0f60b57ad8928e643c2136fedad76c09825a00f364af732717efee7091c70d80

General

Target

6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe
Size

339KB
MD5

6844568b9d358c338d3b024380cbea4c
SHA1

6ffe5d7a8b9befdabe71c95a3fe1383c54955405
SHA256

0f60b57ad8928e643c2136fedad76c09825a00f364af732717efee7091c70d80
SHA512

c874b49ada061769141a28a2b1ae7a18b600e428e7314ac19bb654c97ff8dafed9630f887a19dfcf7c94814e3827591e473b26e098d0a2ffb2475bb0873da3d5
SSDEEP

6144:EFJ0F2M8gr2q1RQqvTx595LeNUJPI6N33Tsa+zz0/aONN6y:1Cgr91m6dKNWgu33TZ/X5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

beeibhfehg.exe

pid process

2188 beeibhfehg.exe
Loads dropped DLL 5 IoCs

Processes:

6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exeWerFault.exe

pid process

2204 6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe
1156 WerFault.exe
1156 WerFault.exe
1156 WerFault.exe
1156 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1156 2188 WerFault.exe beeibhfehg.exe

pid	process
2188	beeibhfehg.exe

pid	process
2204	6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe

pid	pid_target	process	target process
1156	2188	WerFault.exe	beeibhfehg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2160	wmic.exe
Token: SeSecurityPrivilege	2160	wmic.exe
Token: SeTakeOwnershipPrivilege	2160	wmic.exe
Token: SeLoadDriverPrivilege	2160	wmic.exe
Token: SeSystemProfilePrivilege	2160	wmic.exe
Token: SeSystemtimePrivilege	2160	wmic.exe
Token: SeProfSingleProcessPrivilege	2160	wmic.exe
Token: SeIncBasePriorityPrivilege	2160	wmic.exe
Token: SeCreatePagefilePrivilege	2160	wmic.exe
Token: SeBackupPrivilege	2160	wmic.exe
Token: SeRestorePrivilege	2160	wmic.exe
Token: SeShutdownPrivilege	2160	wmic.exe
Token: SeDebugPrivilege	2160	wmic.exe
Token: SeSystemEnvironmentPrivilege	2160	wmic.exe
Token: SeRemoteShutdownPrivilege	2160	wmic.exe
Token: SeUndockPrivilege	2160	wmic.exe
Token: SeManageVolumePrivilege	2160	wmic.exe
Token: 33	2160	wmic.exe
Token: 34	2160	wmic.exe
Token: 35	2160	wmic.exe
Token: SeIncreaseQuotaPrivilege	2160	wmic.exe
Token: SeSecurityPrivilege	2160	wmic.exe
Token: SeTakeOwnershipPrivilege	2160	wmic.exe
Token: SeLoadDriverPrivilege	2160	wmic.exe
Token: SeSystemProfilePrivilege	2160	wmic.exe
Token: SeSystemtimePrivilege	2160	wmic.exe
Token: SeProfSingleProcessPrivilege	2160	wmic.exe
Token: SeIncBasePriorityPrivilege	2160	wmic.exe
Token: SeCreatePagefilePrivilege	2160	wmic.exe
Token: SeBackupPrivilege	2160	wmic.exe
Token: SeRestorePrivilege	2160	wmic.exe
Token: SeShutdownPrivilege	2160	wmic.exe
Token: SeDebugPrivilege	2160	wmic.exe
Token: SeSystemEnvironmentPrivilege	2160	wmic.exe
Token: SeRemoteShutdownPrivilege	2160	wmic.exe
Token: SeUndockPrivilege	2160	wmic.exe
Token: SeManageVolumePrivilege	2160	wmic.exe
Token: 33	2160	wmic.exe
Token: 34	2160	wmic.exe
Token: 35	2160	wmic.exe
Token: SeIncreaseQuotaPrivilege	2552	wmic.exe
Token: SeSecurityPrivilege	2552	wmic.exe
Token: SeTakeOwnershipPrivilege	2552	wmic.exe
Token: SeLoadDriverPrivilege	2552	wmic.exe
Token: SeSystemProfilePrivilege	2552	wmic.exe
Token: SeSystemtimePrivilege	2552	wmic.exe
Token: SeProfSingleProcessPrivilege	2552	wmic.exe
Token: SeIncBasePriorityPrivilege	2552	wmic.exe
Token: SeCreatePagefilePrivilege	2552	wmic.exe
Token: SeBackupPrivilege	2552	wmic.exe
Token: SeRestorePrivilege	2552	wmic.exe
Token: SeShutdownPrivilege	2552	wmic.exe
Token: SeDebugPrivilege	2552	wmic.exe
Token: SeSystemEnvironmentPrivilege	2552	wmic.exe
Token: SeRemoteShutdownPrivilege	2552	wmic.exe
Token: SeUndockPrivilege	2552	wmic.exe
Token: SeManageVolumePrivilege	2552	wmic.exe
Token: 33	2552	wmic.exe
Token: 34	2552	wmic.exe
Token: 35	2552	wmic.exe
Token: SeIncreaseQuotaPrivilege	2712	wmic.exe
Token: SeSecurityPrivilege	2712	wmic.exe
Token: SeTakeOwnershipPrivilege	2712	wmic.exe
Token: SeLoadDriverPrivilege	2712	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exebeeibhfehg.exe

description	pid	process	target process
PID 2204 wrote to memory of 2188	2204	6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe	beeibhfehg.exe
PID 2204 wrote to memory of 2188	2204	6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe	beeibhfehg.exe
PID 2204 wrote to memory of 2188	2204	6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe	beeibhfehg.exe
PID 2204 wrote to memory of 2188	2204	6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe	beeibhfehg.exe
PID 2188 wrote to memory of 2160	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2160	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2160	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2160	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2552	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2552	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2552	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2552	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2712	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2712	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2712	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2712	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2436	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2436	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2436	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2436	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2572	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2572	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2572	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 2572	2188	beeibhfehg.exe	wmic.exe
PID 2188 wrote to memory of 1156	2188	beeibhfehg.exe	WerFault.exe
PID 2188 wrote to memory of 1156	2188	beeibhfehg.exe	WerFault.exe
PID 2188 wrote to memory of 1156	2188	beeibhfehg.exe	WerFault.exe
PID 2188 wrote to memory of 1156	2188	beeibhfehg.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6844568b9d358c338d3b024380cbea4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\beeibhfehg.exe
C:\Users\Admin\AppData\Local\Temp\beeibhfehg.exe 1|8|9|9|8|4|0|3|1|7|8 LkhAOzUuMzAxMBguS0w5SEVEOi8ZJ009S05HTktGQzYpHyc7QEtQSUE8KzE2LicXJz9JQTwpGC5ISUY8UUNRXkI8PCowJygsICxSPkpVPUlWTU5MOmdtbG8yJiZrbnYrQz5LSiVLRkgpQU1PJ0FNPkYXJz9MRkJEQUM1bllmXU5QQXFKcjlfW28pby9oQFxtLUBfQnZlPmNcbkNEPm1rTFlURy5oY1tpXS9IWUFNXkNAV3BRPDBPV0NYa3ZlOyc5Q3hJbjttR0JCJHFxOG9HR0ZyYltuW0VhUnJtMTBJZ21PdGhqR21bNU1AWjldTE8fKDwwNSQoGCtELzwmKR8nOyo1KTEdLj0sPCUoFydANTosKhguSElGPFFDUV5JSkhOODpROSAsT0tHQ006S1dBVUlANhguSElGPFFDUV5HOUw9NF9ZaXNxZGsdMShdaV1hJS8vc2FvHSknWW5jZWhvXXEdKScqKjArMCcqHyc8Tz1bVU9LNhx6TUlDdRwvQlc+V0JFO0NBSkU6HyhATktLVjpOT1RSPko8LRcmTERBS0pSR1RXTElEOWhxc2kyLidYWmRlY2gtWlxnZ1ooJmplcS47ZTRnJz06P05rLFFFUE0+Zm1iYTEvOGxzNSkdbl1yLjwfbmBqKTQecmFvMjYqNSkpHUg/VFU8H2U8c0dJR0BVQFNYRkBFPHQYK1ZKPCsYLjxKKDUuNi4xGSdRTUVLQUlFXFY+REJHRDxBSUFERE5KSzUXJkFPX09UR0xIRTw0bG51Yh8oSkRMTElGRU5EXk5LREpWOzlVUzoxGSdHQTs8UDkxHS5CS148UEU5SUlAXj5GQkpQR0xBRDplWmRyXRcmPEtXS0tIOUNXQEc1LjA1LSopLyYwKiYtMi8fKEhASjhDREFMXEhHS1M5Q0M1cHJyZBknU0FEPDUtNDE3Kyg0Ki8oGCtETFZHRE45O1ZMRU1CPCopLiopJiosMTIpLDIwLDErKSZQSg==
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716403949.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716403949.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716403949.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716403949.txt bios get version
3⤵
PID:2436

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716403949.txt bios get version
3⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 368
3⤵
- Loads dropped DLL
- Program crash
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716403949.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\beeibhfehg.exe

Filesize
538KB

MD5
30276fb06882274f31d9e980a39de48b

SHA1
7279c1c58275dbece87fe1b4d902bf5eb5b4bb16

SHA256
3ad8a1582c1431181a5abc272bde5e18b2f96b97b022a71271b4f929f720e09f

SHA512
9ecafd09d84be4a1c9449f5e67dd39dc74141add91d8aeaa837e63d11d7cab6c0fd64de58f6ecd9e00eaf5b1d2fee864805f14ae54a76fb498b2d8d54a41311d

Download Submit

Analysis

Sharing