222b38987e7854a54088fa4a8609348be3a637ed35d0d10f16e0c8991a3fe31e

General

Target

03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
Size

649KB
MD5

03c1d32aee1a7a076dcfa38b19c7eea7
SHA1

fb0cfd443bf7484d26b52e0568cb5a93a38b13da
SHA256

222b38987e7854a54088fa4a8609348be3a637ed35d0d10f16e0c8991a3fe31e
SHA512

035282d49bdeb4704ecd2e36bdeea779495b839e897459ab9ba6bfdb45ab5095acb7a897b21e4d61a4cce0065103f6401c1f4091c593b7f25eaeb84cf0979182
SSDEEP

12288:lzOkGqzUVzOYtQr3O+u3aX+KPhsrwfrEBvhjH6Ic0QZpp1RQfUJRrsfc8vy4hTX:lzOPq4x7Qr3O+u3u5srwjEdhja3xDpUH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bedhcjffih.exe

pid process

2944 bedhcjffih.exe

pid	process
2944	bedhcjffih.exe

Loads dropped DLL 11 IoCs

Processes:

03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exeWerFault.exe

pid	process
1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe
556	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

556 2944 WerFault.exe bedhcjffih.exe

pid	pid_target	process	target process
556	2944	WerFault.exe	bedhcjffih.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2668	wmic.exe
Token: SeSecurityPrivilege	2668	wmic.exe
Token: SeTakeOwnershipPrivilege	2668	wmic.exe
Token: SeLoadDriverPrivilege	2668	wmic.exe
Token: SeSystemProfilePrivilege	2668	wmic.exe
Token: SeSystemtimePrivilege	2668	wmic.exe
Token: SeProfSingleProcessPrivilege	2668	wmic.exe
Token: SeIncBasePriorityPrivilege	2668	wmic.exe
Token: SeCreatePagefilePrivilege	2668	wmic.exe
Token: SeBackupPrivilege	2668	wmic.exe
Token: SeRestorePrivilege	2668	wmic.exe
Token: SeShutdownPrivilege	2668	wmic.exe
Token: SeDebugPrivilege	2668	wmic.exe
Token: SeSystemEnvironmentPrivilege	2668	wmic.exe
Token: SeRemoteShutdownPrivilege	2668	wmic.exe
Token: SeUndockPrivilege	2668	wmic.exe
Token: SeManageVolumePrivilege	2668	wmic.exe
Token: 33	2668	wmic.exe
Token: 34	2668	wmic.exe
Token: 35	2668	wmic.exe
Token: SeIncreaseQuotaPrivilege	2668	wmic.exe
Token: SeSecurityPrivilege	2668	wmic.exe
Token: SeTakeOwnershipPrivilege	2668	wmic.exe
Token: SeLoadDriverPrivilege	2668	wmic.exe
Token: SeSystemProfilePrivilege	2668	wmic.exe
Token: SeSystemtimePrivilege	2668	wmic.exe
Token: SeProfSingleProcessPrivilege	2668	wmic.exe
Token: SeIncBasePriorityPrivilege	2668	wmic.exe
Token: SeCreatePagefilePrivilege	2668	wmic.exe
Token: SeBackupPrivilege	2668	wmic.exe
Token: SeRestorePrivilege	2668	wmic.exe
Token: SeShutdownPrivilege	2668	wmic.exe
Token: SeDebugPrivilege	2668	wmic.exe
Token: SeSystemEnvironmentPrivilege	2668	wmic.exe
Token: SeRemoteShutdownPrivilege	2668	wmic.exe
Token: SeUndockPrivilege	2668	wmic.exe
Token: SeManageVolumePrivilege	2668	wmic.exe
Token: 33	2668	wmic.exe
Token: 34	2668	wmic.exe
Token: 35	2668	wmic.exe
Token: SeIncreaseQuotaPrivilege	2120	wmic.exe
Token: SeSecurityPrivilege	2120	wmic.exe
Token: SeTakeOwnershipPrivilege	2120	wmic.exe
Token: SeLoadDriverPrivilege	2120	wmic.exe
Token: SeSystemProfilePrivilege	2120	wmic.exe
Token: SeSystemtimePrivilege	2120	wmic.exe
Token: SeProfSingleProcessPrivilege	2120	wmic.exe
Token: SeIncBasePriorityPrivilege	2120	wmic.exe
Token: SeCreatePagefilePrivilege	2120	wmic.exe
Token: SeBackupPrivilege	2120	wmic.exe
Token: SeRestorePrivilege	2120	wmic.exe
Token: SeShutdownPrivilege	2120	wmic.exe
Token: SeDebugPrivilege	2120	wmic.exe
Token: SeSystemEnvironmentPrivilege	2120	wmic.exe
Token: SeRemoteShutdownPrivilege	2120	wmic.exe
Token: SeUndockPrivilege	2120	wmic.exe
Token: SeManageVolumePrivilege	2120	wmic.exe
Token: 33	2120	wmic.exe
Token: 34	2120	wmic.exe
Token: 35	2120	wmic.exe
Token: SeIncreaseQuotaPrivilege	2872	wmic.exe
Token: SeSecurityPrivilege	2872	wmic.exe
Token: SeTakeOwnershipPrivilege	2872	wmic.exe
Token: SeLoadDriverPrivilege	2872	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exebedhcjffih.exe

description	pid	process	target process
PID 1368 wrote to memory of 2944	1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 1368 wrote to memory of 2944	1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 1368 wrote to memory of 2944	1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 1368 wrote to memory of 2944	1368	03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe	bedhcjffih.exe
PID 2944 wrote to memory of 2668	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2668	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2668	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2668	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2120	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2120	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2120	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2120	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2872	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2872	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2872	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2872	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2400	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2400	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2400	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2400	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2364	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2364	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2364	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 2364	2944	bedhcjffih.exe	wmic.exe
PID 2944 wrote to memory of 556	2944	bedhcjffih.exe	WerFault.exe
PID 2944 wrote to memory of 556	2944	bedhcjffih.exe	WerFault.exe
PID 2944 wrote to memory of 556	2944	bedhcjffih.exe	WerFault.exe
PID 2944 wrote to memory of 556	2944	bedhcjffih.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe 9\5\0\2\5\3\0\4\1\9\5 JktJQjguOTQzKRsmTlVAS0ZEOS8XKkVAVFVKT0tFQzQsFypER05RSUA8KTEoMTEeKkBJQDwnGyZLUk0/UkNQXkA/NC01MS80ICtSPE1NQFJdUE9MOWdrb2c1Ly1ub3YqQzxOQihUTUsqQUxPJURFQU8eKkBMRUJCRDs4IC0/Lj0pMBcqOy09KywdL0AyNCgoGy9CLzotLR8mPyw4LS8bLFBOTjtQOk9fTk1GVj1CUDgXKlBQSkFVP1NWQExHQTsbLFBOTjtQOk9fTDxKRTlMXGhrYHNyMzMlLi8sKSgpMCMtLVBubhwtJ0BkZ29mb2okKSs9UExKIC8wITEnICkrUG1tcWFea1wgKSslMCsiMixUSj0cLTAjLS0lLi9ATkYbL0NTQl9RUUM4X290bjUsL15kam8ra2MsXmxtK3Jcb2xrLmNzYiArRE9AVj5NQkdGTkE8Fyo/SlNSWj9SS1ZKQEk4MB4qUUg9TUJURlBfU01JPRwuTUg0LSAtP1AxOR8mTUxJVEdIQl9TREM+RkhFR0g+R0FUSUc0Gy9HTlxSUU1LRERAPXJtcmUcLklAS1BSTERLR1tUSkBJWkQ/VFA9Lh8mQ0A/RVY4LiArSEpaO1ROP0hGQ1tERT5JVFBSQEE9YmBjblwbL0JKVE5ITjg/VkRQOzArMzUtMC4lLTAvGyxQPVE4R0NATF1ES1NQQENHNG9yc2AdL1BIREA0LDQxMjAwMC8tMBcqRE1SS0xLQDtaS0RNQzg0Ly04Ji0nLDUoLC46LDYxLywlQUs=
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
3⤵
PID:2400

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
3⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 372
3⤵
- Loads dropped DLL
- Program crash
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81714256560.txt
Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
Filesize
789KB

MD5
7e953bc67b381f49bae46d5b913516df

SHA1
a4fa6eb293a81d68c1be585f77fe4d84afc6ef85

SHA256
12fab995d62a7bc9a9c40f0320ec2bfc31e5aa33ea2d8f94ec9426f56bd25e75

SHA512
514023f0610faa887216f216ce2cfd03e797fd7c05021979632a301232395c6932c506ec17c52898b686b54cdfcbc4c5d363e30a0c812a109e448872f3ea8ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8566.tmp\cwbittx.dll
Filesize
170KB

MD5
a82227bd0cfb88b062e2b08a702d3668

SHA1
f760b4d30eeb6d317cb15503677a098a6f5311e8

SHA256
03713ee5afc47988c3ed690c7eca3e6c74123e23d6526bc5cf5c10292151a35d

SHA512
283ca80a5a64520a7f46b37c65d8c8a81d1f4390dfabf2dc3b0693a176ce501f5de40e169b24d2a48fd1643280141a5b7f43a7a7b0a9391b68bb6dcad65c879c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8566.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads