c475fed2f6ba0ac3c67cf84d39fe08956bd72be6857a6f5d047949c46119e44c

General

Target

JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
Size

24KB
MD5

98e3d2086ee5c43d9faf801af4a7cbdb
SHA1

826fd0cee8ae48bf3ec914208fb7e49e773403d8
SHA256

c475fed2f6ba0ac3c67cf84d39fe08956bd72be6857a6f5d047949c46119e44c
SHA512

10bcd7590cec8f1a7f92fa9bd0f0008813aa77ba66c662013b046af5ab4d74a2ea58dc4dc51ba87a8078bfd5620d43d50c2e4e5a06a443aa9f4671cc9dcab155
SSDEEP

384:Pp6CE6rdOhM0qufXwxZsN/YYj5BTMkUMpM1dUr2RqTwleANiW8T/7cE4:hbdOhM0TfgjsRYmNMuwRRqTxNrP

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-b1gf-14d0-89bb-0090ce808666}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-b1gf-14d0-89bb-0090ce808666}\StubPath = "C:\\WINDOWS\\system32\\mhzx.bat"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
1304	gameclien.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\mhzx.bat	gameclien.exe
File created	C:\WINDOWS\SysWOW64\mhzx.reg	gameclien.exe
File created	C:\WINDOWS\SysWOW64\mhzxin.bat	gameclien.exe
File created	C:\WINDOWS\SysWOW64\sougou.ime	gameclien.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5476-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/5476-4-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x000800000002424a-7.dat	upx
behavioral2/memory/1304-22-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WLmhzx\gameclien.exe	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
File opened for modification	C:\Program Files\WLmhzx\gameclien.exe	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
File created	C:\Program Files\WLmhzx\jietu.exe	gameclien.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameclien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3748	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5476	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
5476	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
1304	gameclien.exe
1304	gameclien.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5476 wrote to memory of 6032	5476	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe	85
PID 5476 wrote to memory of 6032	5476	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe	85
PID 5476 wrote to memory of 6032	5476	JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe	85
PID 6032 wrote to memory of 1304	6032	cmd.exe	87
PID 6032 wrote to memory of 1304	6032	cmd.exe	87
PID 6032 wrote to memory of 1304	6032	cmd.exe	87
PID 1304 wrote to memory of 4204	1304	gameclien.exe	88
PID 1304 wrote to memory of 4204	1304	gameclien.exe	88
PID 1304 wrote to memory of 4204	1304	gameclien.exe	88
PID 4204 wrote to memory of 3748	4204	cmd.exe	90
PID 4204 wrote to memory of 3748	4204	cmd.exe	90
PID 4204 wrote to memory of 3748	4204	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98e3d2086ee5c43d9faf801af4a7cbdb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6032
- - C:\Program Files\WLmhzx\gameclien.exe
    "C:\Program Files\WLmhzx\gameclien.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\mhzxin.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit.exe /s mhzx.reg
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WLmhzx\gameclien.exe

Filesize
24KB

MD5
98e3d2086ee5c43d9faf801af4a7cbdb

SHA1
826fd0cee8ae48bf3ec914208fb7e49e773403d8

SHA256
c475fed2f6ba0ac3c67cf84d39fe08956bd72be6857a6f5d047949c46119e44c

SHA512
10bcd7590cec8f1a7f92fa9bd0f0008813aa77ba66c662013b046af5ab4d74a2ea58dc4dc51ba87a8078bfd5620d43d50c2e4e5a06a443aa9f4671cc9dcab155

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
192B

MD5
0c018c557a2f3e38ba6f8abd7a6ab654

SHA1
29f8a3d566ca63eef56e34b1da883c662ec15b63

SHA256
443ede70b2034e790afa0fd6f57d3ee115a3e6ea94e52223a67ad3d4532f31e9

SHA512
dc723214ad4497ac3b0588e46fdef409516bdde28a1a447f3668892433eb500ffb6dc0e46e8573c055962f1f733a53ef69be7153a6fe6d07d3fa123b0892aa0a

Download Submit
C:\WINDOWS\SysWOW64\mhzxin.bat

Filesize
23B

MD5
40ad273cddf8d446a6970e58e36c861e

SHA1
0096494c0a50ee9404e151ba9b0f22d14bbc2a30

SHA256
061b674b67a39109110ee8ff1b00e16e722edc6e6a16e6cb3183091015ec4e97

SHA512
6aee175080408d992fc16ab260631696757670f0525dd56ae54994b08e63a6858d496a70241a84ea859d7a05ceab5acadea3880926af7052c7652755bdb03edf

Download Submit
C:\Windows\SysWOW64\mhzx.reg

Filesize
312B

MD5
f0e79459e4b4ffcc8cb8b3e718fac9ff

SHA1
723bc34d7fad62fc56920d77f0a58fabe57ce049

SHA256
5c665746ab27624fa6b072e04aec98c0ffd8d78bdfa1efd67eeff92dce8dcb66

SHA512
f8e394b54f0bb81be13db5b07543bb21372b461ee02499fb58f60b8216f6b24b8ad27381f7a494e67e7c4c31d285dfdfbb5cb89b604819351626e3a05c36d2ad

Download Submit
C:\Windows\SysWOW64\sougou.ime

Filesize
36KB

MD5
b246f8da3f34c2b59e1ba8f147c7001b

SHA1
4294f29b4a2dcc4561dad6209f3ffa0a00b22e41

SHA256
cf93ff1f3a924712706fd9e9539a1be1ec173121ef5a8d9aad8489fb8acf7786

SHA512
b8535b431413dbbd22182d69fdef3bb42e0105eb7938eef066be995848a061c27d57e8086523e9335237d723ee34fe41f76787d2effd105885122b6f7feba250

Download Submit
memory/1304-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5476-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5476-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads