShutdownPrivilege            PID 5024  Hacker.com.cn.exe
  Token: SeSystemEnvironmentPrivilege   PID 5024  Hacker.com.cn.exe
  Token: SeUndockPrivilege              PID 5024  Hacker.com.cn.exe
  Token: SeManageVolumePrivilege        PID 5024  Hacker.com.cn.exe
  Token: SeDebugPrivilege               PID 5024  Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 5024  Hacker.com.cn.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 5024  Hacker.com.cn.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 5024 wrote to memory of 2744  Hacker.com.cn.exe                                    procid_target 90  (2 occurrences)
  PID 1384 wrote to memory of 3404  06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe  procid_target 91  (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe  (PID 1384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 3404)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    - System Location Discovery: System Language Discovery
- C:\Windows\Hacker.com.cn.exe  (PID 5024)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 2744)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2256)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8

Note on the cmd.exe child: the dropper launches C:\Windows\system32\cmd.exe, but the image actually executed is C:\Windows\SysWOW64\cmd.exe. That is consistent with WoW64 file-system redirection applied to a 32-bit parent process, so detection rules keyed on the image path should expect the SysWOW64 form. The uninstal.bat it runs is the dropper's own cleanup script, written to C:\Windows alongside the payload.
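The signatures and the process tree above together give a compact set of host artefacts: five files written to C:\Windows, four ZoneMap values written under HKU\.DEFAULT, and a running copy of the dropped Hacker.com.cn.exe. The PowerShell script below is an added host-triage example, not part of the sandbox report and not code from any tool it references, that hunts for exactly those artefacts on a live Windows host. Every path, value and hash in it is taken from the report; the -ScanRoot parameter name and the 1MB size cut-off for the optional hash scan are assumptions of this example. Because the registry values sit under HKU\.DEFAULT rather than a per-user hive, the check addresses that hive directly through the Registry:: provider path.

```powershell
# Added host-triage script (example only; not part of the sandbox report).
# Checks a Windows host for the artefacts this report attributes to
# 06bf28afb24066ddb543d633e4bc441b_JaffaCakes118.exe. Run from an elevated
# PowerShell. -ScanRoot (assumed parameter name) optionally points at a
# directory to scan for the original dropper by SHA256.
param([string]$ScanRoot)

# SHA256 of the dropper, from the report's General section.
$SampleSha256 = '0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239'

# "Drops file in Windows directory": the five paths the dropper creates.
$DroppedFiles = @(
    'C:\Windows\Hacker.com.cn.exe',
    'C:\Windows\uninstal.bat',
    'C:\Windows\QPOOUM.DAT',
    'C:\Windows\MYISDX.DAT',
    'C:\Windows\HXCVUD.DAT'
)

# "Modifies data under HKEY_USERS": ZoneMap values set by Hacker.com.cn.exe.
$ZoneMapKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneMapExpected = @{ ProxyBypass = 1; IntranetName = 1; UNCAsIntranet = 1; AutoDetect = 0 }

# A List (reference type) so .Add() works the same from any scope below.
$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. Dropped files: record size and hash of anything present so it can be
#    compared against the report's Downloads section.
foreach ($path in $DroppedFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $size = (Get-Item -LiteralPath $path).Length
    $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Detail = "$path ($size bytes, SHA256 $hash)" })
}

# 2. ZoneMap values. Individual values are legitimately set by administrators,
#    so only the full set of four that this sample writes together is flagged.
if (Test-Path -LiteralPath $ZoneMapKey) {
    $props = Get-ItemProperty -LiteralPath $ZoneMapKey
    $matched = @(foreach ($name in $ZoneMapExpected.Keys) {
        $p = $props.PSObject.Properties[$name]
        if ($null -ne $p -and [int]$p.Value -eq $ZoneMapExpected[$name]) { "$name=$($p.Value)" }
    })
    if ($matched.Count -eq $ZoneMapExpected.Count) {
        $findings.Add([pscustomobject]@{ Type = 'ZoneMap'; Detail = ($matched -join ', ') })
    }
}

# 3. "Executes dropped EXE": Get-Process takes the image name without .exe.
foreach ($proc in @(Get-Process -Name 'Hacker.com.cn' -ErrorAction SilentlyContinue)) {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Detail = "PID $($proc.Id) $($proc.Path)" })
}

# 4. Optional: locate the original 335KB dropper by hash. Files over 1MB
#    (assumed cut-off) are skipped to keep the scan cheap.
if ($ScanRoot -and (Test-Path -LiteralPath $ScanRoot)) {
    $candidates = Get-ChildItem -LiteralPath $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 1MB }
    foreach ($f in $candidates) {
        if ((Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash -ieq $SampleSha256) {
            $findings.Add([pscustomobject]@{ Type = 'Dropper'; Detail = $f.FullName })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artefacts from this report were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Usage: save as a .ps1 and run `.\hunt.ps1` for the file, registry and process checks, or `.\hunt.ps1 -ScanRoot C:\Users` to also sweep user profiles for the dropper by hash. The ZoneMap check deliberately requires all four values to match: any one of them (UNCAsIntranet in particular) is a common administrative setting, and flagging it alone would produce noise on managed estates.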
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13KB
  MD5: de0c533b3e727cfab6d5f5418c159423
  SHA1: 9bf855b87c43405ff7cba13541d5fe4656a59463
  SHA256: bd3daf8b7f8de13aec1438e59d50b09af45eeab17cd0eed7424a4c9b3122150b
  SHA512: c33da4186a46553f1c7621220826f091e204715e58c83bcc93cd3fe2116e974615d2a424cd3d073e8f066b3f9dcfff50fa8bca28b17bb968cb85ced899ae8405
- Filesize: 335KB
  MD5: 06bf28afb24066ddb543d633e4bc441b
  SHA1: dca692fb1b0752a53c9c31bdea7c8e9e004e9d37
  SHA256: 0a33e02c2cf35dc3d2a7404bebcc20080fe00876b92509464ba64302ae3d5239
  SHA512: a21df423a6c18cb1662eef28619886eff08d53c63ce180ca9313fbf9aa5a2adb632178035e530a26519877b5897fc32b07a13bbb5ef0d4bb522d0c77f67e40e9
- Filesize: 122KB
  MD5: 69c410f159553e56ab5a3d94784e26c9
  SHA1: 4106505d1666d99c923d94072e8ca80142027b66
  SHA256: d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f
  SHA512: 8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994
- Filesize: 51KB
  MD5: d58f992c53515c9f1fb9394a46f4cb48
  SHA1: 1f9909d227b93be10328e0abc64052da984657ba
  SHA256: 50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040
  SHA512: 3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94
- Filesize: 218B
  MD5: 075f7ddc1df7955a4cedd17fb34cbd4b
  SHA1: 178c2e53fc18a8bd56ac8612db8d512dbe1f464a
  SHA256: fc40a901b8dd4ef3c9a45c4e3396382bd42359e58b992244776d5cc88098d56c
  SHA512: fce912ea908f23817f7526d5d3e87b9856640dd7db29a3d9d4f6451d173e7ae881477dbc9f34e619b39928deb7764a5efd8f0d880ede9d5fb107983f91cead0c