e6dbe8a4bbb6d337ad5b42ada7b7323552e33c503a58f4d5ed7a5792df9a9e13

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe
Size

339KB
MD5

10516b313f7cc36c07918f6fe6666017
SHA1

0292ad3a8a8f879af013f27b486a1091445637b0
SHA256

e6dbe8a4bbb6d337ad5b42ada7b7323552e33c503a58f4d5ed7a5792df9a9e13
SHA512

02119628e796514f7197dde806ec18d8fc1fab6a0f8d65f2dda2fcfa13dce0984f4607497bc325017111b3bfef648ef8ce0e740639c8fcf5b4bd6ad52dca76d5
SSDEEP

6144:UFJ0VtdtHbhiRh7Sm12P1pPWxHsvlP++6H4xcRvwiaT2phmQwNmGkgb:13tG7Sm0PW8oH4qX3phmVm8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	beeiibcjea.exe

Loads dropped DLL 5 IoCs

pid	Process
3048	10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1816	1708	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2268	wmic.exe
Token: SeSecurityPrivilege	2268	wmic.exe
Token: SeTakeOwnershipPrivilege	2268	wmic.exe
Token: SeLoadDriverPrivilege	2268	wmic.exe
Token: SeSystemProfilePrivilege	2268	wmic.exe
Token: SeSystemtimePrivilege	2268	wmic.exe
Token: SeProfSingleProcessPrivilege	2268	wmic.exe
Token: SeIncBasePriorityPrivilege	2268	wmic.exe
Token: SeCreatePagefilePrivilege	2268	wmic.exe
Token: SeBackupPrivilege	2268	wmic.exe
Token: SeRestorePrivilege	2268	wmic.exe
Token: SeShutdownPrivilege	2268	wmic.exe
Token: SeDebugPrivilege	2268	wmic.exe
Token: SeSystemEnvironmentPrivilege	2268	wmic.exe
Token: SeRemoteShutdownPrivilege	2268	wmic.exe
Token: SeUndockPrivilege	2268	wmic.exe
Token: SeManageVolumePrivilege	2268	wmic.exe
Token: 33	2268	wmic.exe
Token: 34	2268	wmic.exe
Token: 35	2268	wmic.exe
Token: SeIncreaseQuotaPrivilege	2268	wmic.exe
Token: SeSecurityPrivilege	2268	wmic.exe
Token: SeTakeOwnershipPrivilege	2268	wmic.exe
Token: SeLoadDriverPrivilege	2268	wmic.exe
Token: SeSystemProfilePrivilege	2268	wmic.exe
Token: SeSystemtimePrivilege	2268	wmic.exe
Token: SeProfSingleProcessPrivilege	2268	wmic.exe
Token: SeIncBasePriorityPrivilege	2268	wmic.exe
Token: SeCreatePagefilePrivilege	2268	wmic.exe
Token: SeBackupPrivilege	2268	wmic.exe
Token: SeRestorePrivilege	2268	wmic.exe
Token: SeShutdownPrivilege	2268	wmic.exe
Token: SeDebugPrivilege	2268	wmic.exe
Token: SeSystemEnvironmentPrivilege	2268	wmic.exe
Token: SeRemoteShutdownPrivilege	2268	wmic.exe
Token: SeUndockPrivilege	2268	wmic.exe
Token: SeManageVolumePrivilege	2268	wmic.exe
Token: 33	2268	wmic.exe
Token: 34	2268	wmic.exe
Token: 35	2268	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	2656	wmic.exe
Token: SeSecurityPrivilege	2656	wmic.exe
Token: SeTakeOwnershipPrivilege	2656	wmic.exe
Token: SeLoadDriverPrivilege	2656	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1708	3048	10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe	28
PID 3048 wrote to memory of 1708	3048	10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe	28
PID 3048 wrote to memory of 1708	3048	10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe	28
PID 3048 wrote to memory of 1708	3048	10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe	28
PID 1708 wrote to memory of 2268	1708	beeiibcjea.exe	29
PID 1708 wrote to memory of 2268	1708	beeiibcjea.exe	29
PID 1708 wrote to memory of 2268	1708	beeiibcjea.exe	29
PID 1708 wrote to memory of 2268	1708	beeiibcjea.exe	29
PID 1708 wrote to memory of 2572	1708	beeiibcjea.exe	32
PID 1708 wrote to memory of 2572	1708	beeiibcjea.exe	32
PID 1708 wrote to memory of 2572	1708	beeiibcjea.exe	32
PID 1708 wrote to memory of 2572	1708	beeiibcjea.exe	32
PID 1708 wrote to memory of 2656	1708	beeiibcjea.exe	34
PID 1708 wrote to memory of 2656	1708	beeiibcjea.exe	34
PID 1708 wrote to memory of 2656	1708	beeiibcjea.exe	34
PID 1708 wrote to memory of 2656	1708	beeiibcjea.exe	34
PID 1708 wrote to memory of 2664	1708	beeiibcjea.exe	36
PID 1708 wrote to memory of 2664	1708	beeiibcjea.exe	36
PID 1708 wrote to memory of 2664	1708	beeiibcjea.exe	36
PID 1708 wrote to memory of 2664	1708	beeiibcjea.exe	36
PID 1708 wrote to memory of 2592	1708	beeiibcjea.exe	38
PID 1708 wrote to memory of 2592	1708	beeiibcjea.exe	38
PID 1708 wrote to memory of 2592	1708	beeiibcjea.exe	38
PID 1708 wrote to memory of 2592	1708	beeiibcjea.exe	38
PID 1708 wrote to memory of 1816	1708	beeiibcjea.exe	40
PID 1708 wrote to memory of 1816	1708	beeiibcjea.exe	40
PID 1708 wrote to memory of 1816	1708	beeiibcjea.exe	40
PID 1708 wrote to memory of 1816	1708	beeiibcjea.exe	40

C:\Users\Admin\AppData\Local\Temp\10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10516b313f7cc36c07918f6fe6666017_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\beeiibcjea.exe
  C:\Users\Admin\AppData\Local\Temp\beeiibcjea.exe 8/7/9/8/4/9/0/9/7/1/8 J0lAPDkoOS8tMRgnTEw6TEBENCkfJ0Y+S09LSUtAPTwpGCg7QU9LSTs2MTEuKTAYKzpJOzYvGCdJSUdATENLWEg8NSsvMDIrICZMREpOPklXUUlMNGFzbGgzJidvaXYlPURLQyZLR0wkQUdJLUFGP0YYKzpMQDxKQTw2FydAKD0kKh8nPCs0JS0XLzssPCUpGSY8MDQtKBkuPC02JCkcJlBJSENNO01WSE5AVjg8WDUYKEdKSztVOk1ePU1FODUcJlBJSENNO01WRj1ERTRed10YKDxQQVZVSUU8GCc+Tz1bOk07RUhGPTYXJ0RGU0tYQUpHUEo9TjQ1FyhTQDlHQlFLTF9MS0s1GChNRTkpICY9Uik1GSZKUUVUQEZEV08+QztLREVARkA/PU5JRDkXL0BMXkpNR0tBSTw9a2t0XRgoST1QTFJFQk0/V05KPU5WRDhSUjUqGSZARTtFTzYwGCdCSldAUE44Rkg7Vz5FO05QUEs+QzVeWmNrYRcvO0hWRkRIODxbQFA0Ky8wJiooKCowMyUqMSoYKEc5TjhMQz5LV0FHSkw9Q0w0bXFtXRkmTEVERTQqMywwMSkoMC84FyhDR09HQ0c9O19LQkw9NSooJy4wLykpMC0iLzEoNDEwLyNPRQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714732701.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714732701.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714732701.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714732701.txt bios get version
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81714732701.txt bios get version
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81714732701.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\beeiibcjea.exe

Filesize
538KB

MD5
54fa8dd2d61c6dd39fe304e26620d36d

SHA1
177332ee322db4f3c41cbc93d2f77ce9c5657267

SHA256
dccc0c35c9c633afe40c4e2db6b2b55cb836887e2d48540f835b4a0bb9ed7b6e

SHA512
fbea379fbb25dbc740668883200eb5857538d20b08ed38af09a05f8b8f985a41ef1da1dfb1ac8cdc5c456457390624118fd121c5b65c85a3728fff6a94f99923

Download Submit