28b9f5ab1343a27bae716f16c19cae56c9ffdb05192c8d32e7ff4e3e74af14d6

General

Target

6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
Size

370KB
MD5

6971d27aa973f8fb573ab4567dfc078c
SHA1

c669c1ec98c550bf60dc381d6034558787b77fe6
SHA256

28b9f5ab1343a27bae716f16c19cae56c9ffdb05192c8d32e7ff4e3e74af14d6
SHA512

04c671ae775f0190ca0cb2ff50e9195c7fa6e3e1eb9b3145bdcb854aa24b019b85a2a3917f1091fabdbf373d11ac48064c0a504a7e0726932ac68af844f56adc
SSDEEP

6144:/FJ0BYUlTO86kVJ6UTMZmk+PEyeU29GDL++r+gh1NGMmVEtUuacNfgU7:OYUlStkVYYk+PEXU6ERzEMmS3NNfgc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

beejgggbdj.exe

pid process

2324 beejgggbdj.exe
Loads dropped DLL 5 IoCs

Processes:

6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exeWerFault.exe

pid process

2960 6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
2328 WerFault.exe
2328 WerFault.exe
2328 WerFault.exe
2328 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2328 2324 WerFault.exe beejgggbdj.exe

pid	process
2324	beejgggbdj.exe

pid	process
2960	6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

pid	pid_target	process	target process
2328	2324	WerFault.exe	beejgggbdj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2624	wmic.exe
Token: SeSecurityPrivilege	2624	wmic.exe
Token: SeTakeOwnershipPrivilege	2624	wmic.exe
Token: SeLoadDriverPrivilege	2624	wmic.exe
Token: SeSystemProfilePrivilege	2624	wmic.exe
Token: SeSystemtimePrivilege	2624	wmic.exe
Token: SeProfSingleProcessPrivilege	2624	wmic.exe
Token: SeIncBasePriorityPrivilege	2624	wmic.exe
Token: SeCreatePagefilePrivilege	2624	wmic.exe
Token: SeBackupPrivilege	2624	wmic.exe
Token: SeRestorePrivilege	2624	wmic.exe
Token: SeShutdownPrivilege	2624	wmic.exe
Token: SeDebugPrivilege	2624	wmic.exe
Token: SeSystemEnvironmentPrivilege	2624	wmic.exe
Token: SeRemoteShutdownPrivilege	2624	wmic.exe
Token: SeUndockPrivilege	2624	wmic.exe
Token: SeManageVolumePrivilege	2624	wmic.exe
Token: 33	2624	wmic.exe
Token: 34	2624	wmic.exe
Token: 35	2624	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exebeejgggbdj.exe

description	pid	process	target process
PID 2960 wrote to memory of 2324	2960	6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe	beejgggbdj.exe
PID 2960 wrote to memory of 2324	2960	6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe	beejgggbdj.exe
PID 2960 wrote to memory of 2324	2960	6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe	beejgggbdj.exe
PID 2960 wrote to memory of 2324	2960	6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe	beejgggbdj.exe
PID 2324 wrote to memory of 2964	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2964	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2964	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2964	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2624	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2624	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2624	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2624	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2572	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2572	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2572	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2572	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 3024	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 3024	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 3024	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 3024	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2448	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2448	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2448	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2448	2324	beejgggbdj.exe	wmic.exe
PID 2324 wrote to memory of 2328	2324	beejgggbdj.exe	WerFault.exe
PID 2324 wrote to memory of 2328	2324	beejgggbdj.exe	WerFault.exe
PID 2324 wrote to memory of 2328	2324	beejgggbdj.exe	WerFault.exe
PID 2324 wrote to memory of 2328	2324	beejgggbdj.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe
C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe 2\5\4\8\5\2\8\3\0\9\0 LUtFPDgvMTU0KSAtTlE6S0c8OjAXL0xAUE9KUENGRDQwHipAQU5SQUE9JyAtPkU8OC4YLFBJT0JQP0xaRzw6MBcvUUBOTkBQV1JSQz1mb3BoNS0ncHJtLkJAT0MoUkdNLThQTilFRkFNGCxDQ0lBRkU8OB4nQTE0LS8bKzwtOyUuICZEMTgpKRstPDE9JDEeKkAtOCspHS9HUk0/UTtPXUhPSU1BQVQ5GCpOSkxETENSWkFNRz81HS9HUk0/UTtPXUY+TTw9HipBUEBdTU9MNCAtQFQ9WkFFQUxATkM4HCdDTUtRXzlSTVJPPU07LR0vS0g/SUdRSlNXUlJDPR4qUkU4MBgsREoxOxsrSlBMTEZNPF9VQEg7Sks9Rk04R0NQTkQ4HidGU1ZSU0lQQUhDNXFybGUeKk49T1NKS0lFR11QTz1NXTw+WUo9MBsrQERCPVU9KCAtRE9XP1dGPk1AQ11ASjtNV0hRRTs9ZFxoa2AeJ0FPTk5KSj08WkdIOjInOCwsLSgpNysrMSkyHipMOU0/RElFQ19HSU9MPEpEOnRpdWMbK0xESz06MSs0NzItLisuLh0vO09VSUhHPEJXUUlERTssLicsLicvMCg1KC02LS44KjMqOE0=
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
3⤵
PID:3024

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
3⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 368
3⤵
- Loads dropped DLL
- Program crash
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716431188.txt
Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe
Filesize
631KB

MD5
d2a1a1694d83c0de4546154a6822b353

SHA1
b51d347a08f4e92c4c757dea1b818ae9b88ede6d

SHA256
506f8a65a5d0fe6f225535304756b21b01783e6ef92688f1fd31a64cd11685c6

SHA512
ea2b5fd1bdb36f7a67b8ab6f54d58181b20b77ac376d88974e4f0a7dca40afcbaf85b3df24dea27ec3227dcfee789861d6a7c430c6f966b81a5e89d40fb1cb80

Download Submit

Analysis

Sharing