1328ef967bdb08e0e5f8802fe69f3caa9b0cf4d1268c52eff85c38e002cdf79d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 00:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe
Size

574KB
MD5

73b642f0b660ad41d2211fbb26e94aab
SHA1

303e75230eb7511312cfe363a33a39c6b90e962e
SHA256

1328ef967bdb08e0e5f8802fe69f3caa9b0cf4d1268c52eff85c38e002cdf79d
SHA512

cfa8ee13af6130e76c3eb3947c6cb8e502ca726aa7f25d0a09a464dac48c4931d4b2f70ee9f03c1825294389376ad273be03a9c30581ebaead49f8aa2f0802f5
SSDEEP

12288:LgvB7Rr2tkNWyN4gRn3Da7Napr9Za0qY1hMsVIaUu:Lgzr6klvCIhx1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2968	chcabfccceb.exe

Loads dropped DLL 10 IoCs

pid	Process
2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe
2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe
2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	2968	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	wmic.exe
Token: SeSecurityPrivilege	2964	wmic.exe
Token: SeTakeOwnershipPrivilege	2964	wmic.exe
Token: SeLoadDriverPrivilege	2964	wmic.exe
Token: SeSystemProfilePrivilege	2964	wmic.exe
Token: SeSystemtimePrivilege	2964	wmic.exe
Token: SeProfSingleProcessPrivilege	2964	wmic.exe
Token: SeIncBasePriorityPrivilege	2964	wmic.exe
Token: SeCreatePagefilePrivilege	2964	wmic.exe
Token: SeBackupPrivilege	2964	wmic.exe
Token: SeRestorePrivilege	2964	wmic.exe
Token: SeShutdownPrivilege	2964	wmic.exe
Token: SeDebugPrivilege	2964	wmic.exe
Token: SeSystemEnvironmentPrivilege	2964	wmic.exe
Token: SeRemoteShutdownPrivilege	2964	wmic.exe
Token: SeUndockPrivilege	2964	wmic.exe
Token: SeManageVolumePrivilege	2964	wmic.exe
Token: 33	2964	wmic.exe
Token: 34	2964	wmic.exe
Token: 35	2964	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2292	wmic.exe
Token: SeSecurityPrivilege	2292	wmic.exe
Token: SeTakeOwnershipPrivilege	2292	wmic.exe
Token: SeLoadDriverPrivilege	2292	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2968	2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2968	2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2968	2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2968	2340	73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2964	2968	chcabfccceb.exe	29
PID 2968 wrote to memory of 2964	2968	chcabfccceb.exe	29
PID 2968 wrote to memory of 2964	2968	chcabfccceb.exe	29
PID 2968 wrote to memory of 2964	2968	chcabfccceb.exe	29
PID 2968 wrote to memory of 2588	2968	chcabfccceb.exe	32
PID 2968 wrote to memory of 2588	2968	chcabfccceb.exe	32
PID 2968 wrote to memory of 2588	2968	chcabfccceb.exe	32
PID 2968 wrote to memory of 2588	2968	chcabfccceb.exe	32
PID 2968 wrote to memory of 2292	2968	chcabfccceb.exe	34
PID 2968 wrote to memory of 2292	2968	chcabfccceb.exe	34
PID 2968 wrote to memory of 2292	2968	chcabfccceb.exe	34
PID 2968 wrote to memory of 2292	2968	chcabfccceb.exe	34
PID 2968 wrote to memory of 2620	2968	chcabfccceb.exe	36
PID 2968 wrote to memory of 2620	2968	chcabfccceb.exe	36
PID 2968 wrote to memory of 2620	2968	chcabfccceb.exe	36
PID 2968 wrote to memory of 2620	2968	chcabfccceb.exe	36
PID 2968 wrote to memory of 2472	2968	chcabfccceb.exe	38
PID 2968 wrote to memory of 2472	2968	chcabfccceb.exe	38
PID 2968 wrote to memory of 2472	2968	chcabfccceb.exe	38
PID 2968 wrote to memory of 2472	2968	chcabfccceb.exe	38
PID 2968 wrote to memory of 2508	2968	chcabfccceb.exe	40
PID 2968 wrote to memory of 2508	2968	chcabfccceb.exe	40
PID 2968 wrote to memory of 2508	2968	chcabfccceb.exe	40
PID 2968 wrote to memory of 2508	2968	chcabfccceb.exe	40

C:\Users\Admin\AppData\Local\Temp\73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73b642f0b660ad41d2211fbb26e94aab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\chcabfccceb.exe
  C:\Users\Admin\AppData\Local\Temp\chcabfccceb.exe 6-6-3-6-1-3-6-1-2-4-1 KUpGPjwzMzgyHC5NTz9KSEE3Lx4rTT9OVElRSENDOy0fKT5GTVNGPjw3LzIwGiw9SEE3Lx4rT0xJQU9CUVlIQjk3MTI0Gi5QP1FUQVFZT09GPGVuc242LiltYmx1K25nYylgamoqXmBxWy1namVpGiw9S0Y9SkdAPBopQSs8KisfLUAxNycuGi5BLTwrLR8pPjE3LC4aLkIxPCcrHSlPT0lDUz9TWUpPQ1U+PVg7HC5KTEw+VEBOXkNRSzs3HSlPT0lDUz9TWUg+R0Q6QWBwZXJZZ2xeXi8aLkNURFlPT0Y8ZW5zbjYuKWZiX3NsbC1wcS5uaW9sZGtuci1XS19fUWlxK2x0W0NgbGx2bV5KaWNdcjAtKC0xLS0vLXJrcWxfa24fLD9XQ1tCRz5JQ01CNx8tRE5NTlw8UUxRUkNOPC8aLE5HPkhKV0tUWU9PRjwdKVVLOTEaKUFNMDovMDMuHylMUkhTRkdEXVNERj1MR0RGR0BFQVRMRjoaLkZNXlBRTU5DSj88cWx0YxwuTD9RT1FLQ01FW1RNP09ZQz5TUjsuHylCRj5EVTcwHitITVlBU00+R0hBW0RIPU9TT1E/QztiYGZtYhouQUlWTEhOOz5cQ086MjMsLjIoLzMoMC4qHy1QSEc/OiszLy0yLy84LTMdKUNMUU1KS0A+WVFDTEI3MS0zLiwqLi8pLiw5MzQ5LzMnSkw=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716682207.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716682207.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716682207.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716682207.txt bios get version
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81716682207.txt bios get version
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81716682207.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\chcabfccceb.exe

Filesize
808KB

MD5
95eae713f3e1361ef1bd7692e499d0ea

SHA1
aa83c74da13a19b82dca9ec0b387e2e8497472be

SHA256
a530e425ae4d15a6ba2b5bc98bf7e48764e331e8adfb6e8b9e671ae6f0da4121

SHA512
aa0a62ff8cd445fc7dbdf564188a35679a1d3dd13123b02ea568f5baac7ef7994cb6906f94e5a2c7150e8d35ea94fc04fefe0e4eed613685d9f8665c9a0fd53e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi12A7.tmp\fat.dll

Filesize
120KB

MD5
a8d5f95a46df6da00d76794551a98883

SHA1
0e17c53b0f34265b350283b8ffbb6dc9e7e4291d

SHA256
d6d045f56c06235e9c1ec704776f3fcd5f38db405c6a51d989d8b4926fa42c00

SHA512
c65e86a687488f757a3168b4c34321f0ba5947ba9aaa89c33483ea487694c4a8ac41766dea54d6059452d63de2c17bf9ec71ff156a115e9b48e37dca7762274b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi12A7.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit