75ff6072436c6bf42b8bac92bdb5127f2000032d856b0a67266048cc090ef11a

General

Target

03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe
Size

644KB
MD5

03bcef28d79f03e9bcfb05a3722699a0
SHA1

787640ec274802006f801b5a7cfa315120cf1e3e
SHA256

75ff6072436c6bf42b8bac92bdb5127f2000032d856b0a67266048cc090ef11a
SHA512

428d0a2307360b107f93c7bb2bdca2c66634e6a76c6d0d2692b3ff3d1c5a3e3d2cebf5f0d4af71bb4e08e246e89d23e29c0a30c4cb77e22473441f13daf4198b
SSDEEP

12288:dVU13hQOaDz9vRuZbbiprlBD6scxCG0b+TwamjBtxYjfc8vy4hx:dVUL4z9vUZAlcJOb+kamjBtmQ86S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bedfggacfb.exe

pid process

2672 bedfggacfb.exe

pid	process
2672	bedfggacfb.exe

Loads dropped DLL 11 IoCs

Processes:

03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exeWerFault.exe

pid	process
2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe
2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe
2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe
2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2476 2672 WerFault.exe bedfggacfb.exe

pid	pid_target	process	target process
2476	2672	WerFault.exe	bedfggacfb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2540	wmic.exe
Token: SeSecurityPrivilege	2540	wmic.exe
Token: SeTakeOwnershipPrivilege	2540	wmic.exe
Token: SeLoadDriverPrivilege	2540	wmic.exe
Token: SeSystemProfilePrivilege	2540	wmic.exe
Token: SeSystemtimePrivilege	2540	wmic.exe
Token: SeProfSingleProcessPrivilege	2540	wmic.exe
Token: SeIncBasePriorityPrivilege	2540	wmic.exe
Token: SeCreatePagefilePrivilege	2540	wmic.exe
Token: SeBackupPrivilege	2540	wmic.exe
Token: SeRestorePrivilege	2540	wmic.exe
Token: SeShutdownPrivilege	2540	wmic.exe
Token: SeDebugPrivilege	2540	wmic.exe
Token: SeSystemEnvironmentPrivilege	2540	wmic.exe
Token: SeRemoteShutdownPrivilege	2540	wmic.exe
Token: SeUndockPrivilege	2540	wmic.exe
Token: SeManageVolumePrivilege	2540	wmic.exe
Token: 33	2540	wmic.exe
Token: 34	2540	wmic.exe
Token: 35	2540	wmic.exe
Token: SeIncreaseQuotaPrivilege	2540	wmic.exe
Token: SeSecurityPrivilege	2540	wmic.exe
Token: SeTakeOwnershipPrivilege	2540	wmic.exe
Token: SeLoadDriverPrivilege	2540	wmic.exe
Token: SeSystemProfilePrivilege	2540	wmic.exe
Token: SeSystemtimePrivilege	2540	wmic.exe
Token: SeProfSingleProcessPrivilege	2540	wmic.exe
Token: SeIncBasePriorityPrivilege	2540	wmic.exe
Token: SeCreatePagefilePrivilege	2540	wmic.exe
Token: SeBackupPrivilege	2540	wmic.exe
Token: SeRestorePrivilege	2540	wmic.exe
Token: SeShutdownPrivilege	2540	wmic.exe
Token: SeDebugPrivilege	2540	wmic.exe
Token: SeSystemEnvironmentPrivilege	2540	wmic.exe
Token: SeRemoteShutdownPrivilege	2540	wmic.exe
Token: SeUndockPrivilege	2540	wmic.exe
Token: SeManageVolumePrivilege	2540	wmic.exe
Token: 33	2540	wmic.exe
Token: 34	2540	wmic.exe
Token: 35	2540	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2380	wmic.exe
Token: SeSecurityPrivilege	2380	wmic.exe
Token: SeTakeOwnershipPrivilege	2380	wmic.exe
Token: SeLoadDriverPrivilege	2380	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exebedfggacfb.exe

description	pid	process	target process
PID 2180 wrote to memory of 2672	2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe	bedfggacfb.exe
PID 2180 wrote to memory of 2672	2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe	bedfggacfb.exe
PID 2180 wrote to memory of 2672	2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe	bedfggacfb.exe
PID 2180 wrote to memory of 2672	2180	03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe	bedfggacfb.exe
PID 2672 wrote to memory of 2540	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2540	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2540	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2540	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2524	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2524	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2524	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2524	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2380	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2380	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2380	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2380	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2284	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2284	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2284	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2284	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2960	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2960	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2960	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2960	2672	bedfggacfb.exe	wmic.exe
PID 2672 wrote to memory of 2476	2672	bedfggacfb.exe	WerFault.exe
PID 2672 wrote to memory of 2476	2672	bedfggacfb.exe	WerFault.exe
PID 2672 wrote to memory of 2476	2672	bedfggacfb.exe	WerFault.exe
PID 2672 wrote to memory of 2476	2672	bedfggacfb.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03bcef28d79f03e9bcfb05a3722699a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\bedfggacfb.exe
C:\Users\Admin\AppData\Local\Temp\bedfggacfb.exe 8^4^3^0^3^7^0^5^7^1^1 J0xGRDotMi8vHy5LUT9QRj09KxkuTT1QVE9PREk/NjAfJ0BGU1FCRDguMjgvHCxDRj09KxkuT0pLQVVATV9EPTw0KC8xICxMRU1PRFFXUU9MOmF0b2k5Lidvb3YrPUVORCxTR0wqQU1JLkRHRU4YK0BMRjxLRD08HydALj0qKiAqPTE8JS0dL0EsPSgqHy48MDotLhkvPy48LCkcLFBPSERQPFNeSE5GVj48WTgZLk9KS0FVQE1fQE5LQDUcLFBPSERQPFNeRj1KRToZL0BRRF5NTkk9HShFUz5eQkVASUlLPj0bKEdOS1BcQk9IV04+UTwoHCxURTpORlJOVFdRT0w6GS9RRjwxGCtBUy42ICpLVE1MRUpFXFBFRzxOTD1FSkFEPlVNRTwfJ0VQX09OTk9CTEQ1cG91YhkvTT5TVEpKRk5EWFVOPlFePD1WUzorICpBSEM9VDoxHShJTlhDWEY9SklAWEVJPFFYSFBCRDpfYWdsZB8nQExXS0VPPD1eSEg5LjA0JzEyMS0wMTArOC8ZL09CTEQ1LTEzMi83LC44LxgrQU9UR0xKOkNeTEVKRTovLy4pLjEoLTIqLjMzNDM0LyJMSg==
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714255837.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714255837.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714255837.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714255837.txt bios get version
3⤵
PID:2284

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714255837.txt bios get version
3⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 368
3⤵
- Loads dropped DLL
- Program crash
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81714255837.txt
Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfggacfb.exe
Filesize
765KB

MD5
b8e816f5de4c9e85c2fe65ba8f3adafe

SHA1
e7876f1b9504a16a27fb1acd266d30e1a0346982

SHA256
9022a7905e16a0e102b391a308353cf82654c019c0c6ccdc96b2cc8db650eeaa

SHA512
2a1a57b124304ea3b6aeb1ae9ee70cabee7e844c19804d9dc8d46dddd6bc89d2fdb1e413fc7b971d4cf100ff53e0bbf67a8490266a935c4e86eea7e7083aacae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2AAA.tmp\ihctsns.dll
Filesize
166KB

MD5
9915ed630811790c76c5f9498b982f6a

SHA1
3eee156a20836066056d4dfdd8e320ce524e53e1

SHA256
7203d9a21f1d5abab705f3d42f2b64c887b5355fd9e3b28e3e6dd16d67ade8b1

SHA512
a9581cf3ba9800c6508d77603bdd27cbb6b0021c8423df078912fb6107f4f9914b53e666e97616039be8bda21789fc02c944390fe7700894d5348cc770d3016d

Download Submit
\Users\Admin\AppData\Local\Temp\nst2AAA.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads