Analysis

  • max time kernel
    143s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 03:40

General

  • Target

    906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe

  • Size

    13.0MB

  • MD5

    906c4effd6a20be22ea026a43a3cb7b3

  • SHA1

    89df6ca0d893d9355741d8ca11cdebea1fbbb095

  • SHA256

    08e5e7e5f30801b363f08a6106425faa1c505bd048a18c846a5b3e5959a4998e

  • SHA512

    fa866adaa965c98e809a3efc57550c5c9464668f619922e9b769550fc58623b3815cfbbf1473877e551a7f0d9a6634a7b02157eb2b8e1156ca2c892c32063c2e

  • SSDEEP

    393216:TjnUwmatWZ+mgSbBXxKqLupZr6KbkeJO2:TjnJmapSDsu7eN

Score
9/10

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

    Runs bcdedit.exe /set testsigning on (PID 2428). Test Signing mode makes the kernel load drivers signed with any certificate, including self-signed test certificates, after the next reboot, so Driver Signature Enforcement no longer protects the host. Before changing it, the sample saves the current BCD store with cmd.exe /c bcdedit.exe > usb701F.tmp (the 1KB file listed below). On hosts with Secure Boot enabled bcdedit refuses this setting, so the command line having run is not proof that the change took effect; confirm with bcdedit /enum {current}.

  • Executes dropped EXE 11 IoCs

    Eleven launches of ISBEW64.exe, the InstallShield 64-bit setup engine, from the installer's temp folder {6A81BB54-BFD2-47A0-868C-0E3117087A64}.

  • Loads dropped DLL 5 IoCs

    ISRT.dll and _isres_0x0409.dll, the InstallShield runtime and resource DLLs, loaded by MsiExec.exe (PID 2020).
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit.exe > "C:\Users\Admin\AppData\Local\Temp\usb701F.tmp"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe
        3⤵
        PID:5056
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set testsigning on
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2428
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi" REBOOTNEEDED=1
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 78428D6170137DDC6D9DEB76952F1A08 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5E24028-63DD-4538-AC84-405A441BD2CF}
        3⤵
        • Executes dropped EXE
        PID:2320
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22B7427C-3724-4BE4-86D0-4629E6D608AD}
        3⤵
        • Executes dropped EXE
        PID:404
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8AB096F5-7B49-4A2B-9309-9F8010AD85E6}
        3⤵
        • Executes dropped EXE
        PID:2720
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F30B0C79-7504-48E2-A24A-3CA7E6214F7F}
        3⤵
        • Executes dropped EXE
        PID:3396
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{124B2B01-0167-4B24-8660-7D723B7F9F85}
        3⤵
        • Executes dropped EXE
        PID:3624
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7CD3E7D-7B34-4873-B857-A23956FD119A}
        3⤵
        • Executes dropped EXE
        PID:868
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07441B02-C815-498C-8450-0152E61B9EE5}
        3⤵
        • Executes dropped EXE
        PID:4172
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63289CF8-3977-4955-A804-F7EC21A16E61}
        3⤵
        • Executes dropped EXE
        PID:1536
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDD58BE7-39F1-42AA-B394-1E0950D20C92}
        3⤵
        • Executes dropped EXE
        PID:5084
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAD35A6F-AC18-48C1-98DE-B12E44543347}
        3⤵
        • Executes dropped EXE
        PID:5092
      • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7AFFED01-E21B-4DC3-AA33-4D5F437A5AED}
        3⤵
        • Executes dropped EXE
        PID:3424

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSI7649.tmp

      Filesize

      1.3MB

      MD5

      7a2798d06f6ff4bb08381e75e1202277

      SHA1

      123875bd02231d8e06d234e400f64ebb6ce622f2

      SHA256

      c73541a041134a4e9d7e9e5f68aef83fa3f6caad9e9b44b7cba52cd5441a38de

      SHA512

      16784c47c85b5c446422d6c17c933fbe1bd0b4f02bf43d487b404180c2b53567e587c527b5c4b23c4af96780499e01e5871fb67ccbf83d5ed90df433f15a120a

    • C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

      Filesize

      11.6MB

      MD5

      2c35cb1d6bc7e9e2c1fd18e401de3a02

      SHA1

      cfba57b4d521dc1d9bd5f226ab954f7ec8da3108

      SHA256

      ec29ea59edf79119f5cb06fc7e742cd191652e2afebb223d94a98b38dc7c3c5b

      SHA512

      fe2ee417f6bd8687116297c4c09872aa8d5c9e1cb048fe792befc494dddc0f2a100f21680b210fcace2b0562055ce9443091e409e74e1136c8b2c9643c0ed2b5

    • C:\Users\Admin\AppData\Local\Temp\usb701F.tmp

      Filesize

      1KB

      MD5

      40323f90d4b6fadfa1652b951b17a43b

      SHA1

      6f2a7849eddee6a26439efded23228ec9c557ebf

      SHA256

      0b82c6f01bf8c62768d48e5c52adb69131df0225b12563e974854139472fd457

      SHA512

      c81044cda91d40a4f2d340902cf7e4bbb8eee943b92eed10e60a7b4aee3d3f2091ef8b48de5e2e80d9d5c2c914cf02a482d4885241ff000f27c4da2aee4bf8f8

    • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe

      Filesize

      146KB

      MD5

      c3b2acc07bb0610405fc786e3432bef9

      SHA1

      333d5f2b55bd00ad4311ba104af7db984f953924

      SHA256

      9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

      SHA512

      2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

    • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISRT.dll

      Filesize

      260KB

      MD5

      a93f625ef42b54c2b0f4d38201e67606

      SHA1

      cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

      SHA256

      e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

      SHA512

      805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

    • C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\_isres_0x0409.dll

      Filesize

      540KB

      MD5

      d6bbf7ff6984213c7f1f0f8f07c51e6a

      SHA1

      cfe933fc3b634f7333adec7ec124c14e9d19ac21

      SHA256

      6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

      SHA512

      a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

    • memory/2020-8-0x0000000010000000-0x00000000101B5000-memory.dmp

      Filesize

      1.7MB

    • memory/2020-35-0x0000000003090000-0x0000000003119000-memory.dmp

      Filesize

      548KB

    • memory/2020-33-0x0000000002F20000-0x0000000002FC7000-memory.dmp

      Filesize

      668KB

    • memory/2020-47-0x0000000002F20000-0x0000000002FC7000-memory.dmp

      Filesize

      668KB

    • memory/2020-46-0x0000000010000000-0x00000000101B5000-memory.dmp

      Filesize

      1.7MB