2007061916a14fa35310aacae0c6e310a6e14278cc8d12f108d3b7c0b865b320

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe
Size

695KB
MD5

4696e8db4f8af37a9033006e7e84a84c
SHA1

3d7723956971b567e6565b214c3b33e5fe6fbf2b
SHA256

2007061916a14fa35310aacae0c6e310a6e14278cc8d12f108d3b7c0b865b320
SHA512

cfdd22d988fb2db2808a1c596c1bdc5a224046081e50efa69e4ab97958dbad7ad631b5c1e1d965cd6476d5594d3e30c4a1bb6d92b7ee32af86f67bcd1ca81280
SSDEEP

12288:FlMm/+sdtPptchjZdqdMHsT8PtnNpF0d1lPOB/ajKrtpnHVwb1DAI3nFo:FlMm/+0txt/dML9J0i/ajQ1I1cI1o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	1432288882.exe

Loads dropped DLL 11 IoCs

pid	Process
2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe
2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe
2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe
2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2516	2112	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2956	wmic.exe
Token: SeSecurityPrivilege	2956	wmic.exe
Token: SeTakeOwnershipPrivilege	2956	wmic.exe
Token: SeLoadDriverPrivilege	2956	wmic.exe
Token: SeSystemProfilePrivilege	2956	wmic.exe
Token: SeSystemtimePrivilege	2956	wmic.exe
Token: SeProfSingleProcessPrivilege	2956	wmic.exe
Token: SeIncBasePriorityPrivilege	2956	wmic.exe
Token: SeCreatePagefilePrivilege	2956	wmic.exe
Token: SeBackupPrivilege	2956	wmic.exe
Token: SeRestorePrivilege	2956	wmic.exe
Token: SeShutdownPrivilege	2956	wmic.exe
Token: SeDebugPrivilege	2956	wmic.exe
Token: SeSystemEnvironmentPrivilege	2956	wmic.exe
Token: SeRemoteShutdownPrivilege	2956	wmic.exe
Token: SeUndockPrivilege	2956	wmic.exe
Token: SeManageVolumePrivilege	2956	wmic.exe
Token: 33	2956	wmic.exe
Token: 34	2956	wmic.exe
Token: 35	2956	wmic.exe
Token: SeIncreaseQuotaPrivilege	2956	wmic.exe
Token: SeSecurityPrivilege	2956	wmic.exe
Token: SeTakeOwnershipPrivilege	2956	wmic.exe
Token: SeLoadDriverPrivilege	2956	wmic.exe
Token: SeSystemProfilePrivilege	2956	wmic.exe
Token: SeSystemtimePrivilege	2956	wmic.exe
Token: SeProfSingleProcessPrivilege	2956	wmic.exe
Token: SeIncBasePriorityPrivilege	2956	wmic.exe
Token: SeCreatePagefilePrivilege	2956	wmic.exe
Token: SeBackupPrivilege	2956	wmic.exe
Token: SeRestorePrivilege	2956	wmic.exe
Token: SeShutdownPrivilege	2956	wmic.exe
Token: SeDebugPrivilege	2956	wmic.exe
Token: SeSystemEnvironmentPrivilege	2956	wmic.exe
Token: SeRemoteShutdownPrivilege	2956	wmic.exe
Token: SeUndockPrivilege	2956	wmic.exe
Token: SeManageVolumePrivilege	2956	wmic.exe
Token: 33	2956	wmic.exe
Token: 34	2956	wmic.exe
Token: 35	2956	wmic.exe
Token: SeIncreaseQuotaPrivilege	2752	wmic.exe
Token: SeSecurityPrivilege	2752	wmic.exe
Token: SeTakeOwnershipPrivilege	2752	wmic.exe
Token: SeLoadDriverPrivilege	2752	wmic.exe
Token: SeSystemProfilePrivilege	2752	wmic.exe
Token: SeSystemtimePrivilege	2752	wmic.exe
Token: SeProfSingleProcessPrivilege	2752	wmic.exe
Token: SeIncBasePriorityPrivilege	2752	wmic.exe
Token: SeCreatePagefilePrivilege	2752	wmic.exe
Token: SeBackupPrivilege	2752	wmic.exe
Token: SeRestorePrivilege	2752	wmic.exe
Token: SeShutdownPrivilege	2752	wmic.exe
Token: SeDebugPrivilege	2752	wmic.exe
Token: SeSystemEnvironmentPrivilege	2752	wmic.exe
Token: SeRemoteShutdownPrivilege	2752	wmic.exe
Token: SeUndockPrivilege	2752	wmic.exe
Token: SeManageVolumePrivilege	2752	wmic.exe
Token: 33	2752	wmic.exe
Token: 34	2752	wmic.exe
Token: 35	2752	wmic.exe
Token: SeIncreaseQuotaPrivilege	2652	wmic.exe
Token: SeSecurityPrivilege	2652	wmic.exe
Token: SeTakeOwnershipPrivilege	2652	wmic.exe
Token: SeLoadDriverPrivilege	2652	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2112	2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2112	2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2112	2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2112	2068	4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe	28
PID 2112 wrote to memory of 2956	2112	1432288882.exe	29
PID 2112 wrote to memory of 2956	2112	1432288882.exe	29
PID 2112 wrote to memory of 2956	2112	1432288882.exe	29
PID 2112 wrote to memory of 2956	2112	1432288882.exe	29
PID 2112 wrote to memory of 2752	2112	1432288882.exe	32
PID 2112 wrote to memory of 2752	2112	1432288882.exe	32
PID 2112 wrote to memory of 2752	2112	1432288882.exe	32
PID 2112 wrote to memory of 2752	2112	1432288882.exe	32
PID 2112 wrote to memory of 2652	2112	1432288882.exe	34
PID 2112 wrote to memory of 2652	2112	1432288882.exe	34
PID 2112 wrote to memory of 2652	2112	1432288882.exe	34
PID 2112 wrote to memory of 2652	2112	1432288882.exe	34
PID 2112 wrote to memory of 2756	2112	1432288882.exe	36
PID 2112 wrote to memory of 2756	2112	1432288882.exe	36
PID 2112 wrote to memory of 2756	2112	1432288882.exe	36
PID 2112 wrote to memory of 2756	2112	1432288882.exe	36
PID 2112 wrote to memory of 1956	2112	1432288882.exe	38
PID 2112 wrote to memory of 1956	2112	1432288882.exe	38
PID 2112 wrote to memory of 1956	2112	1432288882.exe	38
PID 2112 wrote to memory of 1956	2112	1432288882.exe	38
PID 2112 wrote to memory of 2516	2112	1432288882.exe	40
PID 2112 wrote to memory of 2516	2112	1432288882.exe	40
PID 2112 wrote to memory of 2516	2112	1432288882.exe	40
PID 2112 wrote to memory of 2516	2112	1432288882.exe	40

C:\Users\Admin\AppData\Local\Temp\4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4696e8db4f8af37a9033006e7e84a84c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\1432288882.exe
  C:\Users\Admin\AppData\Local\Temp\1432288882.exe 3/7/0/4/7/1/9/6/3/0/9 LElJQDY1KjIdL0pSO1BFPTwnGixOPFFQT05ESDs3LiAmQUJTUEJDNC8xNBcsPElANi8XKU1SRkFOQ1BYSDs3MTYoHShTQUtVPExcVUlJNmhwbW8xKSxzaXMnREFMSiROTFAkPklQKkJNPUkdLzpJQkNHQkM0GixEKDotMi0qNSkrHS87LzYxMSk0FylBMzQqKiArPTM0Jy4gJkEuPSkqHyZKT087UjxUW0lRQFA+Q1A6GS9MS047T0BUVkJOTD02HyZKT087UjxUW0dARD86QzppXmFqXnEcLC01JS0sJS4pYWxjaWQcLyk1LSs3HCwtYmxwYm4cKERPP1xVSUk2ICs+VzxZQE07SUJOQTYfJkJMU0tcO1JLUFI8TDowFyxNSD1HSlBJUl9MT0U9HChVRDcvICZBTDE5GS5JT0tUQEo+X1M+SzpJSkVASjpHQU5RQzcdL0BQWFJRR1NAR0I9a29uZRwoUTxOUlJFRkdHW05SPExcRDhWTD0uGS4/Q0FFTzoqICtCUlY+Vk44SkJDWz5NOkxWUEtCPT1iWmtqXx0vO0xQTkhIQDtZRlA0NS0uLTA2JSwyLigzMiArTUhEPzoxKzArMjUuMCstHS87TFBOSEhAO1lRSURCNjUrKzEmLC0xLCcqMTYtNDEuMCo4ShkvUTo8RGl3aWNpWiUuXzMlKigoWmxmcF1taFlmYiUqXyRNT0JEIjArMBwwWytTYm1baXRzIktNKzEnMBwtXytKUyolL1sqJUhCVCJARVInKy0nKDIwLi8wKRwoVElGOmhrcWklL1okKWAiMl1kXnQtJy8oKy5kXHBiZ2onaGVgbCUpY0t1ak1oZF9Bb25rZW9dXUxYaF5nXG9YZGFpa2ZzIjJdLi0zLis4LCsyMBwvX2RrcG1jaV5kZF5nYWNecRwsYzErMCsyNS4wLCoiM101LzMsMTgvMzA0LlUqOXRGUzgsXkRId0V6QV5XYWkuTDpwXll2aHZDc2hnWHcpcERQZ2dcREJsVCs1blJWTV1LV2dmXGwxZmM+VHRIY3BpTkA+dEJjaHdDdz5lU3JuJ0ZnRWdJTEJkXlZRU1dXOWRabGxlV3FqQU8pS11XQ21nWHItc0RnQm9IPFhlR0BFaUlMd3BSbChhV0ZqZkVpMGpKYUN1S2A1XUtQQnRCUG12WkRlbURQRVhcRG8pSEo=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715783185.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715783185.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715783185.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715783185.txt bios get version
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715783185.txt bios get version
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81715783185.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1432288882.exe

Filesize
1021KB

MD5
aa7a7e38f647e706f5b52a5c48d92b3d

SHA1
fdf831f61f24b3569a2e7b5a5051cd9b22d067d1

SHA256
252a2f149f27639b842ae9dd01722d6c52dd22db434cc7896c2001257dbdc499

SHA512
c60e284b78ffb018c30c4f6868c1f85d6571aa7b226f630d6d92fd1eaf5b54ee425ef1d82f79112dc9d8d74fd45ac34e20eb7d552fb98ae6e2abdf3af2c202b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy165F.tmp\loasdns.dll

Filesize
158KB

MD5
78f8ef43927ce34ee11d03bdc99c615f

SHA1
808f38fd71070ff2fbc3f365ce796a9497486d1f

SHA256
b79b5641fcb66d785a2bbd6342c75c00f5099ae20691cd063258a2848a24efe2

SHA512
9807ddfede0b8673692bb1160da5362d268e27294706af90fc7b05c48dc51a720fcb77a72ab891b4affb8baa1ad21fd452c99d2a1de1ce91c6ca5fe6aa14af6c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy165F.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit