207f30038099fc9f6ba643b1c8b5817a13e56bd5e70cd31fddc0184fbf377ab8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe
Size

581KB
MD5

2c4f87d2db814b7e96d04c7c62ef2261
SHA1

e7900d03b63c169fe27f8346336196eaf98bcc05
SHA256

207f30038099fc9f6ba643b1c8b5817a13e56bd5e70cd31fddc0184fbf377ab8
SHA512

3339a3c9cc0b05ef69058f0ab006fe6c5b530c3df04c46e9121b234b1a9434a24ba1f918a7932ebe84ae8edb2ba713d3d3f1bca81d8a2a0ab9db6cc761702a58
SSDEEP

12288:XDC73yJg1PYuWJp9f++3QLa3nL0lqLbt3nQgfGA2reW4AfAcktWTEmv:XDwug1gxfZ3QLKniqN3nQgf6rH4ckWr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	1431842551.exe

Loads dropped DLL 11 IoCs

pid	Process
2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe
2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe
2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe
2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	2632	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2520	wmic.exe
Token: SeSecurityPrivilege	2520	wmic.exe
Token: SeTakeOwnershipPrivilege	2520	wmic.exe
Token: SeLoadDriverPrivilege	2520	wmic.exe
Token: SeSystemProfilePrivilege	2520	wmic.exe
Token: SeSystemtimePrivilege	2520	wmic.exe
Token: SeProfSingleProcessPrivilege	2520	wmic.exe
Token: SeIncBasePriorityPrivilege	2520	wmic.exe
Token: SeCreatePagefilePrivilege	2520	wmic.exe
Token: SeBackupPrivilege	2520	wmic.exe
Token: SeRestorePrivilege	2520	wmic.exe
Token: SeShutdownPrivilege	2520	wmic.exe
Token: SeDebugPrivilege	2520	wmic.exe
Token: SeSystemEnvironmentPrivilege	2520	wmic.exe
Token: SeRemoteShutdownPrivilege	2520	wmic.exe
Token: SeUndockPrivilege	2520	wmic.exe
Token: SeManageVolumePrivilege	2520	wmic.exe
Token: 33	2520	wmic.exe
Token: 34	2520	wmic.exe
Token: 35	2520	wmic.exe
Token: SeIncreaseQuotaPrivilege	2520	wmic.exe
Token: SeSecurityPrivilege	2520	wmic.exe
Token: SeTakeOwnershipPrivilege	2520	wmic.exe
Token: SeLoadDriverPrivilege	2520	wmic.exe
Token: SeSystemProfilePrivilege	2520	wmic.exe
Token: SeSystemtimePrivilege	2520	wmic.exe
Token: SeProfSingleProcessPrivilege	2520	wmic.exe
Token: SeIncBasePriorityPrivilege	2520	wmic.exe
Token: SeCreatePagefilePrivilege	2520	wmic.exe
Token: SeBackupPrivilege	2520	wmic.exe
Token: SeRestorePrivilege	2520	wmic.exe
Token: SeShutdownPrivilege	2520	wmic.exe
Token: SeDebugPrivilege	2520	wmic.exe
Token: SeSystemEnvironmentPrivilege	2520	wmic.exe
Token: SeRemoteShutdownPrivilege	2520	wmic.exe
Token: SeUndockPrivilege	2520	wmic.exe
Token: SeManageVolumePrivilege	2520	wmic.exe
Token: 33	2520	wmic.exe
Token: 34	2520	wmic.exe
Token: 35	2520	wmic.exe
Token: SeIncreaseQuotaPrivilege	2420	wmic.exe
Token: SeSecurityPrivilege	2420	wmic.exe
Token: SeTakeOwnershipPrivilege	2420	wmic.exe
Token: SeLoadDriverPrivilege	2420	wmic.exe
Token: SeSystemProfilePrivilege	2420	wmic.exe
Token: SeSystemtimePrivilege	2420	wmic.exe
Token: SeProfSingleProcessPrivilege	2420	wmic.exe
Token: SeIncBasePriorityPrivilege	2420	wmic.exe
Token: SeCreatePagefilePrivilege	2420	wmic.exe
Token: SeBackupPrivilege	2420	wmic.exe
Token: SeRestorePrivilege	2420	wmic.exe
Token: SeShutdownPrivilege	2420	wmic.exe
Token: SeDebugPrivilege	2420	wmic.exe
Token: SeSystemEnvironmentPrivilege	2420	wmic.exe
Token: SeRemoteShutdownPrivilege	2420	wmic.exe
Token: SeUndockPrivilege	2420	wmic.exe
Token: SeManageVolumePrivilege	2420	wmic.exe
Token: 33	2420	wmic.exe
Token: 34	2420	wmic.exe
Token: 35	2420	wmic.exe
Token: SeIncreaseQuotaPrivilege	2140	wmic.exe
Token: SeSecurityPrivilege	2140	wmic.exe
Token: SeTakeOwnershipPrivilege	2140	wmic.exe
Token: SeLoadDriverPrivilege	2140	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2632	2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2632	2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2632	2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2632	2240	2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe	28
PID 2632 wrote to memory of 2520	2632	1431842551.exe	29
PID 2632 wrote to memory of 2520	2632	1431842551.exe	29
PID 2632 wrote to memory of 2520	2632	1431842551.exe	29
PID 2632 wrote to memory of 2520	2632	1431842551.exe	29
PID 2632 wrote to memory of 2420	2632	1431842551.exe	32
PID 2632 wrote to memory of 2420	2632	1431842551.exe	32
PID 2632 wrote to memory of 2420	2632	1431842551.exe	32
PID 2632 wrote to memory of 2420	2632	1431842551.exe	32
PID 2632 wrote to memory of 2140	2632	1431842551.exe	34
PID 2632 wrote to memory of 2140	2632	1431842551.exe	34
PID 2632 wrote to memory of 2140	2632	1431842551.exe	34
PID 2632 wrote to memory of 2140	2632	1431842551.exe	34
PID 2632 wrote to memory of 2868	2632	1431842551.exe	36
PID 2632 wrote to memory of 2868	2632	1431842551.exe	36
PID 2632 wrote to memory of 2868	2632	1431842551.exe	36
PID 2632 wrote to memory of 2868	2632	1431842551.exe	36
PID 2632 wrote to memory of 1488	2632	1431842551.exe	38
PID 2632 wrote to memory of 1488	2632	1431842551.exe	38
PID 2632 wrote to memory of 1488	2632	1431842551.exe	38
PID 2632 wrote to memory of 1488	2632	1431842551.exe	38
PID 2632 wrote to memory of 2572	2632	1431842551.exe	40
PID 2632 wrote to memory of 2572	2632	1431842551.exe	40
PID 2632 wrote to memory of 2572	2632	1431842551.exe	40
PID 2632 wrote to memory of 2572	2632	1431842551.exe	40

C:\Users\Admin\AppData\Local\Temp\2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c4f87d2db814b7e96d04c7c62ef2261_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\1431842551.exe
  C:\Users\Admin\AppData\Local\Temp\1431842551.exe 4*6*3*6*1*4*2*6*6*6*5 K0pGPjwvLiwsGipPTz9KSEA7KhopSUFOVElRR0c+NyobKz5GTVNFQjcsMS0zLB0pQkVCNyoaKkxMTD5UP1JZQz44LTA2Lh8rUT9MUEBOWVJMSzlmbm5qNSspcGx1KkI/TUUoUElNJ0BMTihDSEFLGiw9S0VBRUM+OHNBLUJSNFIrMUVQRUhKM0pDQjJNRVBBMh0pQy07KysqKzEaLD4xOSsrGik/LzcqKx8rQi43JywcKUEvPCkvGilKTUs+Uj1TW05MQ1A8P1M6Gi5MUEk+Tz5QWUJPSz07GilKTUs+Uj1TW0w7Rz84HClCUkRbU0xGNxsrP1U/Xj9LPkZDSUE3HSlHS1FOWTxNS1FQP1E5LhopTkM9SEhTTlFdT0xGOBwpU0c8Lh4pPk0sORosTFRKUkNHP1pTP0k9TklDQ0c7QkFPT0Y8HC1DTVlNUUhRQ0xBO25sb2AcKU8/U1FQSENIQltPUD9RW0I7U004LhosQkhAQ1I3KxsrQ1BZQ1VMO0dDPls/Sz1RVU5OPz44YltpbWQcLT5JUUlIST4+XkVONzAwKS0qLyg3Ki8tLhoqUENKPzwtMi0rMi8xLy4uHytCSVFIR0s7QVlTRUs/Ny8qLTEsLC8tMyQwNDAtNDIuKT1LGilPPDlHbHRoaGpbHyxhMSgtJSdTZ2heaXJvJUtOKjIsKx8tXSdOb2NjYWxuHyxhMygtHzJeKWxwHy5dKy4oLyExXCVBTz4xKy8oJ2pjZV8mQ19gZW4cLU9MRjhkbnFqJC9fHyxgIC5gZF9zLSwqKyssYF9wY2ZqLGNoYGohLGNMdGpSY2dfP2txa2ZuXWJHW2hcY19vWWNhbmZpcyAuYC4uMi02Li8vLDIfL2Bja3VoZmlcYGdeaGBjY2wfLGEtLjArNzAzLyswIC9gMjMyMy8zLC4uMTJWZnd0UT5TbEtTcTNGaGNyRU1IX0w9aCtLZk9uQmdeLEZmMjNHd0xrSWRvX1VzZjJJZDtoR2Y/Z1J4azJEPS5hVXNsMUpPMmJSPTMsRWZpa1N4Ry9FZHNfVlFBbFZnK1NcLj8zXGstdFxBKmFVZ0toVy5mZVI+Y3FMQGZHT2hUS0ZlRj5SP0FIUGRiPU1ROy5OakpPSj5PYV1AbW5gZm1u
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715298684.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715298684.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715298684.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715298684.txt bios get version
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715298684.txt bios get version
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431842551.exe

Filesize
788KB

MD5
f064678b83ee6fb859744275b9e5f51b

SHA1
66166c3418f7c49a9b999417fd837c3ece1b9d47

SHA256
14dd610f549a06e1317e730af2bd6eb6c434ecff0855570b3540dca820a348cc

SHA512
f085002b5128227099861b1cba5048e3fa59c20a6dc62ef4e0c88d3b56e8cb7184373788069c11e303041e6cf1ada761c5f8f3807a1c819fcd688dff04acd196

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715298684.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1B2F.tmp\nraigbw.dll

Filesize
153KB

MD5
fbc2f25eece1f6307c2988c4e34d2e30

SHA1
a1bf3b628c671cbb1528122e554086e851ff8073

SHA256
01ac6332290592c8d229fb2a650c7ce6fde6a3fe40025045adafb76b718cf140

SHA512
d54f8f2bcf2183c448e336543a592f318b91cd8563a2fee436d451d82640fec1fe0927a807e505664c31b3502766cb71bc7628fa6a0b351fb271b1fa13f2909e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1B2F.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit