Malware Analysis Report

2025-04-14 01:05

Sample ID 240603-krg2kaag48
Target 912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118
SHA256 3d4536f88e703a14150bc034031f93c3f8ee1fda6edc912087dccc110b58006c
Tags
score
7/10

Analysis Overview

score
7/10

SHA256

3d4536f88e703a14150bc034031f93c3f8ee1fda6edc912087dccc110b58006c

Threat Level: Shows suspicious behavior

The file 912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-06-03 08:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2992 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe
PID 2992 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe
PID 2992 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe
PID 2992 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe

Processes

C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC bios Get Version /FORMAT:textvaluelist.xsl

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC csproduct Get Name /FORMAT:textvaluelist.xsl

C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe

7za.exe e -y -p"c37c80ac0ba8d57e2d5c29cf5479a5ce" [RANDOM_STRING].7z

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy2242.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\7za.exe

MD5 42badc1d2f03a8b1e4875740d3d49336
SHA1 cee178da1fb05f99af7a3547093122893bd1eb46
SHA256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\[RANDOM_STRING].7z

MD5 5785086412a3047bceb1d765148fec69
SHA1 f2dda8deb03aebb39d1c75cc56d2ac1cb3080748
SHA256 1deaabe60e67bac0dac59330f1737f1fe88244dd2cf92b5f0e2b6022d1f1f3d9
SHA512 f9a579d10ddf89c32a7cca23d3fde2c1b3b6cd2af6607488a98fb729c709b04c371903cd9c4484a18ff5881b665dfb3494f146910d265a2444b4973b2976f6ac

C:\Users\Admin\AppData\Local\Temp\nsy2242.tmp\install56179.exe

MD5 10bd2af1b07ec6bc9cd17ba512569e59
SHA1 807e17ab1b98177e135d30941b45081960d1e866
SHA256 9c620ef6eac3d0d9d3f6f2622a53d1f543cebd93846636ba397683962c07fc7c
SHA512 deacd041f12b6ec74f9e4488874ce962037990ed0ae424aaeabf2c35876b2ebbb943f92e9a4ffe504718bb00021209b035439ea4d7c64a4031b86ce9104ce3ed

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\7za.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\7za.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\7za.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\7za.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\7za.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\7za.exe"

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\[RANDOM_STRING].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\[RANDOM_STRING].exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\[RANDOM_STRING].exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\7za.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 920 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\7za.exe
PID 920 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\7za.exe
PID 920 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\7za.exe

Processes

C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\912dcb7830f060c55e11b8f3da9aab63_JaffaCakes118.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC bios Get Version /FORMAT:textvaluelist.xsl

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC csproduct Get Name /FORMAT:textvaluelist.xsl

C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\7za.exe

7za.exe e -y -p"c37c80ac0ba8d57e2d5c29cf5479a5ce" [RANDOM_STRING].7z

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\7za.exe

MD5 42badc1d2f03a8b1e4875740d3d49336
SHA1 cee178da1fb05f99af7a3547093122893bd1eb46
SHA256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\[RANDOM_STRING].7z

MD5 5785086412a3047bceb1d765148fec69
SHA1 f2dda8deb03aebb39d1c75cc56d2ac1cb3080748
SHA256 1deaabe60e67bac0dac59330f1737f1fe88244dd2cf92b5f0e2b6022d1f1f3d9
SHA512 f9a579d10ddf89c32a7cca23d3fde2c1b3b6cd2af6607488a98fb729c709b04c371903cd9c4484a18ff5881b665dfb3494f146910d265a2444b4973b2976f6ac

C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\install56179.exe

MD5 10bd2af1b07ec6bc9cd17ba512569e59
SHA1 807e17ab1b98177e135d30941b45081960d1e866
SHA256 9c620ef6eac3d0d9d3f6f2622a53d1f543cebd93846636ba397683962c07fc7c
SHA512 deacd041f12b6ec74f9e4488874ce962037990ed0ae424aaeabf2c35876b2ebbb943f92e9a4ffe504718bb00021209b035439ea4d7c64a4031b86ce9104ce3ed

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win10v2004-20240426-en

Max time kernel

95s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\[RANDOM_STRING].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\[RANDOM_STRING].exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\[RANDOM_STRING].exe"

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win7-20240220-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-03 08:49

Reported

2024-06-03 08:52

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3952 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3952 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 612

Network


Files

N/A