Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 22:22
Static task
static1
Behavioral task
behavioral1
Sample
03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/cwbittx.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/cwbittx.dll
Resource
win10v2004-20240419-en
General
- Target: 03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
- Size: 649KB
- MD5: 03c1d32aee1a7a076dcfa38b19c7eea7
- SHA1: fb0cfd443bf7484d26b52e0568cb5a93a38b13da
- SHA256: 222b38987e7854a54088fa4a8609348be3a637ed35d0d10f16e0c8991a3fe31e
- SHA512: 035282d49bdeb4704ecd2e36bdeea779495b839e897459ab9ba6bfdb45ab5095acb7a897b21e4d61a4cce0065103f6401c1f4091c593b7f25eaeb84cf0979182
- SSDEEP: 12288:lzOkGqzUVzOYtQr3O+u3aX+KPhsrwfrEBvhjH6Ic0QZpp1RQfUJRrsfc8vy4hTX:lzOPq4x7Qr3O+u3u5srwjEdhja3xDpUH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  2944  bedhcjffih.exe
- Loads dropped DLL (11 IoCs)
  Processes:
  pid   process
  1368  03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe (4 entries)
  556   WerFault.exe (7 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  556   2944         WerFault.exe   bedhcjffih.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  pid 2668 wmic.exe, recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2120 wmic.exe: the same 20 tokens, recorded once
  pid 2872 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (the listing ends at 64 entries)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (pid wrote to memory of target pid; process -> target process; each pair recorded 4 times):
  1368 -> 2944   03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe -> bedhcjffih.exe
  2944 -> 2668   bedhcjffih.exe -> wmic.exe
  2944 -> 2120   bedhcjffih.exe -> wmic.exe
  2944 -> 2872   bedhcjffih.exe -> wmic.exe
  2944 -> 2400   bedhcjffih.exe -> wmic.exe
  2944 -> 2364   bedhcjffih.exe -> wmic.exe
  2944 -> 556    bedhcjffih.exe -> WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe 9\5\0\2\5\3\0\4\1\9\5 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
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get serialnumber
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 372
         - Loads dropped DLL
         - Program crash
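The chain above (a dropped executable in the user's Temp directory spawning wmic.exe to write `bios get serialnumber` / `bios get version` into a Temp file, then crashing under WerFault) is a common VM/sandbox fingerprinting pattern: VirtualBox, VMware and similar hypervisors expose recognisable BIOS serial and version strings. The following is an added example, not part of this sandbox report or its tooling: detection logic in Python over hand-constructed process-creation records modelled on the tree above. Field names follow Sysmon Event ID 1; the PIDs and command lines are taken from the report, while the parent PID of the top-level sample (900) and the benign cmd.exe control (PIDs 3000/4100) are assumptions. It flags wmic BIOS queries that are spawned from, or write their output into, a user Temp directory, reconstructs the parent chain for reporting, and maps the WerFault invocation back to the crashed PID.

```python
"""Detection logic for the WMIC BIOS-fingerprinting chain in this report.

Added example, not part of the sandbox report. EVENTS is hand-constructed
to mirror the report's process tree (PIDs and command lines copied from
it); field names follow Sysmon Event ID 1, but nothing here is a real log.
"""
import re
from collections import defaultdict

# Constructed records. ppid 900 for the sample and the cmd.exe control
# (pids 3000/4100) are assumptions, not data from the report.
EVENTS = [
    {"pid": 1368, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\03c1d32aee1a7a076dcfa38b19c7eea7_JaffaCakes118.exe"'},
    {"pid": 2944, "ppid": 1368,
     "image": r"C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe 9\5\0\2\5\3\0\4\1\9\5"},
    {"pid": 2668, "ppid": 2944,
     "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get serialnumber"},
    {"pid": 2120, "ppid": 2944,
     "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81714256560.txt bios get version"},
    {"pid": 556, "ppid": 2944,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 372"},
    # Benign control: an interactive BIOS query from a console, no Temp involved.
    {"pid": 3000, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4100, "ppid": 3000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic bios get serialnumber"},
]

# Per-user Temp directory on any drive letter.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# The two WMIC BIOS queries used in the report.
WMIC_BIOS = re.compile(r"\bbios\s+get\s+(serialnumber|version)\b", re.IGNORECASE)
WMIC_OUTPUT = re.compile(r"/output:(\S+)", re.IGNORECASE)
# WerFault is started with -p <pid of the crashed process>.
WERFAULT_TARGET = re.compile(r"\s-p\s+(\d+)\b")


def build_tree(events):
    """Return (by_pid, children) so the chain can be walked in both directions."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestors(pid, by_pid):
    """Yield ancestor records from the parent upward; stop at the first unknown PID."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return
        yield by_pid[parent]
        pid = parent


def chain(pid, by_pid):
    """PIDs from the oldest known ancestor down to pid, for the analyst report."""
    path = [pid] + [a["pid"] for a in ancestors(pid, by_pid)]
    return list(reversed(path))


def find_bios_fingerprinting(events):
    """Flag wmic BIOS queries spawned from, or writing into, a user Temp directory."""
    by_pid, _ = build_tree(events)
    findings = []
    for e in events:
        if not e["image"].lower().endswith(r"\wmic.exe"):
            continue
        query = WMIC_BIOS.search(e["cmdline"])
        if not query:
            continue
        out = WMIC_OUTPUT.search(e["cmdline"])
        temp_output = bool(out and USER_TEMP.match(out.group(1)))
        temp_parent = any(USER_TEMP.match(a["image"]) for a in ancestors(e["pid"], by_pid))
        if temp_output or temp_parent:
            reasons = [name for name, hit in (("output-to-user-temp", temp_output),
                                              ("spawned-from-user-temp", temp_parent)) if hit]
            findings.append({"pid": e["pid"], "ppid": e["ppid"],
                             "query": query.group(1).lower(),
                             "output": out.group(1) if out else None,
                             "chain": chain(e["pid"], by_pid),
                             "reasons": reasons})
    return findings


def werfault_targets(events):
    """Map each WerFault.exe PID to the PID it was invoked for (-p <pid>)."""
    targets = {}
    for e in events:
        if e["image"].lower().endswith(r"\werfault.exe"):
            m = WERFAULT_TARGET.search(e["cmdline"])
            if m:
                targets[e["pid"]] = int(m.group(1))
    return targets


if __name__ == "__main__":
    for f in find_bios_fingerprinting(EVENTS):
        print(f"pid {f['pid']} bios get {f['query']} chain={f['chain']} reasons={f['reasons']}")
    for wer_pid, crashed in werfault_targets(EVENTS).items():
        print(f"WerFault {wer_pid} handled crash of pid {crashed}")
```

The benign control (an interactive `wmic bios get serialnumber` under cmd.exe) is deliberately not flagged: the signal is not the BIOS query itself but its combination with a Temp-resident parent or a Temp-resident output file, which is what separates this sample's behaviour from an administrator's query.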
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\81714256560.txt
  Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- C:\Users\Admin\AppData\Local\Temp\bedhcjffih.exe
  Filesize: 789KB
  MD5: 7e953bc67b381f49bae46d5b913516df
  SHA1: a4fa6eb293a81d68c1be585f77fe4d84afc6ef85
  SHA256: 12fab995d62a7bc9a9c40f0320ec2bfc31e5aa33ea2d8f94ec9426f56bd25e75
  SHA512: 514023f0610faa887216f216ce2cfd03e797fd7c05021979632a301232395c6932c506ec17c52898b686b54cdfcbc4c5d363e30a0c812a109e448872f3ea8ee0
- C:\Users\Admin\AppData\Local\Temp\nsd8566.tmp\cwbittx.dll
  Filesize: 170KB
  MD5: a82227bd0cfb88b062e2b08a702d3668
  SHA1: f760b4d30eeb6d317cb15503677a098a6f5311e8
  SHA256: 03713ee5afc47988c3ed690c7eca3e6c74123e23d6526bc5cf5c10292151a35d
  SHA512: 283ca80a5a64520a7f46b37c65d8c8a81d1f4390dfabf2dc3b0693a176ce501f5de40e169b24d2a48fd1643280141a5b7f43a7a7b0a9391b68bb6dcad65c879c
- \Users\Admin\AppData\Local\Temp\nsd8566.tmp\ZipDLL.dll
  Filesize: 163KB
  MD5: 2dc35ddcabcb2b24919b9afae4ec3091
  SHA1: 9eeed33c3abc656353a7ebd1c66af38cccadd939
  SHA256: 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
  SHA512: 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901