2d3c01897f4e4a68e9646b1c5934564ccab796c7f9af7861555b2cd7ddc913e1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe
Size

11KB
MD5

f7e99bd8d6b7cd498d755bf6d9c1ed1c
SHA1

1e17f74cf25f1658432087d8cb06938aa2bcd43b
SHA256

2d3c01897f4e4a68e9646b1c5934564ccab796c7f9af7861555b2cd7ddc913e1
SHA512

f9cc562475abc7b4699f3de5d09794145f01978c12c869c8aa36c6245b26226ac426831057eb4999de1b45f89c3e5be883402d3ff9308f856d14c2673363a00a
SSDEEP

192:t+WK5/23EzxMiQCibo9xaD7pzfqYBJKOEDHxmpuAvqxH+OI+prD3omnmx+hQp0:t+WK5kEYmaHpzfqYBJKOEDRmMAOH+OZF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	darkshell.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	WScript.exe
2040	WScript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\darkshell.exe	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\darkshell.exe	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ds.vbs	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\darkshell.exe	darkshell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	darkshell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2040	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2040	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2040	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2040	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2860	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2860	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2860	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2860	2276	f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe	29
PID 2040 wrote to memory of 2656	2040	WScript.exe	30
PID 2040 wrote to memory of 2656	2040	WScript.exe	30
PID 2040 wrote to memory of 2656	2040	WScript.exe	30
PID 2040 wrote to memory of 2656	2040	WScript.exe	30
PID 2656 wrote to memory of 2688	2656	darkshell.exe	31
PID 2656 wrote to memory of 2688	2656	darkshell.exe	31
PID 2656 wrote to memory of 2688	2656	darkshell.exe	31
PID 2656 wrote to memory of 2688	2656	darkshell.exe	31

C:\Users\Admin\AppData\Local\Temp\f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7e99bd8d6b7cd498d755bf6d9c1ed1c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\ds.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\darkshell.exe
    "C:\Windows\system32\darkshell.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\DARKSH~1.EXE > nul
      4⤵
      PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F7E99B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\darkshell.exe

Filesize
11KB

MD5
f7e99bd8d6b7cd498d755bf6d9c1ed1c

SHA1
1e17f74cf25f1658432087d8cb06938aa2bcd43b

SHA256
2d3c01897f4e4a68e9646b1c5934564ccab796c7f9af7861555b2cd7ddc913e1

SHA512
f9cc562475abc7b4699f3de5d09794145f01978c12c869c8aa36c6245b26226ac426831057eb4999de1b45f89c3e5be883402d3ff9308f856d14c2673363a00a

Download Submit
C:\Windows\SysWOW64\ds.vbs

Filesize
91B

MD5
d39e30a788423b5efd1c4df797b6200a

SHA1
9e995fa5cb085c3a52a22c3c6a8701c133516a0b

SHA256
4dfb35e58668c56520d037b0239885ed6f0f40c5ed7e5c4adae520453faa23aa

SHA512
75b095a085db644057490a477284a6c91357b9b58e34b742c3b35ab859b64172ec7c9781d8c12f6d0333b675c51ed5c96f6aca96dfa4e85820d51bab3330ed8a

Download Submit
memory/2040-10-0x00000000029F0000-0x00000000029FA000-memory.dmp

Filesize
40KB

Download
memory/2276-0-0x0000000000400000-0x000000000040903E-memory.dmp

Filesize
36KB

Download
memory/2276-6-0x0000000000400000-0x000000000040903E-memory.dmp

Filesize
36KB

Download
memory/2656-13-0x0000000000400000-0x000000000040903E-memory.dmp

Filesize
36KB

Download