c4fa07a33e2dd31a5aec11e496bdac73c798db1ff908af61904eabc1cbabe98e

General

Target

0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe
Size

653KB
MD5

0c2e11f6da33df217615d6c51bf3902e
SHA1

d32680e5484e8cf8fbea8ab34f5505419d04fb24
SHA256

c4fa07a33e2dd31a5aec11e496bdac73c798db1ff908af61904eabc1cbabe98e
SHA512

c615bfb2dc4675298d9859ada5bbfb420067aa749219c59bd835a6fff7e52f3fc36bcf42f1c3cbeafe23a62414ffbfaf9653ecc26bb6cd2be230b4a5158b8c57
SSDEEP

12288:uBksr9TNrsGvOYrXJNycqohcmF3Z4mxxqoEtlK+kt9T2Me5:uBku5NdGY7JEcqmQmXjGb5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4996	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe
Token: SeDebugPrivilege	4996	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4996	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 4536	2948	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe	83
PID 2948 wrote to memory of 4536	2948	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe	83
PID 2948 wrote to memory of 4536	2948	0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c2e11f6da33df217615d6c51bf3902e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4536

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
653KB

MD5
0c2e11f6da33df217615d6c51bf3902e

SHA1
d32680e5484e8cf8fbea8ab34f5505419d04fb24

SHA256
c4fa07a33e2dd31a5aec11e496bdac73c798db1ff908af61904eabc1cbabe98e

SHA512
c615bfb2dc4675298d9859ada5bbfb420067aa749219c59bd835a6fff7e52f3fc36bcf42f1c3cbeafe23a62414ffbfaf9653ecc26bb6cd2be230b4a5158b8c57

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
246a3960025f7f8f1859db0b077b706b

SHA1
9645b1ca2896d3d8d644d93fae6f98d82cf5da82

SHA256
4ee500df7b1aeea8dce46e1eaf28b91e10f4fbaa04682a57976e0333fa55c4b2

SHA512
dfad28ea88361e1f9249236aa166c8dc71bfea32adc62bc790b8581a4fea78587a8e59bf76a39c554b5b49172133e8a5f5df345d8876b13e4e8ed1feecc9a38f

Download Submit
memory/2948-9-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2948-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2948-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2948-10-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2948-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2948-8-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2948-7-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2948-6-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2948-2-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2948-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2948-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2948-12-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/2948-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2948-17-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2948-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2948-15-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2948-13-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2948-24-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2948-25-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/2948-1-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/4996-27-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4996-31-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing