209d00cf16ed8b48f92c8fce04455f2bdc1838425e2e20aadd7b75cb8a675cae

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe
Size

713KB
MD5

fa96eb1f455f31f04e4353d87ed67deb
SHA1

60bc8e5867312b2a0040823d1ba319c8438d2d97
SHA256

209d00cf16ed8b48f92c8fce04455f2bdc1838425e2e20aadd7b75cb8a675cae
SHA512

eef6190eb1cae46ee9049727353b673e388c0c4593ea86532c94e6fb8b5241461c46880cfbdb1d172214b71d4740a5ea0ce2c041ecf3fbbbc065f3533a6c009d
SSDEEP

12288:teuQrvpVn/In0DI23FyEkxjvpRdSYCNpHy5lYmOd9b30T7dtpfc8vy4hx6:te5LpBI0dyz9p7SbPsl2sT7dte86C6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	bedgegejed.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe
2260	fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
432	2760	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3288	wmic.exe
Token: SeSecurityPrivilege	3288	wmic.exe
Token: SeTakeOwnershipPrivilege	3288	wmic.exe
Token: SeLoadDriverPrivilege	3288	wmic.exe
Token: SeSystemProfilePrivilege	3288	wmic.exe
Token: SeSystemtimePrivilege	3288	wmic.exe
Token: SeProfSingleProcessPrivilege	3288	wmic.exe
Token: SeIncBasePriorityPrivilege	3288	wmic.exe
Token: SeCreatePagefilePrivilege	3288	wmic.exe
Token: SeBackupPrivilege	3288	wmic.exe
Token: SeRestorePrivilege	3288	wmic.exe
Token: SeShutdownPrivilege	3288	wmic.exe
Token: SeDebugPrivilege	3288	wmic.exe
Token: SeSystemEnvironmentPrivilege	3288	wmic.exe
Token: SeRemoteShutdownPrivilege	3288	wmic.exe
Token: SeUndockPrivilege	3288	wmic.exe
Token: SeManageVolumePrivilege	3288	wmic.exe
Token: 33	3288	wmic.exe
Token: 34	3288	wmic.exe
Token: 35	3288	wmic.exe
Token: 36	3288	wmic.exe
Token: SeIncreaseQuotaPrivilege	3288	wmic.exe
Token: SeSecurityPrivilege	3288	wmic.exe
Token: SeTakeOwnershipPrivilege	3288	wmic.exe
Token: SeLoadDriverPrivilege	3288	wmic.exe
Token: SeSystemProfilePrivilege	3288	wmic.exe
Token: SeSystemtimePrivilege	3288	wmic.exe
Token: SeProfSingleProcessPrivilege	3288	wmic.exe
Token: SeIncBasePriorityPrivilege	3288	wmic.exe
Token: SeCreatePagefilePrivilege	3288	wmic.exe
Token: SeBackupPrivilege	3288	wmic.exe
Token: SeRestorePrivilege	3288	wmic.exe
Token: SeShutdownPrivilege	3288	wmic.exe
Token: SeDebugPrivilege	3288	wmic.exe
Token: SeSystemEnvironmentPrivilege	3288	wmic.exe
Token: SeRemoteShutdownPrivilege	3288	wmic.exe
Token: SeUndockPrivilege	3288	wmic.exe
Token: SeManageVolumePrivilege	3288	wmic.exe
Token: 33	3288	wmic.exe
Token: 34	3288	wmic.exe
Token: 35	3288	wmic.exe
Token: 36	3288	wmic.exe
Token: SeIncreaseQuotaPrivilege	4608	wmic.exe
Token: SeSecurityPrivilege	4608	wmic.exe
Token: SeTakeOwnershipPrivilege	4608	wmic.exe
Token: SeLoadDriverPrivilege	4608	wmic.exe
Token: SeSystemProfilePrivilege	4608	wmic.exe
Token: SeSystemtimePrivilege	4608	wmic.exe
Token: SeProfSingleProcessPrivilege	4608	wmic.exe
Token: SeIncBasePriorityPrivilege	4608	wmic.exe
Token: SeCreatePagefilePrivilege	4608	wmic.exe
Token: SeBackupPrivilege	4608	wmic.exe
Token: SeRestorePrivilege	4608	wmic.exe
Token: SeShutdownPrivilege	4608	wmic.exe
Token: SeDebugPrivilege	4608	wmic.exe
Token: SeSystemEnvironmentPrivilege	4608	wmic.exe
Token: SeRemoteShutdownPrivilege	4608	wmic.exe
Token: SeUndockPrivilege	4608	wmic.exe
Token: SeManageVolumePrivilege	4608	wmic.exe
Token: 33	4608	wmic.exe
Token: 34	4608	wmic.exe
Token: 35	4608	wmic.exe
Token: 36	4608	wmic.exe
Token: SeIncreaseQuotaPrivilege	4608	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2760	2260	fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe	91
PID 2260 wrote to memory of 2760	2260	fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe	91
PID 2260 wrote to memory of 2760	2260	fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe	91
PID 2760 wrote to memory of 3288	2760	bedgegejed.exe	92
PID 2760 wrote to memory of 3288	2760	bedgegejed.exe	92
PID 2760 wrote to memory of 3288	2760	bedgegejed.exe	92
PID 2760 wrote to memory of 4608	2760	bedgegejed.exe	96
PID 2760 wrote to memory of 4608	2760	bedgegejed.exe	96
PID 2760 wrote to memory of 4608	2760	bedgegejed.exe	96
PID 2760 wrote to memory of 4640	2760	bedgegejed.exe	98
PID 2760 wrote to memory of 4640	2760	bedgegejed.exe	98
PID 2760 wrote to memory of 4640	2760	bedgegejed.exe	98
PID 2760 wrote to memory of 5932	2760	bedgegejed.exe	100
PID 2760 wrote to memory of 5932	2760	bedgegejed.exe	100
PID 2760 wrote to memory of 5932	2760	bedgegejed.exe	100
PID 2760 wrote to memory of 5500	2760	bedgegejed.exe	102
PID 2760 wrote to memory of 5500	2760	bedgegejed.exe	102
PID 2760 wrote to memory of 5500	2760	bedgegejed.exe	102

C:\Users\Admin\AppData\Local\Temp\fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa96eb1f455f31f04e4353d87ed67deb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\bedgegejed.exe
  C:\Users\Admin\AppData\Local\Temp\bedgegejed.exe 1]3]9]5]3]9]5]0]5]9]9 Lk1APzopLTQyJxcuUEw9TUA/PSsXJk1CS1JMSUZJPzQoHyw7RFBLREQ4KS84MS8bLDpERDgnFy5NSUpBTD5UWkA7PC8rLzAqGy9OPElVQklaUklHPWNra283JipwaXEuPzxKSipLSk0kPFBLJUBNQ0YbLDpHST5CQEM6FypBKDgtLBcmQy80KC4XKkQuNCQwHSY/MTQoMRsmOzQ6JCwdJktSSjtMQlFWS09AUUE+UDQfLEdNTDtQQ09WPFRJODgdJktSSjtMQlFWST5EQD0yUWBvHSZAVTxaVU1DNGdxa2s3JiphX2JbbnRlZ2xYX3MpaiotXmRcd2ZpYXJqJWJsZCo0cWRwKVxvZB0mQFU8WkNIO0NISzw4HSZDT05LVkFPRlJQPE09KxcmU0U4SUhQSlVaTElLOhcqU0Q4MhsmO1IuNBssSVBOT0BERFxOQEk6Sk1AQERARDxQT0M4ICpASl5PTElRQEhFOGtpdGIXKk88T1VNRUBNRFZQUDxNXz84UFI6KRssP0REQE80MB0mRFBWP1lJOERIQFZASzpNWUtLPEM6XVxpamAgKjtGVktDSj47WklLNC04KygtKy0yLiwpLx8sRzxPOEdMQENWSEtKTz5DRz1hWGNyYhcqUUBIRTgoKzIzKzIwMDI3GyY7TlRFR0w4P19PQEREOi4qNiYtMCwsITc3Ki03LDIqS0Q=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81713540162.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81713540162.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81713540162.txt bios get version
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81713540162.txt bios get version
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81713540162.txt bios get version
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 952
    3⤵
    - Program crash
    PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2760 -ip 2760
1⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81713540162.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81713540162.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81713540162.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedgegejed.exe

Filesize
975KB

MD5
920747e7f3f3a99ae31cdaeaa8b4ec06

SHA1
10d7e2b5a4ded23dabaa854bca4a13c11cd70798

SHA256
f55e6a320a3945d949131d7491268ab3b3365e0a05f272ebc479a3ef58934d8d

SHA512
612dca38f54379460a14591421e6f058bb2a5a0f3619d48bab2837c257dccfe3865e6c379c710424c429b84dd84d9eb02a4d8d37d52f68f8bb3528635917c59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E2.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E2.tmp\guxvvlj.dll

Filesize
153KB

MD5
b9f10ee282b950087315493642302880

SHA1
035b2a99ae258ed7f69cf8de20e01c60a471a23e

SHA256
43c7531670ec72563ffa3bb36a7058988ccc8f07feb766bd6b120748203062dd

SHA512
c8d4d0f81be6f74100f16fee0979aeb09f9b7a84720466b903cf67b6db3ee4bba76161908a2386976572c646cdbc8fcf73d376b9d43391382377d3e82d5127e2

Download Submit