290eb796af5c083cb1c147c36eab4f3cde6eb93dae2ba5617a82d8a5701eeb2c

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe
Size

643KB
MD5

04eed17ccec6e9df9b7bd514a01d4aed
SHA1

252f6d0d39b26a669e232933972e1c2851325721
SHA256

290eb796af5c083cb1c147c36eab4f3cde6eb93dae2ba5617a82d8a5701eeb2c
SHA512

055f9fcb897ec27e9c5c0ba6ecb006792e0531b4ad08446bc85317565bef1acddd7298f216792b20f3c85a374f222ab77b116c5648fca99960e858c827cfe9a7
SSDEEP

12288:e6PxfmeFqKL34rMeG/iCOeWx38wzGMUW/KMRj7VVAr4TQPT3RZTafc8vy4hR:eyxOe8Kr4oeGieWx38ygWSWPVCU8P7RM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	bedfhegfcb.exe

Loads dropped DLL 2 IoCs

pid	Process
4084	04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe
4084	04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	2016	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: 36	2752	wmic.exe
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: 36	2752	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: 36	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2016	4084	04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe	82
PID 4084 wrote to memory of 2016	4084	04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe	82
PID 4084 wrote to memory of 2016	4084	04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe	82
PID 2016 wrote to memory of 2752	2016	bedfhegfcb.exe	84
PID 2016 wrote to memory of 2752	2016	bedfhegfcb.exe	84
PID 2016 wrote to memory of 2752	2016	bedfhegfcb.exe	84
PID 2016 wrote to memory of 1640	2016	bedfhegfcb.exe	88
PID 2016 wrote to memory of 1640	2016	bedfhegfcb.exe	88
PID 2016 wrote to memory of 1640	2016	bedfhegfcb.exe	88
PID 2016 wrote to memory of 1072	2016	bedfhegfcb.exe	90
PID 2016 wrote to memory of 1072	2016	bedfhegfcb.exe	90
PID 2016 wrote to memory of 1072	2016	bedfhegfcb.exe	90
PID 2016 wrote to memory of 1944	2016	bedfhegfcb.exe	93
PID 2016 wrote to memory of 1944	2016	bedfhegfcb.exe	93
PID 2016 wrote to memory of 1944	2016	bedfhegfcb.exe	93
PID 2016 wrote to memory of 4296	2016	bedfhegfcb.exe	95
PID 2016 wrote to memory of 4296	2016	bedfhegfcb.exe	95
PID 2016 wrote to memory of 4296	2016	bedfhegfcb.exe	95

C:\Users\Admin\AppData\Local\Temp\04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04eed17ccec6e9df9b7bd514a01d4aed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\bedfhegfcb.exe
  C:\Users\Admin\AppData\Local\Temp\bedfhegfcb.exe 9]3]5]3]0]1]1]3]9]5]4 Jk1EQT0xMDAuKxwmUFA/UEhDOicbK0VCT1RPUUpGOzgsFyw/RlNTSEE0LTMwLS4dL0JIQTQrHCZNTUxEVEJRVkRANC8yLjM1HyxKQE5NQk1cVVFLOl9vcGc3KixzcXUrO0BPQipPTFAsQE1HKUVFQ0odL0JLRjpGRTs6LC8zMzQzFypAKDosLjEwHyw7LTkkLhssRDI8KigbKzsxOCoxHy5BLDgpKB0qTVJOQ1I6T1tHT0RTQUJYOhcqTElMP1JDU15CTEc9NB0qTVJOQ1I6T1tFPkhCPUJnMhwtLDx1b29hbnFhYGldaXYgLzBPZGxnZ2EcLytKeSQxLT1cX1wiLS1pciQvJ0Bda2ZpZCUxL0pcIC4nPmdmdmQkLydLQEtTIC8wdzEzKyAuJz48HS9EV0JWUE5DOhssRVdEXDpIQENGSUI9Hy5FRk5QVj9NTFdSRE80LRwmUUM+TkpYTExaUUlJOB0vVUw6KRsrO1AsOmJga2lcbS0XLE1STlNISjxaUzxJPkxNREhKOEJBTE9HOiAuSFBWTVFFUURKRTxzb2xgHCZPQFFVUU1GRUJbTFBAT19DQFZKOC4XLENGRERXOigbK0BQWkFZTUBKQD5bPEs+T1lPU0I7OGJYaW5iIC5DTE5JSEY+P1xJTzwwKCktLTUpLzM1LS4rMRwmUURKRTwwMSowMy0vMTI3Hy5BRlJKQ0w8QV9TSEo8ODMmLiovMDA0Jyk1MS43LjQqT0w=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714298277.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714298277.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714298277.txt bios get version
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714298277.txt bios get version
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714298277.txt bios get version
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 864
    3⤵
    - Program crash
    PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81714298277.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81714298277.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81714298277.txt

Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedfhegfcb.exe

Filesize
763KB

MD5
024d7fceee017bbac4065812abf14ee9

SHA1
890e1f8dc9db076e8114b6ab2d3718e2fabf70ce

SHA256
7baf9b7c78ffab232e3a13eaeaa65f9fcd453d77630bd7a0c8a78387fc5653f8

SHA512
137cbbc8e1d5daf521f89cba14de9d2400152336db2a4251b8ab05735ee1a3b38859bd52d0332e8b70d01f25d336bfcf7a9d36cb87bb8d70c9c31dc892ef73ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4E02.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4E02.tmp\docqoul.dll

Filesize
166KB

MD5
53151bef33d66c48ac125453d985793f

SHA1
c7698b54280742fe8dc745ce736e8e4344c09477

SHA256
014565ad3a80d4767fbd327ea6b078fce2e80017cba355c302c91aa034984eaf

SHA512
b2f3e118573c037bf759d2b7fb5ee5278abc574244d635d21eef0018aa062429fe03ad0a4256b1a1b1f16070d3819f99d728442a74e02d4ece7ceec5ea4ec041

Download Submit