23715a39b7bf75785f3bc0521cfab6e427cb396486b0a1cedd4c9022abab1f3c

Analysis

max time kernel
134s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe
Size

582KB
MD5

852ca9b65bd1aef967f8513890f00a24
SHA1

ff25d0828624c70363e5d7b00fc8ab037986f6d4
SHA256

23715a39b7bf75785f3bc0521cfab6e427cb396486b0a1cedd4c9022abab1f3c
SHA512

06f3f3258cc6b026a27b56420c5e2d2f7e76a57bfe69aefdea27738291f8aecdef607492ddd4ec859027ed8a2e88bac057358abfb9a26a2a81db8f0707b16f0e
SSDEEP

12288:PlLTBqYuWFcov/H1VQLUXmORdju4RERZMH0c:PlL1qYuWWWoammdjbSPc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4028	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe
Token: 33	1404	WMIC.exe
Token: 34	1404	WMIC.exe
Token: 35	1404	WMIC.exe
Token: 36	1404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe
Token: 33	1404	WMIC.exe
Token: 34	1404	WMIC.exe
Token: 35	1404	WMIC.exe
Token: 36	1404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe
Token: 36	3700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	setup.exe
2984	setup.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2984	4028	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	83
PID 4028 wrote to memory of 2984	4028	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	83
PID 4028 wrote to memory of 2984	4028	852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe	83
PID 2984 wrote to memory of 4704	2984	setup.exe	100
PID 2984 wrote to memory of 4704	2984	setup.exe	100
PID 2984 wrote to memory of 4704	2984	setup.exe	100
PID 2984 wrote to memory of 4108	2984	setup.exe	103
PID 2984 wrote to memory of 4108	2984	setup.exe	103
PID 2984 wrote to memory of 4108	2984	setup.exe	103
PID 4108 wrote to memory of 3700	4108	cmd.exe	105
PID 4108 wrote to memory of 3700	4108	cmd.exe	105
PID 4108 wrote to memory of 3700	4108	cmd.exe	105
PID 2984 wrote to memory of 4312	2984	setup.exe	106
PID 2984 wrote to memory of 4312	2984	setup.exe	106
PID 2984 wrote to memory of 4312	2984	setup.exe	106
PID 4312 wrote to memory of 4840	4312	cmd.exe	108
PID 4312 wrote to memory of 4840	4312	cmd.exe	108
PID 4312 wrote to memory of 4840	4312	cmd.exe	108
PID 2984 wrote to memory of 4896	2984	setup.exe	110
PID 2984 wrote to memory of 4896	2984	setup.exe	110
PID 2984 wrote to memory of 4896	2984	setup.exe	110
PID 4896 wrote to memory of 2208	4896	cmd.exe	112
PID 4896 wrote to memory of 2208	4896	cmd.exe	112
PID 4896 wrote to memory of 2208	4896	cmd.exe	112
PID 2984 wrote to memory of 2936	2984	setup.exe	113
PID 2984 wrote to memory of 2936	2984	setup.exe	113
PID 2984 wrote to memory of 2936	2984	setup.exe	113
PID 2936 wrote to memory of 3876	2936	cmd.exe	115
PID 2936 wrote to memory of 3876	2936	cmd.exe	115
PID 2936 wrote to memory of 3876	2936	cmd.exe	115
PID 2984 wrote to memory of 4672	2984	setup.exe	116
PID 2984 wrote to memory of 4672	2984	setup.exe	116
PID 2984 wrote to memory of 4672	2984	setup.exe	116
PID 4672 wrote to memory of 3568	4672	cmd.exe	118
PID 4672 wrote to memory of 3568	4672	cmd.exe	118
PID 4672 wrote to memory of 3568	4672	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\852ca9b65bd1aef967f8513890f00a24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\nst43D1.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nst43D1.tmp\setup.exe" /S
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=4028 get Commandline
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=4028 get Commandline
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=3500 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=3500 get Commandline
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=3476 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=3476 get Commandline
      4⤵
      PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=4028 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=4028 get Commandline
      4⤵
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=3500 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=3500 get Commandline
      4⤵
      PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c WMIC path win32_process WHERE Processid=3476 get Commandline
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC path win32_process WHERE Processid=3476 get Commandline
      4⤵
      PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst43D1.tmp\D1958.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst43D1.tmp\setup.exe

Filesize
529KB

MD5
3de775d4bc8dca7b407a6a077dee2d5f

SHA1
f4de188f7b52e68cb5f47fe542ad195d242c5bdd

SHA256
b70c82103d2cc7d72747846bde741f1810e0daf6f618ebf265dd02ebbf54d9e7

SHA512
7324d58f78a710ff5c35831b78ed106c8a4a8598f3dfb19271aa1f3232397529b4f077d042c5d5a0e513a89a34c2c4839eb6c652df654e66399c82003a6b7494

Download Submit