Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-04-2024 22:39

General

  • Target
    03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
  • Size
    1.1MB
  • MD5
    03c98422dc76b44642c9915cac8689e2
  • SHA1
    fa166b50c812393f5dfe874bd1d416ea150cd5af
  • SHA256
    cc7ba2aa2b2f23b11f2bc4608eaa6b8e465d00733c14ad42f155abf6606baf1d
  • SHA512
    3bb484e01d7f0e087056573e35443638d61fa78a60734deb89d1ad27d0dc0cd82e445eb3b1f23677c041663b50743cc558655fbc7835a355d1fcbff771e4e713
  • SSDEEP
    24576:FbSaE4mvt/OjXQ/AJoq/jlxtdp2us7JdHf:FbSv4mv0jQZq/RxK7jHf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs
    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\1430557336.exe
        C:\Users\Admin\AppData\Local\Temp\1430557336.exe 0^4^6^2^5^5^1^4^8^5^4 …
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get serialnumber
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2836
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1528
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2020
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version
          4⤵
          PID:2840
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version
          4⤵
          PID:2272
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 368
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    • Filesize
      68KB
    • MD5
      29f65ba8e88c063813cc50a4ea544e93
    • SHA1
      05a7040d5c127e68c25d81cc51271ffb8bef3568
    • SHA256
      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    • SHA512
      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
  • C:\Users\Admin\AppData\Local\Temp\1430557336.exe
    • Filesize
      764KB
    • MD5
      463a2719b716b51902f7be46d2044f14
    • SHA1
      59f9bbcf88bd944e844baa225634f5733844cffb
    • SHA256
      5713fb5b1bb776da9d0dacf6c3943a133d26791df67da136805b2c8bbcc8171c
    • SHA512
      4e2694e497b6c0aa1246eec0588cc83639385f76bbbaac9034b98759672b86fa2f5ef91e73163edfb99ed964a268ccc956cbb6e7fc13a563a67b1f2233d3359f
  • C:\Users\Admin\AppData\Local\Temp\81714257548.txt
    • Filesize
      66B
    • MD5
      9025468f85256136f923096b01375964
    • SHA1
      7fcd174999661594fa5f88890ffb195e9858cc52
    • SHA256
      d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
    • SHA512
      92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
  • C:\Users\Admin\AppData\Local\Temp\File.exe
    • Filesize
      558KB
    • MD5
      adf590c9241589e963b0c7c96d9eb839
    • SHA1
      65b942dd5cdfc2be6b0bc24371383951a98c117c
    • SHA256
      fe31629b3787114cc555f90b21c3a58da8a3380a5b6e0347496bf8f52b063e64
    • SHA512
      a3132fa50dbbba4bf08fee8c35705292e951b1f21bd372e70a438d6cbae030cae66843639cee32a36055edfab00d717dad5a4770134a2a79099659b3b4faad9d
  • C:\Users\Admin\AppData\Local\Temp\Tar1730.tmp
    • Filesize
      177KB
    • MD5
      435a9ac180383f9fa094131b173a2f7b
    • SHA1
      76944ea657a9db94f9a4bef38f88c46ed4166983
    • SHA256
      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    • SHA512
      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
  • C:\Users\Admin\AppData\Local\Temp\nsd1B10.tmp\dhihhg.dll
    • Filesize
      126KB
    • MD5
      09c0a8445c727b6cdee796a9a58b5482
    • SHA1
      e654bd7418601f7205b2632c8bf32c29295384f9
    • SHA256
      e363e4886f4a87644efc9a2515c0a98c054f50b02fc5fb58b540e041ad0d70d3
    • SHA512
      3a43a904ea11bc1b70580da33196073e6f3a53841342ff755845f4eff94f4009b1fd496a57b2a38f36bb9dadbb87af92ca8ab9222547d780db081dc0a6ae0b85
  • \Users\Admin\AppData\Local\Temp\nsd1B10.tmp\nsisunz.dll
    • Filesize
      40KB
    • MD5
      5f13dbc378792f23e598079fc1e4422b
    • SHA1
      5813c05802f15930aa860b8363af2b58426c8adf
    • SHA256
      6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
    • SHA512
      9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5
  • memory/3028-7-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
    • Filesize
      9.6MB
  • memory/3028-8-0x0000000000AE0000-0x0000000000B60000-memory.dmp
    • Filesize
      512KB
  • memory/3028-61-0x0000000000F30000-0x0000000000FA8000-memory.dmp
    • Filesize
      480KB
  • memory/3028-106-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
    • Filesize
      9.6MB
  • memory/3028-107-0x0000000000AE0000-0x0000000000B60000-memory.dmp
    • Filesize
      512KB