211b7b4180b5cecae6b56da91d98b9041d89500f8e1456c943c53add36772749

General

Target

65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
Size

720KB
MD5

65e52dca58cfd731f7956d6be27fe05b
SHA1

b1737bf2456d9b9bf8c66eb845ff6c5949731c87
SHA256

211b7b4180b5cecae6b56da91d98b9041d89500f8e1456c943c53add36772749
SHA512

5c95994227b199ae14ba0d8477bd0ac28ea6b660a348f9edc6afc9ef3d1e593e1f0d84448077386447e5f02db6fe55d9d86b70d33eb8b7e4a2d5319443ef83ef
SSDEEP

12288:72Ld3OqCOnrAd7F3ZzrtbOmAmIwa59gnaeqlqMkl8eqEE+Wfc8vy4hf:6Ld3OBWrmx3ZzOOa56k3kiejD86U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bedhjggbdh.exe

pid process

2556 bedhjggbdh.exe

pid	process
2556	bedhjggbdh.exe

Loads dropped DLL 11 IoCs

Processes:

65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exeWerFault.exe

pid	process
1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

864 2556 WerFault.exe bedhjggbdh.exe

pid	pid_target	process	target process
864	2556	WerFault.exe	bedhjggbdh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	2384	wmic.exe
Token: SeSecurityPrivilege	2384	wmic.exe
Token: SeTakeOwnershipPrivilege	2384	wmic.exe
Token: SeLoadDriverPrivilege	2384	wmic.exe
Token: SeSystemProfilePrivilege	2384	wmic.exe
Token: SeSystemtimePrivilege	2384	wmic.exe
Token: SeProfSingleProcessPrivilege	2384	wmic.exe
Token: SeIncBasePriorityPrivilege	2384	wmic.exe
Token: SeCreatePagefilePrivilege	2384	wmic.exe
Token: SeBackupPrivilege	2384	wmic.exe
Token: SeRestorePrivilege	2384	wmic.exe
Token: SeShutdownPrivilege	2384	wmic.exe
Token: SeDebugPrivilege	2384	wmic.exe
Token: SeSystemEnvironmentPrivilege	2384	wmic.exe
Token: SeRemoteShutdownPrivilege	2384	wmic.exe
Token: SeUndockPrivilege	2384	wmic.exe
Token: SeManageVolumePrivilege	2384	wmic.exe
Token: 33	2384	wmic.exe
Token: 34	2384	wmic.exe
Token: 35	2384	wmic.exe
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exebedhjggbdh.exe

description	pid	process	target process
PID 1732 wrote to memory of 2556	1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe	bedhjggbdh.exe
PID 1732 wrote to memory of 2556	1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe	bedhjggbdh.exe
PID 1732 wrote to memory of 2556	1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe	bedhjggbdh.exe
PID 1732 wrote to memory of 2556	1732	65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe	bedhjggbdh.exe
PID 2556 wrote to memory of 2728	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2728	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2728	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2728	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2384	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2384	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2384	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2384	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2276	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2276	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2276	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2276	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2436	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2436	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2436	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 2436	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 3012	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 3012	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 3012	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 3012	2556	bedhjggbdh.exe	wmic.exe
PID 2556 wrote to memory of 864	2556	bedhjggbdh.exe	WerFault.exe
PID 2556 wrote to memory of 864	2556	bedhjggbdh.exe	WerFault.exe
PID 2556 wrote to memory of 864	2556	bedhjggbdh.exe	WerFault.exe
PID 2556 wrote to memory of 864	2556	bedhjggbdh.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\bedhjggbdh.exe
C:\Users\Admin\AppData\Local\Temp\bedhjggbdh.exe 3,9,8,9,3,8,6,1,8,6,2 LEdBOzorKjEqGi1QTDpHRjw3LxgpTEJLT0ZPQ0NDNSoeLDtBSlFBPjwqMTA0KxgmQEE+PCgaLU1JRztSO05eQT47Ly0sLzQYKVI9TFRCSVdMT0Q3Z2xubjcmJ2pvbihDPU1JKktHRyo5Sk8mQ0xDRhgmQERDQkNDQjpuP0pAPSo0PD1KUz5NP1JEQTUsTjRHP0cXLDwrPG5panJsZRcsPCw8JSseLDsrNCopGi48LjsqKBgmQS03LCkaLU1JRztSO05eSExHUzg7UDoYKU9KSUJSOkxWQk1GQDUaLU1JRztSO05eRjtLQjQYJkJQP15NTEo6Fyc8VT1ZQkU+SkZFPTQdJ0JOS05dP0lHTlA9TDwoGi1RPzlFSFFJVFdPUEk0GCZTRTcxGClCUCg1FyxKT01MQ0tCVk88STtJTD1DSz4+PUxPRDcfJ0NRXElNRVFBR0Q1bnByXBgmTz1OVEpIR0s+V0xQPUxePDtXUDQqFyxAQ0M9UjsuFydAUFc+WEY7S0Y6VzxLO0xYSE5DQTReWGlrXx8nPk1URURGPjxZSEg3Ly0uJig0MCgwMS8sLjAtFyxIO1E5RkpCQ1dAS0tOQERGO3FpbVwdJ05IRT87LisrLjYvMTUvKx4sO0dOS0RJQDxZUkZEPTQ0Jyw2JywuLiwiLTcpLjkrKyg+RA==
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version
3⤵
PID:2436

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716349537.txt bios get version
3⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 368
3⤵
- Loads dropped DLL
- Program crash
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716349537.txt
Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\bedhjggbdh.exe
Filesize
917KB

MD5
e3dd5116016dd874802f8ce00b4f853e

SHA1
6a0f3c525c6b840540d83a74f282bb1fc367abfa

SHA256
5917e2430171b9d3182980fb245e50ae2165e537d4e14b763cfb8e9e87af88f7

SHA512
f8175f59390599bd53c055d4c6b349f27eaa7b8eabb57b84ecdab5c5095eadc66e751192bdba976e1bff8e18a07a033907da524037beed5d414ba913003a54b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\ffumgqx.dll
Filesize
126KB

MD5
691ca53c333f7121772a578c5ef52e03

SHA1
7b23651f694baf236804c4e53ed207bd61d73dea

SHA256
67f8f5af2fd66ef7ec1dceace9b8f0fa4894dd4a2f19df181c93806700768be1

SHA512
0b37221534648a9e9d0ba4b6aef978e99661fad140a79e0968330828ca5c671474aa0f25a5c7a1cad6136fdc36f2c2a8dd84a5d0b720eb971b0312dce95f91d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads