24da2339b68bacaa5de1a6227177ae2ff5e85481b0c574aa4a9f281eec8b43f2

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe
Size

581KB
MD5

35a7cc4e7da09aa1a0fdd628772eeb81
SHA1

f0cc200b2f2b219ae2f0f71373412e08645574df
SHA256

24da2339b68bacaa5de1a6227177ae2ff5e85481b0c574aa4a9f281eec8b43f2
SHA512

e536f1a01958a5dd8395a552750d405e3adaaad808788bb1d87f139a68e75c88cd1ae3eac5003ec00a00045b4fd19ddedd21bf33954a31c48fdb406f547c3a5d
SSDEEP

12288:tU4hUnM8rC6ibkVAw9gPdR0YaFYponURzneJOYLT5go9Glo:tU4hmjrebk29PdR0Kponczne4W5D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2192	1431820951.exe

Loads dropped DLL 11 IoCs

pid	Process
1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe
1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe
1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe
1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1740	2192	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	2744	wmic.exe
Token: SeSecurityPrivilege	2744	wmic.exe
Token: SeTakeOwnershipPrivilege	2744	wmic.exe
Token: SeLoadDriverPrivilege	2744	wmic.exe
Token: SeSystemProfilePrivilege	2744	wmic.exe
Token: SeSystemtimePrivilege	2744	wmic.exe
Token: SeProfSingleProcessPrivilege	2744	wmic.exe
Token: SeIncBasePriorityPrivilege	2744	wmic.exe
Token: SeCreatePagefilePrivilege	2744	wmic.exe
Token: SeBackupPrivilege	2744	wmic.exe
Token: SeRestorePrivilege	2744	wmic.exe
Token: SeShutdownPrivilege	2744	wmic.exe
Token: SeDebugPrivilege	2744	wmic.exe
Token: SeSystemEnvironmentPrivilege	2744	wmic.exe
Token: SeRemoteShutdownPrivilege	2744	wmic.exe
Token: SeUndockPrivilege	2744	wmic.exe
Token: SeManageVolumePrivilege	2744	wmic.exe
Token: 33	2744	wmic.exe
Token: 34	2744	wmic.exe
Token: 35	2744	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2192	1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2192	1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2192	1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2192	1728	35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2600	2192	1431820951.exe	29
PID 2192 wrote to memory of 2600	2192	1431820951.exe	29
PID 2192 wrote to memory of 2600	2192	1431820951.exe	29
PID 2192 wrote to memory of 2600	2192	1431820951.exe	29
PID 2192 wrote to memory of 2744	2192	1431820951.exe	32
PID 2192 wrote to memory of 2744	2192	1431820951.exe	32
PID 2192 wrote to memory of 2744	2192	1431820951.exe	32
PID 2192 wrote to memory of 2744	2192	1431820951.exe	32
PID 2192 wrote to memory of 2700	2192	1431820951.exe	34
PID 2192 wrote to memory of 2700	2192	1431820951.exe	34
PID 2192 wrote to memory of 2700	2192	1431820951.exe	34
PID 2192 wrote to memory of 2700	2192	1431820951.exe	34
PID 2192 wrote to memory of 2388	2192	1431820951.exe	36
PID 2192 wrote to memory of 2388	2192	1431820951.exe	36
PID 2192 wrote to memory of 2388	2192	1431820951.exe	36
PID 2192 wrote to memory of 2388	2192	1431820951.exe	36
PID 2192 wrote to memory of 2320	2192	1431820951.exe	38
PID 2192 wrote to memory of 2320	2192	1431820951.exe	38
PID 2192 wrote to memory of 2320	2192	1431820951.exe	38
PID 2192 wrote to memory of 2320	2192	1431820951.exe	38
PID 2192 wrote to memory of 1740	2192	1431820951.exe	40
PID 2192 wrote to memory of 1740	2192	1431820951.exe	40
PID 2192 wrote to memory of 1740	2192	1431820951.exe	40
PID 2192 wrote to memory of 1740	2192	1431820951.exe	40

C:\Users\Admin\AppData\Local\Temp\35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35a7cc4e7da09aa1a0fdd628772eeb81_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\1431820951.exe
  C:\Users\Admin\AppData\Local\Temp\1431820951.exe 9|8|3|1|7|4|8|1|2|3|9 JkhGQzYvKDEwHSZKTT9PQkA1Lx4sRTxMVE5LR0FDOy0XJjxGUk1FPDwwNCkuKh0uPEU8PC4dJkdKTENOP0xeR0E0KC42MxkrS0RQUzxJV1JRRTlgc3JtMSYncHFvKjxEUUgkS0dNLDpMSC1HSz1GGCxCRUU7SkdBNG5DSU1LMEMzQS1JTUZGOERDOzdBQUcoTh0uPS01MC8tJywYLEMrOSUwHiw7KjUqMBkrPDM7KigXJ0E0NikpHy1NSUY8UkJNW0hRR1M4OlE6HyhMSk5CUjpLV0JURT01Hy1NSUY8UkJNW0ZAS0I0FydCVz5bTVFKOhcmPVVEWD9FQ0pGRTw1HS5BS0tTXT9JRk9QREs5KB8tUT84RkhYSFFXVFBJNBcnU0w2LhguQlAoNBgsUU5KTEhLQlZOPUlCSEk9SEs+PjxNT0s2HCdIUVxJTEZRSEZBNXNwclwXJ09ETVFKTUdLPlZNUERLWzxAV1A0KRgsR0JAPVc7LhcmQVBePVVGQEtGOlY9S0JLVUhTQ0E0XVlpcl4cJ0NNVEVDRz5DWEVIPDQzJSksNi0xLyYwNDMXJkxGTD45KTMxLi8qKTA1LxwnQ01URUNHPkNYUEFMQzosJik0LissKTQoLzEsLjcvLyY5TB4sTDg1Sm5zZWRrXyIpXS0rLyQkT2hsYWZuayhNTScuLS8iKlkjVE5QMiwkMV8iS2pmY15qbCQwYy4lKCIyWydqdSMwWCgpKy8iJ2RoaWIiPl1gamgcJ1RQSTRfbHFvHi9ZJDBjHCleZGRtLSYvLy4oW11waGBqJmhsY2YcKmNRbmpMaGtiO2Zva2toXVxMX2tYXl1vXl1haGttdhwpXi4zLC0wMi8wLS0dL2Vda29tamxYW2VebVpjXXEjL10oLDAwMS8pMjQzHCpeLjAvMiw2NC8wLCpXbEtxS1NLcUZOLC1LYjBwTFE/XEZLcHdGPyxzSERqL0N3QCpIS0FxSzpqY1Z5Oi9DeC5tQmFFYVdzPTBLQXBeUDt0MkR1X2dXZ0QvQnZyYlRLNzVHOm5jV1ZhaVAxbl5RKUUtYWZKcmNFbF5PKlNpUlNCaldnbylKUllET3E0SEhxK21SVU9FSXlUQkhMPXNPZEZITEQ+XlFOdW9bQElz
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715447336.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715447336.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715447336.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715447336.txt bios get version
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715447336.txt bios get version
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
448KB

MD5
5c3be8ac6e397f035bff57b6c4120623

SHA1
105570b9c938a281086bfda0beaefcc92c55bd29

SHA256
fae9cefea6df73415073b9bfd3582dfbf27d78a215f1493ea57e55af887d5ad2

SHA512
68c7ac0093b05e5cffe21af1f812c3693bb65c7b73d55f5a8ec64122c821c19a60db69704499fb33e1098beb17bac6b0bc66b5df01c9d1cffff6ee75986f9d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715447336.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD6A.tmp\kaxgcem.dll

Filesize
153KB

MD5
64ffd6dbd03f55408fbc6640317368f0

SHA1
227d86d47d53d5f62a2227e6d2b282519d38005d

SHA256
b8d9b2c53ea62560b03c2ef9f139370380b4c931d1fc02172bc7e1a98e41ffc3

SHA512
ba03c31e00ec24a7bd4e59088feaee3eb389b459cbd041613222f95d9ea1689920127d390d81c2e0000ccf72f67a2043cf81dd324cab3c887003aa93783501c8

Download Submit
\Users\Admin\AppData\Local\Temp\1431820951.exe

Filesize
788KB

MD5
ad1b752c05bd56b0b40a7eb1e0cc877f

SHA1
cac56d3f0e2cb6db3052f0b5eb23d62dc7f8439d

SHA256
69a512cbf83a97951ee3576d83b71442fea4e74d18c4968c1141234b1b3ffb97

SHA512
124f2e6ea3f129e4a88be4fcbf90d3b305cfc19b815558024f4e71101dbebe98b0a43fa11a35db8fb4159007527a1596018ee0c7c67846c1a244cb976505240e

Download Submit
\Users\Admin\AppData\Local\Temp\nstD6A.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit