Malware Analysis Report

2025-04-14 00:32

Sample ID 240601-w2ws9aah9x
Target 8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118
SHA256 14554462996a0201b043295fd0097af6b2c1e0d94aff6bc93a349a34ce181e2f
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256

14554462996a0201b043295fd0097af6b2c1e0d94aff6bc93a349a34ce181e2f

Threat Level: Shows suspicious behavior

The file 8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Executes dropped EXE

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 18:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win7-20240508-en

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\etxtmwc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\etxtmwc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\etxtmwc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\etxtmwc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 1012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1428 wrote to memory of 1012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1428 wrote to memory of 1012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\etxtmwc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\etxtmwc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 1412 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 1412 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 1412 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 2888 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2888 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\WerFault.exe
PID 2888 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\WerFault.exe
PID 2888 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\WerFault.exe
PID 2888 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe

C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe 7|8|5|2|1|0|1|2|6|3|6

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266342.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266342.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266342.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266342.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266342.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 372

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp

Files

\Users\Admin\AppData\Local\Temp\nsyABF9.tmp\etxtmwc.dll

MD5 4d3c8a633d0bba7bc5b9010a69303d4d
SHA1 46aab421789437fc7cb681655739aff5d7578d8d
SHA256 034f6c733cc6d45d953b9c0df9c2110defa569873bd2f6f0be61332264174344
SHA512 7e92b5aa8d25809936d61ba22f89215088a3e97ca29cbfd033d0594669a7bd245519e777f7505a8fa83a09db3b31646ea050e22fe16f98a3c7e4c0c8f5d93acf

\Users\Admin\AppData\Local\Temp\nsyABF9.tmp\ZipDLL.dll

MD5 2dc35ddcabcb2b24919b9afae4ec3091
SHA1 9eeed33c3abc656353a7ebd1c66af38cccadd939
SHA256 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
SHA512 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

\Users\Admin\AppData\Local\Temp\bedgifdhca.exe

MD5 5a81957b711997843031232113059963
SHA1 c08a9fc2a4592f8e8f25dee1f271b869e1a83e47
SHA256 ec474e59c8e22d98df155005782c1f3cdfbd08ba52b7593804f3f101cad6e454
SHA512 6ed304da44a6e64fae26a2a41b633d4dfd2d47ab9f0ac0d2b5db293fe02c9167598610103a58469eb2016bb80a14a90b2b2084145b8a8c2f2802971a0d5a1421

C:\Users\Admin\AppData\Local\Temp\81717266342.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 1532 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 1532 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe
PID 4440 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4440 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b5aee520a6fb8e53a731b1e5509a981_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe

C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe 7|8|5|2|1|0|1|2|6|3|6

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266340.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266340.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266340.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266340.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81717266340.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 864

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv.desk-top-app.info udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsr2626.tmp\etxtmwc.dll

MD5 4d3c8a633d0bba7bc5b9010a69303d4d
SHA1 46aab421789437fc7cb681655739aff5d7578d8d
SHA256 034f6c733cc6d45d953b9c0df9c2110defa569873bd2f6f0be61332264174344
SHA512 7e92b5aa8d25809936d61ba22f89215088a3e97ca29cbfd033d0594669a7bd245519e777f7505a8fa83a09db3b31646ea050e22fe16f98a3c7e4c0c8f5d93acf

C:\Users\Admin\AppData\Local\Temp\nsr2626.tmp\ZipDLL.dll

MD5 2dc35ddcabcb2b24919b9afae4ec3091
SHA1 9eeed33c3abc656353a7ebd1c66af38cccadd939
SHA256 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
SHA512 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

C:\Users\Admin\AppData\Local\Temp\bedgifdhca.exe

MD5 5a81957b711997843031232113059963
SHA1 c08a9fc2a4592f8e8f25dee1f271b869e1a83e47
SHA256 ec474e59c8e22d98df155005782c1f3cdfbd08ba52b7593804f3f101cad6e454
SHA512 6ed304da44a6e64fae26a2a41b633d4dfd2d47ab9f0ac0d2b5db293fe02c9167598610103a58469eb2016bb80a14a90b2b2084145b8a8c2f2802971a0d5a1421

C:\Users\Admin\AppData\Local\Temp\81717266340.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81717266340.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\81717266340.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win7-20240508-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A