Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 22:22

General

  • Target

    03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe

  • Size

    649KB

  • MD5

    03c1d32aee1a7a076dcfa38b19c7eea7

  • SHA1

    fb0cfd443bf7484d26b52e0568cb5a93a38b13da

  • SHA256

    222b38987e7854a54088fa4a8609348be3a637ed35d0d10f16e0c8991a3fe31e

  • SHA512

    035282d49bdeb4704ecd2e36bdeea779495b839e897459ab9ba6bfdb45ab5095acb7a897b21e4d61a4cce0065103f6401c1f4091c593b7f25eaeb84cf0979182

  • SSDEEP

    12288:lzOkGqzUVzOYtQr3O+u3aX+KPhsrwfrEBvhjH6Ic0QZpp1RQfUJRrsfc8vy4hTX:lzOPq4x7Qr3O+u3u5srwjEdhja3xDpUH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
      C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe 9\5\0\2\5\3\0\4\1\9\5 JktJQjguOTQzKRsmTlVAS0ZEOS8XKkVAVFVKT0tFQzQsFypER05RSUA8KTEoMTEeKkBJQDwnGyZLUk0/UkNQXkA/NC01MS80ICtSPE1NQFJdUE9MOWdrb2c1Ly1ub3YqQzxOQihUTUsqQUxPJURFQU8eKkBMRUJCRDs4IC0/Lj0pMBcqOy09KywdL0AyNCgoGy9CLzotLR8mPyw4LS8bLFBOTjtQOk9fTk1GVj1CUDgXKlBQSkFVP1NWQExHQTsbLFBOTjtQOk9fTDxKRTlMXGhrYHNyMzMlLi8sKSgpMCMtLVBubhwtJ0BkZ29mb2okKSs9UExKIC8wITEnICkrUG1tcWFea1wgKSslMCsiMixUSj0cLTAjLS0lLi9ATkYbL0NTQl9RUUM4X290bjUsL15kam8ra2MsXmxtK3Jcb2xrLmNzYiArRE9AVj5NQkdGTkE8Fyo/SlNSWj9SS1ZKQEk4MB4qUUg9TUJURlBfU01JPRwuTUg0LSAtP1AxOR8mTUxJVEdIQl9TREM+RkhFR0g+R0FUSUc0Gy9HTlxSUU1LRERAPXJtcmUcLklAS1BSTERLR1tUSkBJWkQ/VFA9Lh8mQ0A/RVY4LiArSEpaO1ROP0hGQ1tERT5JVFBSQEE9YmBjblwbL0JKVE5ITjg/VkRQOzArMzUtMC4lLTAvGyxQPVE4R0NATF1ES1NQQENHNG9yc2AdL1BIREA0LDQxMjAwMC8tMBcqRE1SS0xLQDtaS0RNQzg0Ly04Ji0nLDUoLC46LDYxLywlQUs=
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
        3⤵
          PID:2400
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
          3⤵
            PID:2364
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 372
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:556

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\81714256560.txt
        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
        Filesize

        789KB

        MD5

        7e953bc67b381f49bae46d5b913516df

        SHA1

        a4fa6eb293a81d68c1be585f77fe4d84afc6ef85

        SHA256

        12fab995d62a7bc9a9c40f0320ec2bfc31e5aa33ea2d8f94ec9426f56bd25e75

        SHA512

        514023f0610faa887216f216ce2cfd03e797fd7c05021979632a301232395c6932c506ec17c52898b686b54cdfcbc4c5d363e30a0c812a109e448872f3ea8ee0

      • C:\Users\Admin\AppData\Local\Temp\nsd8566.tmp\cwbittx.dll
        Filesize

        170KB

        MD5

        a82227bd0cfb88b062e2b08a702d3668

        SHA1

        f760b4d30eeb6d317cb15503677a098a6f5311e8

        SHA256

        03713ee5afc47988c3ed690c7eca3e6c74123e23d6526bc5cf5c10292151a35d

        SHA512

        283ca80a5a64520a7f46b37c65d8c8a81d1f4390dfabf2dc3b0693a176ce501f5de40e169b24d2a48fd1643280141a5b7f43a7a7b0a9391b68bb6dcad65c879c

      • \Users\Admin\AppData\Local\Temp\nsd8566.tmp\ZipDLL.dll
        Filesize

        163KB

        MD5

        2dc35ddcabcb2b24919b9afae4ec3091

        SHA1

        9eeed33c3abc656353a7ebd1c66af38cccadd939

        SHA256

        6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

        SHA512

        0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901