5f9f4050dd7412a9facc183beb3ea7eb40dd10e93d0d4f6b948b52b13bad9820

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6235af97856baeee6043dcba428ed314_JaffaCakes118.exe
Size

489KB
MD5

6235af97856baeee6043dcba428ed314
SHA1

afa5ce5956a27a8a3c8ed7366efed9b9be900923
SHA256

5f9f4050dd7412a9facc183beb3ea7eb40dd10e93d0d4f6b948b52b13bad9820
SHA512

1f8542208d44d91bd614ffce3e9b420a1ba062c425264c28cd39cb90b6dfbcc7f0ee14d47ebd0e13dacfcbd000ab9df44ac0bbb2e5a8c411c3a9f59c12e68fe6
SSDEEP

12288:RMQfhJ7kNO9EoUOPKD3ypHaWIjsDEDsj:R5J7kY9EoUpDipjED

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	befadegfdg_P.exe

Loads dropped DLL 2 IoCs

pid	Process
2740	6235af97856baeee6043dcba428ed314_JaffaCakes118.exe
2740	6235af97856baeee6043dcba428ed314_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe
Token: SeIncreaseQuotaPrivilege	2580	wmic.exe
Token: SeSecurityPrivilege	2580	wmic.exe
Token: SeTakeOwnershipPrivilege	2580	wmic.exe
Token: SeLoadDriverPrivilege	2580	wmic.exe
Token: SeSystemProfilePrivilege	2580	wmic.exe
Token: SeSystemtimePrivilege	2580	wmic.exe
Token: SeProfSingleProcessPrivilege	2580	wmic.exe
Token: SeIncBasePriorityPrivilege	2580	wmic.exe
Token: SeCreatePagefilePrivilege	2580	wmic.exe
Token: SeBackupPrivilege	2580	wmic.exe
Token: SeRestorePrivilege	2580	wmic.exe
Token: SeShutdownPrivilege	2580	wmic.exe
Token: SeDebugPrivilege	2580	wmic.exe
Token: SeSystemEnvironmentPrivilege	2580	wmic.exe
Token: SeRemoteShutdownPrivilege	2580	wmic.exe
Token: SeUndockPrivilege	2580	wmic.exe
Token: SeManageVolumePrivilege	2580	wmic.exe
Token: 33	2580	wmic.exe
Token: 34	2580	wmic.exe
Token: 35	2580	wmic.exe
Token: SeIncreaseQuotaPrivilege	2612	wmic.exe
Token: SeSecurityPrivilege	2612	wmic.exe
Token: SeTakeOwnershipPrivilege	2612	wmic.exe
Token: SeLoadDriverPrivilege	2612	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2384	2740	6235af97856baeee6043dcba428ed314_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2384	2740	6235af97856baeee6043dcba428ed314_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2384	2740	6235af97856baeee6043dcba428ed314_JaffaCakes118.exe	28
PID 2740 wrote to memory of 2384	2740	6235af97856baeee6043dcba428ed314_JaffaCakes118.exe	28
PID 2384 wrote to memory of 2736	2384	befadegfdg_P.exe	29
PID 2384 wrote to memory of 2736	2384	befadegfdg_P.exe	29
PID 2384 wrote to memory of 2736	2384	befadegfdg_P.exe	29
PID 2384 wrote to memory of 2736	2384	befadegfdg_P.exe	29
PID 2384 wrote to memory of 2580	2384	befadegfdg_P.exe	32
PID 2384 wrote to memory of 2580	2384	befadegfdg_P.exe	32
PID 2384 wrote to memory of 2580	2384	befadegfdg_P.exe	32
PID 2384 wrote to memory of 2580	2384	befadegfdg_P.exe	32
PID 2384 wrote to memory of 2612	2384	befadegfdg_P.exe	34
PID 2384 wrote to memory of 2612	2384	befadegfdg_P.exe	34
PID 2384 wrote to memory of 2612	2384	befadegfdg_P.exe	34
PID 2384 wrote to memory of 2612	2384	befadegfdg_P.exe	34
PID 2384 wrote to memory of 2472	2384	befadegfdg_P.exe	36
PID 2384 wrote to memory of 2472	2384	befadegfdg_P.exe	36
PID 2384 wrote to memory of 2472	2384	befadegfdg_P.exe	36
PID 2384 wrote to memory of 2472	2384	befadegfdg_P.exe	36
PID 2384 wrote to memory of 2504	2384	befadegfdg_P.exe	38
PID 2384 wrote to memory of 2504	2384	befadegfdg_P.exe	38
PID 2384 wrote to memory of 2504	2384	befadegfdg_P.exe	38
PID 2384 wrote to memory of 2504	2384	befadegfdg_P.exe	38

C:\Users\Admin\AppData\Local\Temp\6235af97856baeee6043dcba428ed314_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6235af97856baeee6043dcba428ed314_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe
  C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe 3|8|6|6|1|5|7|7|7|0|7 LEhDPjwsMjEtMhksS088T0Q9NikgKEs9TlFOTURCPT0qHSc+Q1JPQj02MjIzKSoaLj5CPTYwGSxITElDUDxNWEk9OioyMjUwGShMRUtTPUxZVE1FNmF0bW0yKSlybW8nPUVMSCVOSU8oOklJLkJLPkkaLj5FQjxLQkE1GilDLDYmKiAoQSo3JzAbKD0sPSYuGCk+MzgmKhkvPTI1JysfKklLSEROQExZSlFETzo8WTYdJ0pMTj9OPE1fPlJEOzcfKklLSEROQExZSEBIPjZpcl5zXWhuJC0pa15zbWxqXx8xKy0nKjEeLygfLC8gKylcclpgYxopRFM+WE5SRTpaX21zL2lcJ2NoaidtX3NwaSdeeF4dJz9SRFo8Rj1MQks9NxouQ0hMTV87T0dRTURNNi4ZL01FOUhFWEpOWE5SRToYKVBMOCsZKERMLjUaKVFQR01CTT5cTz9GQkpGPkJNOkQ9T0xLOBkoQlNYT01ITkhIPjZtcm5iGClMRE9OS0dJR0RXT01ETVg9OllMOioaKUdEPT5RPSodJ0NNXj9SRzpNQkBXP0hCTVJJTUU9Ol5bZnJgGSg9T1BLREk7Q1pCSTYyKTUmKysvKTIsJzErLxgpSkBNOkVFRUVcQUhNUzxFRTZ0a3JdGilTREY+NjEtMigvKzErKSoZLz1MT0hGTjw9WE1JRkI1KywuLDIoKzAqMiIyNC8rMykqKjpK
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716277083.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716277083.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716277083.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716277083.txt bios get version
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716277083.txt bios get version
    3⤵
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716277083.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe

Filesize
674KB

MD5
93c3c1d0d5299bb9cefe9e9181a17070

SHA1
77a89de10714fd3862276d65ca4cb440628d81a4

SHA256
fbe70131b58335fc221283fe76ee5ebeef38c677ab97a7a775ec1a8beb32aaa7

SHA512
9e2871266f95a6f96fd92db2f37141f4a39b095922e1a6f482a73fbaaeb653464f4ff0e445ef3aec95e9b1f2437245ff68fd7bc1c5e5341c572b24a1e4ab0ce3

Download Submit
memory/2384-8-0x0000000076C21000-0x0000000076C22000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x0000000076C10000-0x0000000076D20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-16-0x0000000000420000-0x00000000004C3000-memory.dmp

Filesize
652KB

Download
memory/2384-18-0x0000000076C10000-0x0000000076D20000-memory.dmp

Filesize
1.1MB

Download