Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 23-05-2024 02:26
Static task: static1
Behavioral task: behavioral1, Sample: 6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe, Resource: win7-20240221-en
Behavioral task: behavioral2, Sample: 6971d27aa973f8fb573ab4567dfc078c_JaffaCakes118.exe, Resource: win10v2004-20240426-en
Behavioral task: behavioral3, Sample: beejgggbdj.exe, Resource: win7-20240221-en
Behavioral task: behavioral4, Sample: beejgggbdj.exe, Resource: win10v2004-20240508-en
General
Target: beejgggbdj.exe
Size: 631KB
MD5: d2a1a1694d83c0de4546154a6822b353
SHA1: b51d347a08f4e92c4c757dea1b818ae9b88ede6d
SHA256: 506f8a65a5d0fe6f225535304756b21b01783e6ef92688f1fd31a64cd11685c6
SHA512: ea2b5fd1bdb36f7a67b8ab6f54d58181b20b77ac376d88974e4f0a7dca40afcbaf85b3df24dea27ec3227dcfee789861d6a7c430c6f966b81a5e89d40fb1cb80
SSDEEP: 12288:YZXMuieDmqHfMuDEJ15rwpARwgy/PS9KP8VmYn9XOs3Iy71W9D/xUlE+p56+7IR4:YN2SO3xwpARwn/qoP8VmYn9XOs3Iy71v
Malware Config
Signatures
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 2588, 1968, WerFault.exe, beejgggbdj.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process), each token entry listed in the order the report gives it:
- pid 2188 wmic.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid 2188 wmic.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid 2880 wmic.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid 832 wmic.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description, pid, process, target process):
- PID 1968 wrote to memory of 2188, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2188, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2188, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2188, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2880, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2880, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2880, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2880, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 832, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 832, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 832, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 832, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2656, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2656, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2656, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2656, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2948, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2948, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2948, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2948, 1968, beejgggbdj.exe, wmic.exe
- PID 1968 wrote to memory of 2588, 1968, beejgggbdj.exe, WerFault.exe
- PID 1968 wrote to memory of 2588, 1968, beejgggbdj.exe, WerFault.exe
- PID 1968 wrote to memory of 2588, 1968, beejgggbdj.exe, WerFault.exe
- PID 1968 wrote to memory of 2588, 1968, beejgggbdj.exe, WerFault.exe
Processes (process tree; level 1 is the submitted sample, level 2 its children)
- Level 1: C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\beejgggbdj.exe"
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431189.txt bios get serialnumber
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431189.txt bios get version
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431189.txt bios get version
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431189.txt bios get version
  - Level 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716431189.txt bios get version
  - Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 376
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\81716431189.txt
  Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51