Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22/05/2024, 03:45
Static task
static1
Behavioral task
behavioral1
Sample
65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ZipDLL.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/ffumgqx.dll
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/ffumgqx.dll
Resource
win10v2004-20240426-en
General
-
Target
65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe
-
Size
720KB
-
MD5
65e52dca58cfd731f7956d6be27fe05b
-
SHA1
b1737bf2456d9b9bf8c66eb845ff6c5949731c87
-
SHA256
211b7b4180b5cecae6b56da91d98b9041d89500f8e1456c943c53add36772749
-
SHA512
5c95994227b199ae14ba0d8477bd0ac28ea6b660a348f9edc6afc9ef3d1e593e1f0d84448077386447e5f02db6fe55d9d86b70d33eb8b7e4a2d5319443ef83ef
-
SSDEEP
12288:72Ld3OqCOnrAd7F3ZzrtbOmAmIwa59gnaeqlqMkl8eqEE+Wfc8vy4hf:6Ld3OBWrmx3ZzOOa56k3kiejD86U
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4048 bedhjggbdh.exe -
Loads dropped DLL 2 IoCs
pid Process 1764 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 1764 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4508 4048 WerFault.exe 85 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3180 wmic.exe Token: SeSecurityPrivilege 3180 wmic.exe Token: SeTakeOwnershipPrivilege 3180 wmic.exe Token: SeLoadDriverPrivilege 3180 wmic.exe Token: SeSystemProfilePrivilege 3180 wmic.exe Token: SeSystemtimePrivilege 3180 wmic.exe Token: SeProfSingleProcessPrivilege 3180 wmic.exe Token: SeIncBasePriorityPrivilege 3180 wmic.exe Token: SeCreatePagefilePrivilege 3180 wmic.exe Token: SeBackupPrivilege 3180 wmic.exe Token: SeRestorePrivilege 3180 wmic.exe Token: SeShutdownPrivilege 3180 wmic.exe Token: SeDebugPrivilege 3180 wmic.exe Token: SeSystemEnvironmentPrivilege 3180 wmic.exe Token: SeRemoteShutdownPrivilege 3180 wmic.exe Token: SeUndockPrivilege 3180 wmic.exe Token: SeManageVolumePrivilege 3180 wmic.exe Token: 33 3180 wmic.exe Token: 34 3180 wmic.exe Token: 35 3180 wmic.exe Token: 36 3180 wmic.exe Token: SeIncreaseQuotaPrivilege 3180 wmic.exe Token: SeSecurityPrivilege 3180 wmic.exe Token: SeTakeOwnershipPrivilege 3180 wmic.exe Token: SeLoadDriverPrivilege 3180 wmic.exe Token: SeSystemProfilePrivilege 3180 wmic.exe Token: SeSystemtimePrivilege 3180 wmic.exe Token: SeProfSingleProcessPrivilege 3180 wmic.exe Token: SeIncBasePriorityPrivilege 3180 wmic.exe Token: SeCreatePagefilePrivilege 3180 wmic.exe Token: SeBackupPrivilege 3180 wmic.exe Token: SeRestorePrivilege 3180 wmic.exe Token: SeShutdownPrivilege 3180 wmic.exe Token: SeDebugPrivilege 3180 wmic.exe Token: SeSystemEnvironmentPrivilege 3180 wmic.exe Token: SeRemoteShutdownPrivilege 3180 wmic.exe Token: SeUndockPrivilege 3180 wmic.exe Token: SeManageVolumePrivilege 3180 wmic.exe Token: 33 3180 wmic.exe Token: 34 3180 wmic.exe Token: 35 3180 wmic.exe Token: 36 3180 wmic.exe Token: SeIncreaseQuotaPrivilege 4860 wmic.exe Token: SeSecurityPrivilege 4860 wmic.exe Token: SeTakeOwnershipPrivilege 4860 wmic.exe Token: SeLoadDriverPrivilege 4860 wmic.exe Token: SeSystemProfilePrivilege 4860 wmic.exe Token: SeSystemtimePrivilege 4860 wmic.exe Token: SeProfSingleProcessPrivilege 4860 wmic.exe Token: SeIncBasePriorityPrivilege 4860 wmic.exe Token: SeCreatePagefilePrivilege 4860 wmic.exe Token: SeBackupPrivilege 4860 wmic.exe Token: SeRestorePrivilege 4860 wmic.exe Token: SeShutdownPrivilege 4860 wmic.exe Token: SeDebugPrivilege 4860 wmic.exe Token: SeSystemEnvironmentPrivilege 4860 wmic.exe Token: SeRemoteShutdownPrivilege 4860 wmic.exe Token: SeUndockPrivilege 4860 wmic.exe Token: SeManageVolumePrivilege 4860 wmic.exe Token: 33 4860 wmic.exe Token: 34 4860 wmic.exe Token: 35 4860 wmic.exe Token: 36 4860 wmic.exe Token: SeIncreaseQuotaPrivilege 4860 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1764 wrote to memory of 4048 1764 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 85 PID 1764 wrote to memory of 4048 1764 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 85 PID 1764 wrote to memory of 4048 1764 65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe 85 PID 4048 wrote to memory of 3180 4048 bedhjggbdh.exe 86 PID 4048 wrote to memory of 3180 4048 bedhjggbdh.exe 86 PID 4048 wrote to memory of 3180 4048 bedhjggbdh.exe 86 PID 4048 wrote to memory of 4860 4048 bedhjggbdh.exe 92 PID 4048 wrote to memory of 4860 4048 bedhjggbdh.exe 92 PID 4048 wrote to memory of 4860 4048 bedhjggbdh.exe 92 PID 4048 wrote to memory of 4148 4048 bedhjggbdh.exe 94 PID 4048 wrote to memory of 4148 4048 bedhjggbdh.exe 94 PID 4048 wrote to memory of 4148 4048 bedhjggbdh.exe 94 PID 4048 wrote to memory of 4836 4048 bedhjggbdh.exe 96 PID 4048 wrote to memory of 4836 4048 bedhjggbdh.exe 96 PID 4048 wrote to memory of 4836 4048 bedhjggbdh.exe 96 PID 4048 wrote to memory of 4928 4048 bedhjggbdh.exe 98 PID 4048 wrote to memory of 4928 4048 bedhjggbdh.exe 98 PID 4048 wrote to memory of 4928 4048 bedhjggbdh.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\65e52dca58cfd731f7956d6be27fe05b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\bedhjggbdh.exeC:\Users\Admin\AppData\Local\Temp\bedhjggbdh.exe 3,9,8,9,3,8,6,1,8,6,2 LEdBOzorKjEqGi1QTDpHRjw3LxgpTEJLT0ZPQ0NDNSoeLDtBSlFBPjwqMTA0KxgmQEE+PCgaLU1JRztSO05eQT47Ly0sLzQYKVI9TFRCSVdMT0Q3Z2xubjcmJ2pvbihDPU1JKktHRyo5Sk8mQ0xDRhgmQERDQkNDQjpuP0pAPSo0PD1KUz5NP1JEQTUsTjRHP0cXLDwrPG5panJsZRcsPCw8JSseLDsrNCopGi48LjsqKBgmQS03LCkaLU1JRztSO05eSExHUzg7UDoYKU9KSUJSOkxWQk1GQDUaLU1JRztSO05eRjtLQjQYJkJQP15NTEo6Fyc8VT1ZQkU+SkZFPTQdJ0JOS05dP0lHTlA9TDwoGi1RPzlFSFFJVFdPUEk0GCZTRTcxGClCUCg1FyxKT01MQ0tCVk88STtJTD1DSz4+PUxPRDcfJ0NRXElNRVFBR0Q1bnByXBgmTz1OVEpIR0s+V0xQPUxePDtXUDQqFyxAQ0M9UjsuFydAUFc+WEY7S0Y6VzxLO0xYSE5DQTReWGlrXx8nPk1URURGPjxZSEg3Ly0uJig0MCgwMS8sLjAtFyxIO1E5RkpCQ1dAS0tOQERGO3FpbVwdJ05IRT87LisrLjYvMTUvKx4sO0dOS0RJQDxZUkZEPTQ0Jyw2JywuLiwiLTcpLjkrKyg+RA==2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349539.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349539.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349539.txt bios get version3⤵PID:4148
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349539.txt bios get version3⤵PID:4836
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81716349539.txt bios get version3⤵PID:4928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 6603⤵
- Program crash
PID:4508
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4048 -ip 40481⤵PID:2924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
58B
MD5f8e2f71e123c5a848f2a83d2a7aef11e
SHA15e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA25679dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA5128d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e
-
Filesize
917KB
MD5e3dd5116016dd874802f8ce00b4f853e
SHA16a0f3c525c6b840540d83a74f282bb1fc367abfa
SHA2565917e2430171b9d3182980fb245e50ae2165e537d4e14b763cfb8e9e87af88f7
SHA512f8175f59390599bd53c055d4c6b349f27eaa7b8eabb57b84ecdab5c5095eadc66e751192bdba976e1bff8e18a07a033907da524037beed5d414ba913003a54b2
-
Filesize
163KB
MD52dc35ddcabcb2b24919b9afae4ec3091
SHA19eeed33c3abc656353a7ebd1c66af38cccadd939
SHA2566bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
SHA5120ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901
-
Filesize
126KB
MD5691ca53c333f7121772a578c5ef52e03
SHA17b23651f694baf236804c4e53ed207bd61d73dea
SHA25667f8f5af2fd66ef7ec1dceace9b8f0fa4894dd4a2f19df181c93806700768be1
SHA5120b37221534648a9e9d0ba4b6aef978e99661fad140a79e0968330828ca5c671474aa0f25a5c7a1cad6136fdc36f2c2a8dd84a5d0b720eb971b0312dce95f91d7