a0323863e9d03e122628807b8345fb445787a88b4d333058c573349f2d8b918a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41448ceaa00d1a49a6d100f8652ad19b_JaffaCakes118.exe
Size

339KB
MD5

41448ceaa00d1a49a6d100f8652ad19b
SHA1

8956bd0de96414c931db917a8afe4d401588662c
SHA256

a0323863e9d03e122628807b8345fb445787a88b4d333058c573349f2d8b918a
SHA512

1556b45fa484f87046f692f9a3e10daa514f56a97074d2dc1769218a615a485ab35025ee763a888401ef5363fa5b2253aa0858544ac083daf68f43033783e897
SSDEEP

6144:uFJ0tXFlH8nYZCRCFVKtP6c/TFY1ltb4uyy7NBP:3VlHf5LWH2n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	beeifhfddh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	2176	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4500	wmic.exe
Token: SeSecurityPrivilege	4500	wmic.exe
Token: SeTakeOwnershipPrivilege	4500	wmic.exe
Token: SeLoadDriverPrivilege	4500	wmic.exe
Token: SeSystemProfilePrivilege	4500	wmic.exe
Token: SeSystemtimePrivilege	4500	wmic.exe
Token: SeProfSingleProcessPrivilege	4500	wmic.exe
Token: SeIncBasePriorityPrivilege	4500	wmic.exe
Token: SeCreatePagefilePrivilege	4500	wmic.exe
Token: SeBackupPrivilege	4500	wmic.exe
Token: SeRestorePrivilege	4500	wmic.exe
Token: SeShutdownPrivilege	4500	wmic.exe
Token: SeDebugPrivilege	4500	wmic.exe
Token: SeSystemEnvironmentPrivilege	4500	wmic.exe
Token: SeRemoteShutdownPrivilege	4500	wmic.exe
Token: SeUndockPrivilege	4500	wmic.exe
Token: SeManageVolumePrivilege	4500	wmic.exe
Token: 33	4500	wmic.exe
Token: 34	4500	wmic.exe
Token: 35	4500	wmic.exe
Token: 36	4500	wmic.exe
Token: SeIncreaseQuotaPrivilege	4500	wmic.exe
Token: SeSecurityPrivilege	4500	wmic.exe
Token: SeTakeOwnershipPrivilege	4500	wmic.exe
Token: SeLoadDriverPrivilege	4500	wmic.exe
Token: SeSystemProfilePrivilege	4500	wmic.exe
Token: SeSystemtimePrivilege	4500	wmic.exe
Token: SeProfSingleProcessPrivilege	4500	wmic.exe
Token: SeIncBasePriorityPrivilege	4500	wmic.exe
Token: SeCreatePagefilePrivilege	4500	wmic.exe
Token: SeBackupPrivilege	4500	wmic.exe
Token: SeRestorePrivilege	4500	wmic.exe
Token: SeShutdownPrivilege	4500	wmic.exe
Token: SeDebugPrivilege	4500	wmic.exe
Token: SeSystemEnvironmentPrivilege	4500	wmic.exe
Token: SeRemoteShutdownPrivilege	4500	wmic.exe
Token: SeUndockPrivilege	4500	wmic.exe
Token: SeManageVolumePrivilege	4500	wmic.exe
Token: 33	4500	wmic.exe
Token: 34	4500	wmic.exe
Token: 35	4500	wmic.exe
Token: 36	4500	wmic.exe
Token: SeIncreaseQuotaPrivilege	4636	wmic.exe
Token: SeSecurityPrivilege	4636	wmic.exe
Token: SeTakeOwnershipPrivilege	4636	wmic.exe
Token: SeLoadDriverPrivilege	4636	wmic.exe
Token: SeSystemProfilePrivilege	4636	wmic.exe
Token: SeSystemtimePrivilege	4636	wmic.exe
Token: SeProfSingleProcessPrivilege	4636	wmic.exe
Token: SeIncBasePriorityPrivilege	4636	wmic.exe
Token: SeCreatePagefilePrivilege	4636	wmic.exe
Token: SeBackupPrivilege	4636	wmic.exe
Token: SeRestorePrivilege	4636	wmic.exe
Token: SeShutdownPrivilege	4636	wmic.exe
Token: SeDebugPrivilege	4636	wmic.exe
Token: SeSystemEnvironmentPrivilege	4636	wmic.exe
Token: SeRemoteShutdownPrivilege	4636	wmic.exe
Token: SeUndockPrivilege	4636	wmic.exe
Token: SeManageVolumePrivilege	4636	wmic.exe
Token: 33	4636	wmic.exe
Token: 34	4636	wmic.exe
Token: 35	4636	wmic.exe
Token: 36	4636	wmic.exe
Token: SeIncreaseQuotaPrivilege	4636	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2176	840	41448ceaa00d1a49a6d100f8652ad19b_JaffaCakes118.exe	81
PID 840 wrote to memory of 2176	840	41448ceaa00d1a49a6d100f8652ad19b_JaffaCakes118.exe	81
PID 840 wrote to memory of 2176	840	41448ceaa00d1a49a6d100f8652ad19b_JaffaCakes118.exe	81
PID 2176 wrote to memory of 4500	2176	beeifhfddh.exe	82
PID 2176 wrote to memory of 4500	2176	beeifhfddh.exe	82
PID 2176 wrote to memory of 4500	2176	beeifhfddh.exe	82
PID 2176 wrote to memory of 4636	2176	beeifhfddh.exe	86
PID 2176 wrote to memory of 4636	2176	beeifhfddh.exe	86
PID 2176 wrote to memory of 4636	2176	beeifhfddh.exe	86
PID 2176 wrote to memory of 2732	2176	beeifhfddh.exe	89
PID 2176 wrote to memory of 2732	2176	beeifhfddh.exe	89
PID 2176 wrote to memory of 2732	2176	beeifhfddh.exe	89
PID 2176 wrote to memory of 1148	2176	beeifhfddh.exe	92
PID 2176 wrote to memory of 1148	2176	beeifhfddh.exe	92
PID 2176 wrote to memory of 1148	2176	beeifhfddh.exe	92
PID 2176 wrote to memory of 2036	2176	beeifhfddh.exe	94
PID 2176 wrote to memory of 2036	2176	beeifhfddh.exe	94
PID 2176 wrote to memory of 2036	2176	beeifhfddh.exe	94

C:\Users\Admin\AppData\Local\Temp\41448ceaa00d1a49a6d100f8652ad19b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41448ceaa00d1a49a6d100f8652ad19b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\beeifhfddh.exe
  C:\Users\Admin\AppData\Local\Temp\beeifhfddh.exe 0)1)8)1)2)9)0)3)5)3)7 L09BQzspMzAtNBkvUk1BTkBEOisdKE5ETFZNSUtGPzoqIC48SFFLSUE4LzI3NSgfLTpJQTgtGS9PSk5CTENRWkY9PTExLy4nICxOQktWREpeU0lMOmNxbXA5Jy5xaXYrP0JMSyxMTk4kQU1LK0JORUcfLTpMRj5IQkQ8aUNUSlpPMmg+dXklaFZBNkRPdTJiWVw3bTlEMUFzLEhQWkRKQGZfLEJBcTZdTGhWRnFKYms3UHA3dWVLKitTOlNWLVcyKTBJWmlcYXVaYk8pZWNVNSZadV5FSzp0QWhXLW9sXlFnREJELm9OZTFpRnRMeEtAHShEMDUsLxcvQS06JjEfJ0MxNC0uGyw9NDwlMB4mRDI4KiogLkhRTTtVQE9cSVJITkBBUD0dKk1LT0NNQlJWRVJHPjYgLkhRTTtVQE9cR0FMPTxHO00dKkJRRV5NUUo0JHhQT0V9HydEVjxfQEhBRUlNPTweJkhMTlFYQlFHVlE8UjowHShURzlNSVBPUlpSS0w8YHNyZzosKl5cbGhbaixYZGVqYCoubV1zLWt1THI1RTZCQ3h4ZlVNUlAvaG5mOGs2dHE4Lx92YGowOx12Xm0vNiZ1WXExNDIwLy8yJk87U1Y0Jmo4Rj1NHydVSzQyHSpBTDE8KjIyKTkdKk9OTlNBTENWV0JHQEhNREFMPz5FUk1JNiAuQVJdSVVLT0ZGRTxscXNcICxNQk1VUUZITD5fUk5CS19DOVhRNDIdKkVCRERQPC8XL0ZOXD1ZTTlMRzpfQklAS1lPTERCNGZeZ3BeIC48TlVFTEw8QVhJTzUxLi8uLiwtJzkyJjAwKSAsSz5LQUtEREpWSUtOUTpMSzVzcGxlHSpRQk1ENTAyKzgyMzApOTcYLkJGV0tHTDpEXkxISzw9LiwsKzcuKi8vLCouLTcqMTkrNyg4TQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715684766.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715684766.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715684766.txt bios get version
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715684766.txt bios get version
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715684766.txt bios get version
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 852
    3⤵
    - Program crash
    PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2176 -ip 2176
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81715684766.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715684766.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715684766.txt

Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\beeifhfddh.exe

Filesize
538KB

MD5
daab8fd0790a41da70e38682205f5c2f

SHA1
3f24400bc7b1c4c7046b428987e2117f8a915da8

SHA256
35f19d864ade6ddcb778134e77601e7b048a300e3ee21518e5266566b1073ccf

SHA512
223d62b65a84ed9903a92c09a4aaf5fdf1fb9c8af2fcc77737200f9a2ac8520dd8f11ea6bf19b0a7e3c5f5b7d74b85ea9c0a40cd110e751cfe54e0522e387e95

Download Submit