a14c7568c90da24416944fc7948a5d301bc38e1e19f712df9598058796c1efa5

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe
Size

695KB
MD5

203d684846bd106db60a129d7927f8bc
SHA1

423b0dcc3eb34bb7ee85f0212ad1a9f314b61e39
SHA256

a14c7568c90da24416944fc7948a5d301bc38e1e19f712df9598058796c1efa5
SHA512

fef4e20d66b77cb9661d51dd37d5ceb4b3dfa9c6efcb2d1deca8c28fd78adda0ac87d664de20b89ad491dca2f2587e31ef7d24b2b39930b0e12e4de2dd49b356
SSDEEP

12288:JS108K7ezo/yVf8IOOharx8B1/ty00yGmszAbBwcl9agnHVwb1DAI3nx:JSieM/yVUHiBx0AGXIykaS1I1cIh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	1432288920.exe

Loads dropped DLL 11 IoCs

pid	Process
2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe
2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe
2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe
2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2264	2724	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2648	wmic.exe
Token: SeSecurityPrivilege	2648	wmic.exe
Token: SeTakeOwnershipPrivilege	2648	wmic.exe
Token: SeLoadDriverPrivilege	2648	wmic.exe
Token: SeSystemProfilePrivilege	2648	wmic.exe
Token: SeSystemtimePrivilege	2648	wmic.exe
Token: SeProfSingleProcessPrivilege	2648	wmic.exe
Token: SeIncBasePriorityPrivilege	2648	wmic.exe
Token: SeCreatePagefilePrivilege	2648	wmic.exe
Token: SeBackupPrivilege	2648	wmic.exe
Token: SeRestorePrivilege	2648	wmic.exe
Token: SeShutdownPrivilege	2648	wmic.exe
Token: SeDebugPrivilege	2648	wmic.exe
Token: SeSystemEnvironmentPrivilege	2648	wmic.exe
Token: SeRemoteShutdownPrivilege	2648	wmic.exe
Token: SeUndockPrivilege	2648	wmic.exe
Token: SeManageVolumePrivilege	2648	wmic.exe
Token: 33	2648	wmic.exe
Token: 34	2648	wmic.exe
Token: 35	2648	wmic.exe
Token: SeIncreaseQuotaPrivilege	2648	wmic.exe
Token: SeSecurityPrivilege	2648	wmic.exe
Token: SeTakeOwnershipPrivilege	2648	wmic.exe
Token: SeLoadDriverPrivilege	2648	wmic.exe
Token: SeSystemProfilePrivilege	2648	wmic.exe
Token: SeSystemtimePrivilege	2648	wmic.exe
Token: SeProfSingleProcessPrivilege	2648	wmic.exe
Token: SeIncBasePriorityPrivilege	2648	wmic.exe
Token: SeCreatePagefilePrivilege	2648	wmic.exe
Token: SeBackupPrivilege	2648	wmic.exe
Token: SeRestorePrivilege	2648	wmic.exe
Token: SeShutdownPrivilege	2648	wmic.exe
Token: SeDebugPrivilege	2648	wmic.exe
Token: SeSystemEnvironmentPrivilege	2648	wmic.exe
Token: SeRemoteShutdownPrivilege	2648	wmic.exe
Token: SeUndockPrivilege	2648	wmic.exe
Token: SeManageVolumePrivilege	2648	wmic.exe
Token: 33	2648	wmic.exe
Token: 34	2648	wmic.exe
Token: 35	2648	wmic.exe
Token: SeIncreaseQuotaPrivilege	2984	wmic.exe
Token: SeSecurityPrivilege	2984	wmic.exe
Token: SeTakeOwnershipPrivilege	2984	wmic.exe
Token: SeLoadDriverPrivilege	2984	wmic.exe
Token: SeSystemProfilePrivilege	2984	wmic.exe
Token: SeSystemtimePrivilege	2984	wmic.exe
Token: SeProfSingleProcessPrivilege	2984	wmic.exe
Token: SeIncBasePriorityPrivilege	2984	wmic.exe
Token: SeCreatePagefilePrivilege	2984	wmic.exe
Token: SeBackupPrivilege	2984	wmic.exe
Token: SeRestorePrivilege	2984	wmic.exe
Token: SeShutdownPrivilege	2984	wmic.exe
Token: SeDebugPrivilege	2984	wmic.exe
Token: SeSystemEnvironmentPrivilege	2984	wmic.exe
Token: SeRemoteShutdownPrivilege	2984	wmic.exe
Token: SeUndockPrivilege	2984	wmic.exe
Token: SeManageVolumePrivilege	2984	wmic.exe
Token: 33	2984	wmic.exe
Token: 34	2984	wmic.exe
Token: 35	2984	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2724	2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2724	2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2724	2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2724	2320	203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe	28
PID 2724 wrote to memory of 2648	2724	1432288920.exe	29
PID 2724 wrote to memory of 2648	2724	1432288920.exe	29
PID 2724 wrote to memory of 2648	2724	1432288920.exe	29
PID 2724 wrote to memory of 2648	2724	1432288920.exe	29
PID 2724 wrote to memory of 2984	2724	1432288920.exe	32
PID 2724 wrote to memory of 2984	2724	1432288920.exe	32
PID 2724 wrote to memory of 2984	2724	1432288920.exe	32
PID 2724 wrote to memory of 2984	2724	1432288920.exe	32
PID 2724 wrote to memory of 2620	2724	1432288920.exe	34
PID 2724 wrote to memory of 2620	2724	1432288920.exe	34
PID 2724 wrote to memory of 2620	2724	1432288920.exe	34
PID 2724 wrote to memory of 2620	2724	1432288920.exe	34
PID 2724 wrote to memory of 2492	2724	1432288920.exe	36
PID 2724 wrote to memory of 2492	2724	1432288920.exe	36
PID 2724 wrote to memory of 2492	2724	1432288920.exe	36
PID 2724 wrote to memory of 2492	2724	1432288920.exe	36
PID 2724 wrote to memory of 2488	2724	1432288920.exe	38
PID 2724 wrote to memory of 2488	2724	1432288920.exe	38
PID 2724 wrote to memory of 2488	2724	1432288920.exe	38
PID 2724 wrote to memory of 2488	2724	1432288920.exe	38
PID 2724 wrote to memory of 2264	2724	1432288920.exe	40
PID 2724 wrote to memory of 2264	2724	1432288920.exe	40
PID 2724 wrote to memory of 2264	2724	1432288920.exe	40
PID 2724 wrote to memory of 2264	2724	1432288920.exe	40

C:\Users\Admin\AppData\Local\Temp\203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\203d684846bd106db60a129d7927f8bc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\1432288920.exe
  C:\Users\Admin\AppData\Local\Temp\1432288920.exe 4\5\5\9\1\8\3\0\7\0\8 K0tEOzwpNjMvMxgrTlA5T0FBPSkgJ0pAT05OSkhJPT0pIS0rZ3FnYXVcdGZdaGA0UV1mbVpnXRwqP0BSTEZENjIvMywtFy47RkQ2MBgrS01GQ01AVFhJPDktMTAzKx0vTEVKUkBNVlRKST1hdGxsNSomcmpzLj1FS0coT0ZPJT5QSS5BSkFKFy47SUk8S0FAOBsmQyk6LSogJ0AtOCQwGCxELD0lLRsqOzM1KjEZLzwxOCgoHydNUkhETT9PWkdRQVNBPFk1HCpLSU48UkNNXz1RRzw0HydNUkhETT9PWkVARUI9GS89VEBaTFFEOiAoRVBBWj5EQ0RGTj49GCtDSkpTVz9SSFdLQU04LB8nUUg6TkNVSlBWVEpJPRkvTkk4LRcuPFAxNiAnTlBJS0hFQl9QRUQ/Skg8SEU+Rz5VSkg4GyZIS1xSTk5MRUhANHNqcmUZL0pBT1BJTUFLR1hVS0FNWjtAUVA9KyAnREQ/PFc1LiAoSUtbP1RFQEVGQ1hFRj9NVEdTPUE9X2Fkb2AbJkNHVE5FTzlAWkRHPDEvLis0KiosLC0tKTQxGS9MRUhANDAsMDIrOSwtLi0XLjxMV0dMRz0/WktIRUI9Li8qLiotJzAtJzEqOio0NTApKTlKIChVOTkbKkxRRDpobXRoIS5cHDFeIjJfZ11wbSldaGRiOF1la2dvamctW2xtHjJeTnBpS2hlYkRod2ZoalxbTFlrYWBlaltfYGdrZ3YlK2YqLi0tKTEqLzIrMiouLSApZVxsd2dsZ11faFhtWWRlayUqYmJgazQuIjNfcB0vXywwMi4wJSs2XCEuXyk2Ly4yHjIuaCAuWzEuNjQsJSoyaSAqYykocGtvXHFeb2VgZWIlLGRKYWRoWGZdIjIvZmFoYGlYbF0iM11SXWVoXF5k
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715075555.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715075555.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715075555.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715075555.txt bios get version
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715075555.txt bios get version
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1432288920.exe

Filesize
1021KB

MD5
5fa1af36567c95f6c4ebb9576543d166

SHA1
98a6ade5938f56e02e9babc6d2f6c59b1f0e660a

SHA256
c13365946f7c005a494c9615c4021a8d2cf54631bbe268a05828a96b4536d990

SHA512
4cd22dcbcbc1bec02a07584c66988c6cbd4badaf73b9858b59c0913dc6c669fc014397c85a8c0a63a7907d5e7d645bc701853c10102a0dab7e3dc9cdf0e595e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715075555.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1085.tmp\loasdns.dll

Filesize
158KB

MD5
78f8ef43927ce34ee11d03bdc99c615f

SHA1
808f38fd71070ff2fbc3f365ce796a9497486d1f

SHA256
b79b5641fcb66d785a2bbd6342c75c00f5099ae20691cd063258a2848a24efe2

SHA512
9807ddfede0b8673692bb1160da5362d268e27294706af90fc7b05c48dc51a720fcb77a72ab891b4affb8baa1ad21fd452c99d2a1de1ce91c6ca5fe6aa14af6c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1085.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit