156b80146ad1303272d8313690449ae9773a18c58af1ce0c2da33e59aadbbc7f

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe
Size

595KB
MD5

2146858ff3deaaa0f496eba2efac416e
SHA1

1219901deb683f19bd85cfd3e13ff3aee9cddc03
SHA256

156b80146ad1303272d8313690449ae9773a18c58af1ce0c2da33e59aadbbc7f
SHA512

cf1a845ba576fd2ad33c54af86e02fb79194c2d0002c1342821d05dc4d8312a8434044accf0da957a00b7f5ec755fafe3aa9501094a557bf25fe7512521aa773
SSDEEP

12288:Dmigkn9dpJPBGodX9wuJqkRBE9thsa8RhYL2PuFcHql:DmixnthXWGBYm/Y6uGq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	ccfcabfidbbf.exe

Loads dropped DLL 10 IoCs

pid	Process
3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe
3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe
3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1352	2632	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: SeIncreaseQuotaPrivilege	2988	wmic.exe
Token: SeSecurityPrivilege	2988	wmic.exe
Token: SeTakeOwnershipPrivilege	2988	wmic.exe
Token: SeLoadDriverPrivilege	2988	wmic.exe
Token: SeSystemProfilePrivilege	2988	wmic.exe
Token: SeSystemtimePrivilege	2988	wmic.exe
Token: SeProfSingleProcessPrivilege	2988	wmic.exe
Token: SeIncBasePriorityPrivilege	2988	wmic.exe
Token: SeCreatePagefilePrivilege	2988	wmic.exe
Token: SeBackupPrivilege	2988	wmic.exe
Token: SeRestorePrivilege	2988	wmic.exe
Token: SeShutdownPrivilege	2988	wmic.exe
Token: SeDebugPrivilege	2988	wmic.exe
Token: SeSystemEnvironmentPrivilege	2988	wmic.exe
Token: SeRemoteShutdownPrivilege	2988	wmic.exe
Token: SeUndockPrivilege	2988	wmic.exe
Token: SeManageVolumePrivilege	2988	wmic.exe
Token: 33	2988	wmic.exe
Token: 34	2988	wmic.exe
Token: 35	2988	wmic.exe
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2632	3036	2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe	28
PID 2632 wrote to memory of 2616	2632	ccfcabfidbbf.exe	29
PID 2632 wrote to memory of 2616	2632	ccfcabfidbbf.exe	29
PID 2632 wrote to memory of 2616	2632	ccfcabfidbbf.exe	29
PID 2632 wrote to memory of 2616	2632	ccfcabfidbbf.exe	29
PID 2632 wrote to memory of 2988	2632	ccfcabfidbbf.exe	32
PID 2632 wrote to memory of 2988	2632	ccfcabfidbbf.exe	32
PID 2632 wrote to memory of 2988	2632	ccfcabfidbbf.exe	32
PID 2632 wrote to memory of 2988	2632	ccfcabfidbbf.exe	32
PID 2632 wrote to memory of 2412	2632	ccfcabfidbbf.exe	34
PID 2632 wrote to memory of 2412	2632	ccfcabfidbbf.exe	34
PID 2632 wrote to memory of 2412	2632	ccfcabfidbbf.exe	34
PID 2632 wrote to memory of 2412	2632	ccfcabfidbbf.exe	34
PID 2632 wrote to memory of 2488	2632	ccfcabfidbbf.exe	36
PID 2632 wrote to memory of 2488	2632	ccfcabfidbbf.exe	36
PID 2632 wrote to memory of 2488	2632	ccfcabfidbbf.exe	36
PID 2632 wrote to memory of 2488	2632	ccfcabfidbbf.exe	36
PID 2632 wrote to memory of 732	2632	ccfcabfidbbf.exe	38
PID 2632 wrote to memory of 732	2632	ccfcabfidbbf.exe	38
PID 2632 wrote to memory of 732	2632	ccfcabfidbbf.exe	38
PID 2632 wrote to memory of 732	2632	ccfcabfidbbf.exe	38
PID 2632 wrote to memory of 1352	2632	ccfcabfidbbf.exe	40
PID 2632 wrote to memory of 1352	2632	ccfcabfidbbf.exe	40
PID 2632 wrote to memory of 1352	2632	ccfcabfidbbf.exe	40
PID 2632 wrote to memory of 1352	2632	ccfcabfidbbf.exe	40

C:\Users\Admin\AppData\Local\Temp\2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2146858ff3deaaa0f496eba2efac416e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\ccfcabfidbbf.exe
  C:\Users\Admin\AppData\Local\Temp\ccfcabfidbbf.exe 2-1-3-5-4-6-6-3-2-7-9 LU9GPzkrMjYyKRctUlI9TEM+Oi4ZJkxEUVJLTEVGQjYoHi5BRE9OQ0E7KywuOC8bKz1DQTspFy1PT0pATz1RXUI7OzExLTMyGixRPklURE9aUUxGOmZta245LCpvX2xzLG1fYyxea2wnXl5yWiVnbWNqHCk9SUc8QkdDOhsrPis6LhkmQjE6KC0aKUExNiQvHyw/MDcnLh4oOzM8KiwcKUpPTT1MQVNcS05DUD5BUjQeLk1NSz5PQFJYPFNLPjgcKUpPTT1MQVNcST1HPzpIWm1fJC8rTm9ocWdmXCMxLUBqcGNvbWdkY21xGys/UkJdTklKPGVvcGo0LC1aZ25ycG9dbmNgMF9bMnJiMGFnKHAxJ1hrYHdqaltxcCxcZmsuZ21hJzFyNCkkdWhrX2txbSpnLi80LWJzYRopQlY+VkFMQUdFSD86Hig/TVJRWj5MSVRRPkk7MR0qUEI7S0lSRlNeUk1INxosVEY0MB8sP08rN3JJcUVoZzRjTE5jNE9tYTVvVUZec09CYGc4Zk1vLnBjSjRwYlBnZTVSdWEtNlhbKXB1d0U+KkZVNGUvQ2p0Wkk/b19BcydDY1FCakBuQ1QsSng1YU5IPFxLYzw6QTR2QC0/S1xCPWhlMFRJaGJxcFdRSkhPbGdSQ2YtY0JsQnROS11nMmdfTzBVNi51S1Nic3VSZWpmdURma0pQNXI5dlZVTFNlRUw1aSxWYisbK0xPS1JCRENeVEBIPUlKQ0JEP0ZCUE5GNx0tQkpdUVJJUENHQjttaXNkHSpOP05SUEdATEZcUE8/TFxCOlBRPC8bK0JDQUNRNC8fLERPWT5WTDpER0JcQEo9TFZOTTxCPGNcaG1fHS09RlVNSUo9PllGTjYsLi0uMjUoKzQ3JykyNB0qUENHQjsqKzAzNTQyMSwzHig7TVZLR0s7PlxSQkRDPC8qLi8pLy
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715108394.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715108394.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715108394.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715108394.txt bios get version
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715108394.txt bios get version
    3⤵
    PID:732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81715108394.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\ccfcabfidbbf.exe

Filesize
809KB

MD5
bc111e35bf27aa67c0577e31626edf6e

SHA1
9092ea7c0c4aa4dd3792c6d0b7c82c6cd82552c2

SHA256
f91297879430e2530a5e69dd2b441de26dece266f48281720ef39d0b91593b44

SHA512
3977e8fb4b62cbd68c3aaef52426ed23574c17fb3f2d6a44136a3df836cc57fd1b8d27c6ba5bf4087941ef8758fb2d63e1bee1d43faa67c67023ff4a43d5264c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd74A4.tmp\hug.dll

Filesize
120KB

MD5
723a2a8598c45c182aa68520343af9bb

SHA1
4f3562eebed639169e3c77669dbc2d5eb2cbe6e1

SHA256
cbae224828c16bfce4538f77b6817205f8f8e8ecb70373bb213849a015ed8ded

SHA512
cb97e8aa6ba0cf2c36df7bbc8134121bafcd581d2fffbd23f1c2c681dad8108a556024a52bb606e38466023ca9dad3302ff6ebb6baf469b220942f8565ec774b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd74A4.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit