de9e41a03f8b0f96de181c04aad11730e01b0cce78d01baab5a20d1b85ebcfa6

General

Target

451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe
Size

637KB
MD5

451c572fb41ab89791193064bc3ef582
SHA1

0d25f10e04b7f2a31a035d8cd4ce43102c044c22
SHA256

de9e41a03f8b0f96de181c04aad11730e01b0cce78d01baab5a20d1b85ebcfa6
SHA512

8a0ba520146873f88addb5b65d3f49193774b4a8e4bfff402aa557c43a1fdd875071e0c1edf3fb6728fe8a5edc01f0cc113da1b05a5b38eeb40457f05fd2d0eb
SSDEEP

12288:9pZuNEq5KAUOtmHLYz9ccdWTbaT/dLFLchyDhy91c2obY7XJiXe2GOU/Fi:7oNx0XOt2LA9//dLFLBM5ocjzOU9i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1364	4.exe
3004	Hacker.com.cn.i

Loads dropped DLL 2 IoCs

pid	Process
2264	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe
2264	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.i	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.i	4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.i

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	4.exe
Token: SeDebugPrivilege	3004	Hacker.com.cn.i

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	Hacker.com.cn.i

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1364	2264	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe	30
PID 2264 wrote to memory of 1364	2264	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe	30
PID 2264 wrote to memory of 1364	2264	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe	30
PID 2264 wrote to memory of 1364	2264	451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2636	3004	Hacker.com.cn.i	32
PID 3004 wrote to memory of 2636	3004	Hacker.com.cn.i	32
PID 3004 wrote to memory of 2636	3004	Hacker.com.cn.i	32
PID 3004 wrote to memory of 2636	3004	Hacker.com.cn.i	32

C:\Users\Admin\AppData\Local\Temp\451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\451c572fb41ab89791193064bc3ef582_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

C:\Windows\Hacker.com.cn.i
C:\Windows\Hacker.com.cn.i
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
788KB

MD5
c352087d3caeef153d2aa531261d17ec

SHA1
96b6de0d1ff4283f0fa7d57e519c24a88bd8712e

SHA256
a40f3c447cfe44a03fc45b8fdc2989b3d8c95eebd1d574896f164eaa69ae1fba

SHA512
8a8dced9809e828bbef6489e65a52824bba3a79c3bae21da67d7511237f563c5f94f08fedc3c4317fcbadbbdd04dbd715d0e8f2fe078fa4b00b0a9717a159925

Download Submit
memory/1364-46-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/1364-37-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2264-15-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-14-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-19-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-5-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2264-17-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-16-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2264-4-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2264-13-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-12-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-11-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-10-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2264-9-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2264-3-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2264-7-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2264-6-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2264-18-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-20-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-8-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2264-2-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2264-25-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2264-24-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2264-23-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2264-21-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-22-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2264-36-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/2264-35-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/2264-42-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/2264-49-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/2264-48-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2264-0-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/3004-43-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/3004-50-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads