Analysis

max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-10-2024 00:43

Static task: static1
Behavioral task: behavioral1
Sample: 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
Size: 141KB
MD5: 27eaa7f3bf0d6b77dff6797e3d621041
SHA1: 15de7b64166130a7ee2a7a937e629f66f18f0aa5
SHA256: 995d47356ca2096dbd2625c155a9d18e3a82d33ab22043d06aa3e1fdf15269e7
SHA512: a0a2ef98bd495cfb4348a43a36d2755cffc68ef5ceff8b0740934b359bc94330fd6f39b73fc15e9e374d87fc0ed90e93b9212b99ad95a06998059dead246f7d1
SSDEEP: 3072:e4tWMJJh6fryYP/daqh8iJkZyrV9coUOI+cs3mSxlsW:ecWMJJhqryYP/daqh5JgyrV9ckIts3xp
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2320 | haozip.exe

Loads dropped DLL (2 IoCs)
pid | Process
2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe

YARA rule matches (3 IoCs)
resource | yara_rule
behavioral1/files/0x002c00000001866f-11.dat | upx
behavioral1/memory/2320-20-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2320-44-0x0000000000400000-0x000000000041C000-memory.dmp | upx

Drops file in Program Files directory (19 IoCs)
description | ioc | Process
File created | C:\Program Files\movie.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\mm.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\Thunder\ComDlls\1143\bubhlq.exe | haozip.exe
File opened for modification | C:\Program Files\game.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\Internet Explorer\MUI\iexplore.exe | haozip.exe
File opened for modification | C:\Program Files\Thunder\ComDlls | haozip.exe
File created | C:\Program Files\Thunder\ComDlls\1143\mm.ico | haozip.exe
File opened for modification | C:\Program Files\mm.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\game.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\Thunder\ComDlls\1143\game.ico | haozip.exe
File created | C:\Program Files\Thunder\ComDlls\1143\movie.ico | haozip.exe
File created | C:\Program Files\__tmp_rar_sfx_access_check_259475043 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\haozip.exe | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File opened for modification | C:\Program Files\haozip.exe | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File opened for modification | C:\Program Files\taobao.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File created | C:\Program Files\Thunder\ComDlls\1143\taobao.ico | haozip.exe
File created | C:\Program Files\taobao.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File opened for modification | C:\Program Files\movie.ico | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\MUI\iexplore.exe | haozip.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | haozip.exe
Modifies registry class (29 IoCs)
String values were rendered by the sandbox as GBK bytes shown in Latin-1; they are given here re-decoded, with an English translation in parentheses.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\DefaultIcon | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell\OpenHomePage\ = "打开主页(&H)" (GBK; "Open Homepage(&H)") | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\ShellFolder\ = "HideOnDesktopPerUser" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msm4\ = "msm4file" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\IsShortcut | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256} | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\MUI\\iexplore.exe %1 http://www.82vv.com/tb/?desk" | haozip.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\ShellFolder\Attributes = "0" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\LocalizedString = "淘宝网－超值热卖" (GBK; "Taobao: great-value hot deals") | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ = "快捷方式" (GBK; "Shortcut") | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command\ = "\"C:\\Program Files\\Thunder\\ComDlls\\1143\\bubhlq.exe\" \"%1\"" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\ = "open" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\NeverShowExt | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msm4 | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell\ = "OpenHomePage" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\MUI\\cwugn.ico" | haozip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex\ContextMenuHandlers\ | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell\OpenHomePage | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\ShellFolder | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex\ContextMenuHandlers | haozip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell\OpenHomePage\Command | haozip.exe
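The registry changes above amount to two things: a file-class hijack (.msm4 maps to msm4file, whose open verb runs C:\Program Files\Thunder\ComDlls\1143\bubhlq.exe, with NeverShowExt and IsShortcut set so the file passes as a shortcut) and a desktop namespace extension whose OpenHomePage verb opens a URL through an iexplore.exe copied into the Internet Explorer\MUI subfolder rather than the real one next to it. The Python below is an added example for this report, not code from the sandbox or from the sample: it parses IoC lines in the report's own format, undoes the GBK-shown-as-Latin-1 mojibake, extracts the executable and any URL from each shell command, and flags binaries whose file name matches a known system binary but whose path does not (the same look-alike check covers the dropped Internet Explorer\MUI\iexplore.exe in the Program Files table). The sample lines are constructed from the table; KNOWN_SYSTEM_BINARIES and the first-".exe" split for unquoted command lines are assumptions.

```python
"""Parse 'Modifies registry class' IoC lines into findings (added example)."""
import re

# Constructed input: registry IoCs copied in the shape the sandbox prints them.
# The Chinese strings are GBK bytes rendered as Latin-1, exactly as in the report.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msm4\ = "msm4file" haozip.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ = "¿ì½Ý·½Ê½" haozip.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\NeverShowExt haozip.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\IsShortcut haozip.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command\ = '
    r'"\"C:\\Program Files\\Thunder\\ComDlls\\1143\\bubhlq.exe\" \"%1\"" haozip.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{F46E512B-E2AC-4901-97C2-3A35910C0256}\shell\OpenHomePage\Command\ = '
    r'"C:\\Program Files\\Internet Explorer\\MUI\\iexplore.exe %1 http://www.82vv.com/tb/?desk" haozip.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID'
    r'\{F46E512B-E2AC-4901-97C2-3A35910C0256}\LocalizedString = "ÌÔ±¦Íø£' + '\xad' + r'³¬ÖµÈÈÂô" haozip.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon haozip.exe',
]

IOC_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:str|int)\)) (?P<path>\S+)'
    r'(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)
# Any <progid or CLSID>\shell\<verb>\command key; the registry is case-insensitive.
SHELL_CMD_RE = re.compile(r'\\shell\\[^\\]+\\command$', re.IGNORECASE)
URL_RE = re.compile(r'https?://\S+')

# Assumption: default locations of the system binaries the sample's paths imitate.
KNOWN_SYSTEM_BINARIES = {
    'iexplore.exe': {r'c:\program files\internet explorer\iexplore.exe',
                     r'c:\program files (x86)\internet explorer\iexplore.exe'},
}


def fix_mojibake(text):
    """Re-decode GBK bytes that were displayed as Latin-1; leave other text alone."""
    try:
        return text.encode('latin-1').decode('gbk')
    except UnicodeError:
        return text


def unescape(value):
    """The report escapes backslashes and quotes inside values (\\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', value)


def split_command(cmd):
    """Return (exe, args) for a shell command string.

    A quoted path is unambiguous. An unquoted path with spaces is not (Windows
    tries each space-delimited prefix), so as a heuristic we cut at the first '.exe'.
    """
    m = (re.match(r'^"([^"]+)"\s*(.*)$', cmd)
         or re.match(r'^(.*?\.exe)\s*(.*)$', cmd, re.IGNORECASE))
    return (m.group(1), m.group(2)) if m else (cmd, '')


def is_lookalike(exe):
    """True when the file name matches a known system binary but the path does not."""
    known = KNOWN_SYSTEM_BINARIES.get(exe.rsplit('\\', 1)[-1].lower())
    return known is not None and exe.lower() not in known


def analyze(lines):
    findings = []
    for line in lines:
        m = IOC_RE.match(line)
        if not m:
            continue
        key = m['path'].rstrip('\\')          # trailing '\' means the key's (Default) value
        name = key.rsplit('\\', 1)[-1]
        value = unescape(m['value']) if m['value'] is not None else None
        if value is not None and SHELL_CMD_RE.search(key):
            exe, args = split_command(value)
            findings.append({'kind': 'shell_command', 'key': key, 'exe': exe, 'args': args,
                             'urls': URL_RE.findall(args), 'lookalike': is_lookalike(exe)})
        elif name.startswith('.') and value:
            findings.append({'kind': 'extension_map', 'ext': name, 'progid': value})
        elif name.lower() in ('nevershowext', 'isshortcut'):
            findings.append({'kind': 'hide_extension', 'key': key, 'flag': name})
        elif value is not None and fix_mojibake(value) != value:
            findings.append({'kind': 'decoded_string', 'key': key, 'raw': value,
                             'decoded': fix_mojibake(value)})
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_IOCS):
        print(finding)
```

Run against the constructed lines, the shell_command findings give the two handler binaries with the URL attached to the CLSID verb and the MUI iexplore.exe marked as a look-alike; feeding the whole table in (one entry per line) works the same way.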
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
PID 2736 wrote to memory of 2320 | 2736 | 27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\27eaa7f3bf0d6b77dff6797e3d621041_JaffaCakes118.exe"
   PID: 2736
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\haozip.exe (child of PID 2736)
      Command line: "C:\Program Files\haozip.exe"
      PID: 2320
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 173d5c23af9b3a269eb19b1c7426e7d2
SHA1: 47bab303b6880ddbecd3c138fedf028449150f85
SHA256: 55e846ccb820e699dc0dff83931a78b4ce6ba8489be1b13aad2c062d3452e9ff
SHA512: 8b123a7412208ee1786cdffea25afdfa61216ca290cf724489b990a423886e155afe642d42c6c2fa14a254437ee9e0b473a15aa0313e871d04426d888058ba4a

Filesize: 9KB
MD5: c6b53df7e7006fc1ce1bfd8a57cc5dd4
SHA1: 06ea81ea5758b4d5ae700edaf6aaacbcd834b86e
SHA256: 82d3aefca8e69aaa86145495e8fd711070d694fd29f31bc3a1cd4c13abc26a66
SHA512: f5296f215aaac7149f8ab7d80a425263f057fc592f8356dd36f9ac228bde87371b6a1e4ddc974722227634f96cade4e097565659da6b549e51ccedd74bdbef57

Filesize: 31KB
MD5: 6ba5cc22c72b2fc4af1aad1bd163f7b2
SHA1: 698566566c63f062fd08b471f96a44cce0238761
SHA256: c0ce5d64b3a16687ad373486d668de244fac5f8adcce676206f0da27ff3a76f1
SHA512: f849277bf27b04922f0a82effec32801f7b734b809f4968759397c3d3cff14aae4e760482c2bb62ebfa93163e01aac8bac9e3a5cd5fafbc77c1b54a64755543b

Filesize: 2KB
MD5: d77877537a5527e65aa9c34862c6b1e4
SHA1: 4811c789b60dc8c25fcee1fa1e7b8a030c44c4eb
SHA256: 0054c05f60ce75be1e31059a973f3f72544cdeaebab3f74eb446f78fa08f0493
SHA512: fd5a7c4f2a413d7291e00722f97a76aa7e37df0c3ffb86d54c1ac58e595d91ba08fc2c8c66ed74e20b4e873983e233112ff1859289370ef81ee05be7eea4a3d4

Filesize: 34KB
MD5: 25af9eba7330680fc18e71d3d2202f9f
SHA1: c97b1e910f22df1c9947c78804037c212c169062
SHA256: 331e967e336c8997e1daf9b86a17c45e6ac76ec03ff97ebe74026efc61467674
SHA512: b128f8c62b5a3da8e852b3ba04d0aca9e3fdfe44fe6a414714c3770e6261376fe7aacf0d1aaecf3a2639bdb951aa86803e1f781b2494cced86d9c2fb75b3eb7f