3e98199bb26b1dc17d21f7546c6e7815f1fd9d9ba78a2c962cb0487a096eae7d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe
Size

344KB
MD5

00f7d97bb8b3efe90f25ed5055dc1d7c
SHA1

2ef726b562cf179f4141e7fa28360f9f785ee7e0
SHA256

3e98199bb26b1dc17d21f7546c6e7815f1fd9d9ba78a2c962cb0487a096eae7d
SHA512

13497a6afaad29e0a2fac9aff2943f1fbbec1663d6853fe07a6a2d4021eb5d6952001f3148b628034d71c7284c0484a0d28d7ca37e1414410a2f55ebe61d7d31
SSDEEP

6144:HFJ0FYtCGAHsNjSfRcnoO3hooHtKkKLOUhbVMKBuhzFti:aYt0H8jSJxIhoIlGVMKBAc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2228	beeheebchc.exe

Loads dropped DLL 5 IoCs

pid	Process
1724	00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2228	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	2732	wmic.exe
Token: SeSecurityPrivilege	2732	wmic.exe
Token: SeTakeOwnershipPrivilege	2732	wmic.exe
Token: SeLoadDriverPrivilege	2732	wmic.exe
Token: SeSystemProfilePrivilege	2732	wmic.exe
Token: SeSystemtimePrivilege	2732	wmic.exe
Token: SeProfSingleProcessPrivilege	2732	wmic.exe
Token: SeIncBasePriorityPrivilege	2732	wmic.exe
Token: SeCreatePagefilePrivilege	2732	wmic.exe
Token: SeBackupPrivilege	2732	wmic.exe
Token: SeRestorePrivilege	2732	wmic.exe
Token: SeShutdownPrivilege	2732	wmic.exe
Token: SeDebugPrivilege	2732	wmic.exe
Token: SeSystemEnvironmentPrivilege	2732	wmic.exe
Token: SeRemoteShutdownPrivilege	2732	wmic.exe
Token: SeUndockPrivilege	2732	wmic.exe
Token: SeManageVolumePrivilege	2732	wmic.exe
Token: 33	2732	wmic.exe
Token: 34	2732	wmic.exe
Token: 35	2732	wmic.exe
Token: SeIncreaseQuotaPrivilege	2936	wmic.exe
Token: SeSecurityPrivilege	2936	wmic.exe
Token: SeTakeOwnershipPrivilege	2936	wmic.exe
Token: SeLoadDriverPrivilege	2936	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2228	1724	00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2228	1724	00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2228	1724	00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2228	1724	00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe	28
PID 2228 wrote to memory of 2012	2228	beeheebchc.exe	29
PID 2228 wrote to memory of 2012	2228	beeheebchc.exe	29
PID 2228 wrote to memory of 2012	2228	beeheebchc.exe	29
PID 2228 wrote to memory of 2012	2228	beeheebchc.exe	29
PID 2228 wrote to memory of 2732	2228	beeheebchc.exe	32
PID 2228 wrote to memory of 2732	2228	beeheebchc.exe	32
PID 2228 wrote to memory of 2732	2228	beeheebchc.exe	32
PID 2228 wrote to memory of 2732	2228	beeheebchc.exe	32
PID 2228 wrote to memory of 2936	2228	beeheebchc.exe	34
PID 2228 wrote to memory of 2936	2228	beeheebchc.exe	34
PID 2228 wrote to memory of 2936	2228	beeheebchc.exe	34
PID 2228 wrote to memory of 2936	2228	beeheebchc.exe	34
PID 2228 wrote to memory of 2752	2228	beeheebchc.exe	36
PID 2228 wrote to memory of 2752	2228	beeheebchc.exe	36
PID 2228 wrote to memory of 2752	2228	beeheebchc.exe	36
PID 2228 wrote to memory of 2752	2228	beeheebchc.exe	36
PID 2228 wrote to memory of 2716	2228	beeheebchc.exe	38
PID 2228 wrote to memory of 2716	2228	beeheebchc.exe	38
PID 2228 wrote to memory of 2716	2228	beeheebchc.exe	38
PID 2228 wrote to memory of 2716	2228	beeheebchc.exe	38
PID 2228 wrote to memory of 2504	2228	beeheebchc.exe	40
PID 2228 wrote to memory of 2504	2228	beeheebchc.exe	40
PID 2228 wrote to memory of 2504	2228	beeheebchc.exe	40
PID 2228 wrote to memory of 2504	2228	beeheebchc.exe	40

C:\Users\Admin\AppData\Local\Temp\00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00f7d97bb8b3efe90f25ed5055dc1d7c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\beeheebchc.exe
  C:\Users\Admin\AppData\Local\Temp\beeheebchc.exe 8!0!7!1!3!5!2!6!4!9!0 J1BCQzosMjIvKiAnU05BTURCNywXL0ZFTVZMTUlDQDQxGC89SFBPRz45KTcvMDEfLD5HPjknICdQS05BUEFOW0BENTIvODA0HilPPFJORUteUk1KN2RrdGg6KC5wbXQoQDxTQy1NTk0oP0pMJUlGRkgfLD5KQz9CSTw9GS5BLDsnLRcvPDI2LC4bLT4vNC0pIChDMTgrKxwmRC09JjAdKk5MSztVO1RYT09EVDs/UD0YL0lRTD9TPVBWRU1MOjwdKk5MSztVO1RYTT5IQzdMSU88VTxTXEk/R0EXLz1YPl5STUo3HCZFUEVYQko/SkNKPD0YL0FOUE9dPE5GV0tFSzwyGy1ORDhOQ1lIVFxQUEY5Fy9OTTYxHSpCTS00ICdSTk1RREs/W05FRENITEJESztDPFVKTDYfLERRWU5MTkxJRkQ6b3BvYRcvSkVNVE9JR0hDVlVLRUteQTxXTTkpICdIQkNCUzsrHCZJS189WEs8S0M/VkVGQ0tYTU9DPjldYWRzXh8sP01RSkNPOURYSE04MCo0JTEpMCc4MCkvLC4XL0hBS0BJR0NGW0BOS1Q6S0k4cmxxXCAnVEJMQjgvLjAuNCw1MS8wGy0+S05ORE86Q1xPR0dBNDEpLyoyLC0uKzEhODIxLzkxLihKSQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714141534.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714141534.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714141534.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714141534.txt bios get version
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714141534.txt bios get version
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81714141534.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\beeheebchc.exe

Filesize
563KB

MD5
5618deb16dcfd81c10ee60af4ddb72ee

SHA1
feef617f04364b7f2723611d959f6b7d80b36fd9

SHA256
a471054ed41d3794b3f2222ab849f3f192a63e26560068c736051454a895b9c4

SHA512
75d656aedd88061ae05f3f507184fd7ae8f87dd794704b27d4b1a10871fdda35a3bacd56c20b63f9d375ddfa1d19a0587fd4028d224aa0ea26eea36019f8aae2

Download Submit