9ce3e661d972a0b3ecf05fa66ab0a897b023375b2df43c3c02e91c62ee684040

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe
Size

339KB
MD5

2884af879e11ebdbb3e7d9a746b5d7c0
SHA1

adb399579e672bb4372ed47647e94155421a0738
SHA256

9ce3e661d972a0b3ecf05fa66ab0a897b023375b2df43c3c02e91c62ee684040
SHA512

56dab947b320f2a6f5900a7e94fe791e9ad81f3a8376cbad85bda0976a87ab41b9593630678e3fd8a01d7e575a0e9be16cbf4a47583b891be038d64c27475376
SSDEEP

6144:xFJ0twG4I6uXTXzNTmX1T8MMKll+DuCcjEFFBe1arWlyq9RS3PB/4Fmzb:0yI6uDjCNMK3SFB+0Qe3PR4Fmzb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1272	beeijecfdi.exe

Loads dropped DLL 5 IoCs

pid	Process
2168	2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	1272	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemProfilePrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeProfSingleProcessPrivilege	2080	wmic.exe
Token: SeIncBasePriorityPrivilege	2080	wmic.exe
Token: SeCreatePagefilePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeDebugPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeRemoteShutdownPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: 33	2080	wmic.exe
Token: 34	2080	wmic.exe
Token: 35	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2604	wmic.exe
Token: SeSecurityPrivilege	2604	wmic.exe
Token: SeTakeOwnershipPrivilege	2604	wmic.exe
Token: SeLoadDriverPrivilege	2604	wmic.exe
Token: SeSystemProfilePrivilege	2604	wmic.exe
Token: SeSystemtimePrivilege	2604	wmic.exe
Token: SeProfSingleProcessPrivilege	2604	wmic.exe
Token: SeIncBasePriorityPrivilege	2604	wmic.exe
Token: SeCreatePagefilePrivilege	2604	wmic.exe
Token: SeBackupPrivilege	2604	wmic.exe
Token: SeRestorePrivilege	2604	wmic.exe
Token: SeShutdownPrivilege	2604	wmic.exe
Token: SeDebugPrivilege	2604	wmic.exe
Token: SeSystemEnvironmentPrivilege	2604	wmic.exe
Token: SeRemoteShutdownPrivilege	2604	wmic.exe
Token: SeUndockPrivilege	2604	wmic.exe
Token: SeManageVolumePrivilege	2604	wmic.exe
Token: 33	2604	wmic.exe
Token: 34	2604	wmic.exe
Token: 35	2604	wmic.exe
Token: SeIncreaseQuotaPrivilege	2520	wmic.exe
Token: SeSecurityPrivilege	2520	wmic.exe
Token: SeTakeOwnershipPrivilege	2520	wmic.exe
Token: SeLoadDriverPrivilege	2520	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1272	2168	2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1272	2168	2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1272	2168	2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe	28
PID 2168 wrote to memory of 1272	2168	2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe	28
PID 1272 wrote to memory of 2080	1272	beeijecfdi.exe	29
PID 1272 wrote to memory of 2080	1272	beeijecfdi.exe	29
PID 1272 wrote to memory of 2080	1272	beeijecfdi.exe	29
PID 1272 wrote to memory of 2080	1272	beeijecfdi.exe	29
PID 1272 wrote to memory of 2604	1272	beeijecfdi.exe	32
PID 1272 wrote to memory of 2604	1272	beeijecfdi.exe	32
PID 1272 wrote to memory of 2604	1272	beeijecfdi.exe	32
PID 1272 wrote to memory of 2604	1272	beeijecfdi.exe	32
PID 1272 wrote to memory of 2520	1272	beeijecfdi.exe	34
PID 1272 wrote to memory of 2520	1272	beeijecfdi.exe	34
PID 1272 wrote to memory of 2520	1272	beeijecfdi.exe	34
PID 1272 wrote to memory of 2520	1272	beeijecfdi.exe	34
PID 1272 wrote to memory of 2664	1272	beeijecfdi.exe	36
PID 1272 wrote to memory of 2664	1272	beeijecfdi.exe	36
PID 1272 wrote to memory of 2664	1272	beeijecfdi.exe	36
PID 1272 wrote to memory of 2664	1272	beeijecfdi.exe	36
PID 1272 wrote to memory of 2580	1272	beeijecfdi.exe	38
PID 1272 wrote to memory of 2580	1272	beeijecfdi.exe	38
PID 1272 wrote to memory of 2580	1272	beeijecfdi.exe	38
PID 1272 wrote to memory of 2580	1272	beeijecfdi.exe	38
PID 1272 wrote to memory of 2396	1272	beeijecfdi.exe	40
PID 1272 wrote to memory of 2396	1272	beeijecfdi.exe	40
PID 1272 wrote to memory of 2396	1272	beeijecfdi.exe	40
PID 1272 wrote to memory of 2396	1272	beeijecfdi.exe	40

C:\Users\Admin\AppData\Local\Temp\2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2884af879e11ebdbb3e7d9a746b5d7c0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\beeijecfdi.exe
  C:\Users\Admin\AppData\Local\Temp\beeijecfdi.exe 7/7/0/4/2/6/4/6/8/6/3 KElJQDssLy0qMR0oTFU+TkNANygaLEc+VFNNTEdDPDcuGShERVFORT41LDYwLzAcLT1FPjUqHShJUktCTz9OV0NBNis5LC4qHClLP09PPlJbU0xIN2BucWkzLytxbHIoPD9QRCZUS04nPUpIKEZHP08cLT1IQztFRj02VGRLSV9HbCxPSDBtRV9ZSlBDPmoxJkItRExKZTFSdURSVGdERmFAS0xuTipGL0AxSE1rS3JKUVpEVFRBQS9dLSlIUl80XFMqKG82RGNiM0tRY0tMZ2NIbWlNNkRrXl07MCY7VmIuM00tbypcMCw4X19mdEhbGiw9Kj0pLxorPio3KioZL0AxNykrGClBLTYtLR4pQC81Jy4ZKFBOTT5RPUxZTUtCVj1BUzkaJ0pPSD1VP1JZQU9EOzoZKFBOTT5RPUxZSzpGRTlBYl1jZj1la2huZWFmYVkpKDAnKS5dbmUcKT1SQlhOUkg7HndPSkZ6GShFVENZP0c8RkZHPj0cLUJLTUxZP0tIV09DTDkvGClRQTpOR1dJUVlNTEk2YXRwbjQrKVldaWJcaypfXmRpWysrZ150K3JvS3EwRjM8RHl2bU9MUUswZWhnOWk9bnA3KiBzWmsxOSRwXWwqNyNvWnIvOywwLTEzI0k8VFQ7IGk3O2JeYmdDZHBpamNbZmJYKi4vLCoqW2hlHShPTTkwGis+Sys6Ky0zNTcaK0xNSFFCRkVbVT9IPUdHQkJGQUNDT05GNRosQkxfTlNIUENFPzpta3VhHilOP0xPT0dCTkNdT08/SllBOlJTOTAaK0JBPkJRNjEcLUNPWTxTSzpGST9dP0o9SlNNTT5EOWRbaG1dGiw9SFdKSkk9PldDTTYrMDQsKy0qJjMwJyoyLh4pTDtKO0lFPkxbR0hPTjlGSTZtcnFjGitOQUdCNio0MDYzMSouKy8ZKERLVUhISTk+XE1CTUE7Ky4pKSkvKSo1JjQ0LTAyLy8jOk0=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715232954.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715232954.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715232954.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715232954.txt bios get version
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715232954.txt bios get version
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81715232954.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\beeijecfdi.exe

Filesize
538KB

MD5
6326fd9b2068ba9f7d236ae38c42986e

SHA1
4e930cb47934a73b7b45c01e9a9280f34e4b1ee7

SHA256
baa4b9f6534757b98d9a0a35cce2d92d9a8cb898832c47ee70222549622ee1e8

SHA512
515d62fec8c76b941d0b44fb52fd7dc241810fb537139b600411527b9882116717c171457ae0d3fe7ee1096265f69fac6a483b1b65d341c405f411be1888597d

Download Submit