Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
23-05-2024 02:26
Static task
static1
Behavioral task
behavioral1
Sample
6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
beejgggbdj.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
beejgggbdj.exe
Resource
win10v2004-20240508-en
General
-
Target
6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
-
Size
370KB
-
MD5
6971d27aa973f8fb573ab4567dfc078c
-
SHA1
c669c1ec98c550bf60dc381d6034558787b77fe6
-
SHA256
28b9f5ab1343a27bae716f16c19cae56c9ffdb05192c8d32e7ff4e3e74af14d6
-
SHA512
04c671ae775f0190ca0cb2ff50e9195c7fa6e3e1eb9b3145bdcb854aa24b019b85a2a3917f1091fabdbf373d11ac48064c0a504a7e0726932ac68af844f56adc
-
SSDEEP
6144:/FJ0BYUlTO86kVJ6UTMZmk+PEyeU29GDL++r+gh1NGMmVEtUuacNfgU7:OYUlStkVYYk+PEXU6ERzEMmS3NNfgc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2324  beejgggbdj.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid   process
2960  6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe
2328  WerFault.exe
2328  WerFault.exe
2328  WerFault.exe
2328  WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
2328  2324        WerFault.exe  beejgggbdj.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exe (pid 2964), wmic.exe (pid 2624), wmic.exe (pid 2572)

Each IoC is one "Token: <privilege> <pid> <process>" row (the report caps the list at 64 rows).

pid 2964 wmic.exe, 40 rows: the following 20-privilege sequence is recorded twice
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, 33, 34, 35

pid 2624 wmic.exe, 20 rows: the same 20-privilege sequence, recorded once
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, 33, 34, 35

pid 2572 wmic.exe, 4 rows (the 64-row cap is reached here)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe, beejgggbdj.exe

Each parent/child pair below is recorded four times (4 WriteProcessMemory rows per spawn, 28 rows in total).

pid   target pid  process                                             target process
2960  2324        6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe  beejgggbdj.exe
2324  2964        beejgggbdj.exe                                      wmic.exe
2324  2624        beejgggbdj.exe                                      wmic.exe
2324  2572        beejgggbdj.exe                                      wmic.exe
2324  3024        beejgggbdj.exe                                      wmic.exe
2324  2448        beejgggbdj.exe                                      wmic.exe
2324  2328        beejgggbdj.exe                                      WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe 2\5\4\8\5\2\8\3\0\9\0 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
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get serialnumber
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
    -
    C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version
    -
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 368
      - Loads dropped DLL
      - Program crash
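Read together, the process tree and the WriteProcessMemory rows describe one chain: the submitted sample drops beejgggbdj.exe into %TEMP%, the dropped file spawns wmic.exe five times to write the BIOS serial number and version into 81716431188.txt (a hardware fingerprint that is commonly used to tell a sandbox or VM from a real host), and the dropped file then crashes and is reported by WerFault.exe. The following is an added example, not code from the sandbox or from the sample, that rebuilds the parent/child edges from rows in the format the report uses, flags that fingerprinting pattern and recovers the crashed pid from the WerFault command line. The rows and command lines are constructed from this report; because the report does not tie each wmic pid to a specific query, the pid-to-command-line mapping below is an assumption.

```python
"""Rebuild a sandbox process tree from WriteProcessMemory rows and flag the
WMI BIOS-fingerprinting chain seen in this report (dropped EXE in %TEMP% ->
wmic.exe writing BIOS fields to a file -> WerFault crash of the dropper)."""
import re
from collections import defaultdict

# One sandbox row per WriteProcessMemory call: "PID <parent> wrote to memory
# of <child> <parent> <parent image> <child image>". A single spawn produces
# several rows, so they are de-duplicated when parsed.
WRITE_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<parent_image>\S+) (?P<child_image>\S+)"
)
# wmic /output:<file> bios get serialnumber|version
WMIC_BIOS_RE = re.compile(
    r"wmic\s+/output:(?P<out>\S+)\s+bios\s+get\s+(?P<field>serialnumber|version)\b",
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# WerFault.exe ... -p <pid of the crashed process>
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)

# Constructed from this report's WriteProcessMemory signature. The report
# carries four copies of every row; only the first row is duplicated here.
WRITE_RECORDS = """
PID 2960 wrote to memory of 2324 2960 6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe beejgggbdj.exe
PID 2960 wrote to memory of 2324 2960 6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe beejgggbdj.exe
PID 2324 wrote to memory of 2964 2324 beejgggbdj.exe wmic.exe
PID 2324 wrote to memory of 2624 2324 beejgggbdj.exe wmic.exe
PID 2324 wrote to memory of 2572 2324 beejgggbdj.exe wmic.exe
PID 2324 wrote to memory of 3024 2324 beejgggbdj.exe wmic.exe
PID 2324 wrote to memory of 2448 2324 beejgggbdj.exe wmic.exe
PID 2324 wrote to memory of 2328 2324 beejgggbdj.exe WerFault.exe
"""

# Constructed from the process tree. Assumption: the report does not say which
# wmic pid ran which query, so pid 2964 is paired with the serialnumber query
# and the remaining four with the version query.
COMMAND_LINES = {
    2960: r'"C:\Users\Admin\AppData\Local\Temp\6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe"',
    2324: r"C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe 2\5\4\8\5\2\8\3\0\9\0",
    2964: r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get serialnumber",
    2624: r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version",
    2572: r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version",
    3024: r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version",
    2448: r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431188.txt bios get version",
    2328: r"C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 368",
}


def parse_write_records(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image, child_image)
    edges in first-seen order."""
    seen, edges = set(), []
    for m in WRITE_RE.finditer(text):
        edge = (int(m["parent"]), int(m["child"]), m["parent_image"], m["child_image"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent pid to the list of child pids it wrote into."""
    children = defaultdict(list)
    for parent, child, _, _ in edges:
        children[parent].append(child)
    return dict(children)


def find_bios_fingerprinting(edges, cmdlines):
    """Flag parents that run from %TEMP% and spawn wmic.exe to dump BIOS
    fields to a file. Returns {parent_pid: {image, fields, outputs, wmic_pids}}."""
    hits = {}
    for parent, child, parent_image, child_image in edges:
        if child_image.lower() != "wmic.exe":
            continue
        m = WMIC_BIOS_RE.search(cmdlines.get(child, ""))
        if not m or not TEMP_DIR_RE.search(cmdlines.get(parent, "")):
            continue
        hit = hits.setdefault(parent, {"image": parent_image, "fields": set(),
                                       "outputs": set(), "wmic_pids": []})
        hit["fields"].add(m["field"].lower())
        hit["outputs"].add(m["out"])
        hit["wmic_pids"].append(child)
    return hits


def crash_targets(edges, cmdlines):
    """Pids named by the -p argument of any WerFault.exe child, i.e. the
    processes that crashed (here the dropped payload itself)."""
    targets = set()
    for _, child, _, child_image in edges:
        if child_image.lower() == "werfault.exe":
            m = WERFAULT_RE.search(cmdlines.get(child, ""))
            if m:
                targets.add(int(m["pid"]))
    return targets


EDGES = parse_write_records(WRITE_RECORDS)

if __name__ == "__main__":
    for parent, kids in build_tree(EDGES).items():
        print(parent, "->", kids)
    for pid, hit in find_bios_fingerprinting(EDGES, COMMAND_LINES).items():
        print(f"pid {pid} ({hit['image']}) queried BIOS {sorted(hit['fields'])} via "
              f"{len(hit['wmic_pids'])} wmic.exe children into {sorted(hit['outputs'])}")
    print("crashed pids:", crash_targets(EDGES, COMMAND_LINES))
```

The parent check on %TEMP% is what keeps this from firing on an administrator running `wmic bios get serialnumber` from a console: the suspicious combination is a freshly written executable in a user-writable temp directory collecting hardware identifiers into a file it can read back, and the same logic ports directly to Sysmon Event ID 1 (ParentImage plus CommandLine) on a production host.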
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\81716431188.txt
Filesize 66B
MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe
Filesize 631KB
MD5 d2a1a1694d83c0de4546154a6822b353
SHA1 b51d347a08f4e92c4c757dea1b818ae9b88ede6d
SHA256 506f8a65a5d0fe6f225535304756b21b01783e6ef92688f1fd31a64cd11685c6
SHA512 ea2b5fd1bdb36f7a67b8ab6f54d58181b20b77ac376d88974e4f0a7dca40afcbaf85b3df24dea27ec3227dcfee789861d6a7c430c6f966b81a5e89d40fb1cb80