24c71c882f17b7f8564f248187dfa21aba0d216ec8202107bf68ed42b68d3217

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe
Size

774KB
MD5

95166c628b814f45445e7182da56cbf6
SHA1

c64ca4996e746c7a11fec203dee76d64d287e36d
SHA256

24c71c882f17b7f8564f248187dfa21aba0d216ec8202107bf68ed42b68d3217
SHA512

a812bb0f686be66f7bc115ca8e7379c59724b555b7784cf45a08c7a514603fd08b953312527678844567d702af87a2c944b10ee34ecf84326d3a0ce5813834be
SSDEEP

12288:AXb6xPTpJUxVpxYWsqxaPbCJhaWkZWU+9rhNzw8SS4j+g0QtyFWFDfc8vy4h7:Y65pWLsAaPkungNSDy0Fw86+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2528	bedeiabgid.exe

Loads dropped DLL 11 IoCs

pid	Process
1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe
1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe
1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe
1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	2528	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	2732	wmic.exe
Token: SeSecurityPrivilege	2732	wmic.exe
Token: SeTakeOwnershipPrivilege	2732	wmic.exe
Token: SeLoadDriverPrivilege	2732	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2528	1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2528	1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2528	1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2528	1284	95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe	28
PID 2528 wrote to memory of 2728	2528	bedeiabgid.exe	29
PID 2528 wrote to memory of 2728	2528	bedeiabgid.exe	29
PID 2528 wrote to memory of 2728	2528	bedeiabgid.exe	29
PID 2528 wrote to memory of 2728	2528	bedeiabgid.exe	29
PID 2528 wrote to memory of 2452	2528	bedeiabgid.exe	32
PID 2528 wrote to memory of 2452	2528	bedeiabgid.exe	32
PID 2528 wrote to memory of 2452	2528	bedeiabgid.exe	32
PID 2528 wrote to memory of 2452	2528	bedeiabgid.exe	32
PID 2528 wrote to memory of 2732	2528	bedeiabgid.exe	34
PID 2528 wrote to memory of 2732	2528	bedeiabgid.exe	34
PID 2528 wrote to memory of 2732	2528	bedeiabgid.exe	34
PID 2528 wrote to memory of 2732	2528	bedeiabgid.exe	34
PID 2528 wrote to memory of 2476	2528	bedeiabgid.exe	36
PID 2528 wrote to memory of 2476	2528	bedeiabgid.exe	36
PID 2528 wrote to memory of 2476	2528	bedeiabgid.exe	36
PID 2528 wrote to memory of 2476	2528	bedeiabgid.exe	36
PID 2528 wrote to memory of 2860	2528	bedeiabgid.exe	38
PID 2528 wrote to memory of 2860	2528	bedeiabgid.exe	38
PID 2528 wrote to memory of 2860	2528	bedeiabgid.exe	38
PID 2528 wrote to memory of 2860	2528	bedeiabgid.exe	38
PID 2528 wrote to memory of 572	2528	bedeiabgid.exe	40
PID 2528 wrote to memory of 572	2528	bedeiabgid.exe	40
PID 2528 wrote to memory of 572	2528	bedeiabgid.exe	40
PID 2528 wrote to memory of 572	2528	bedeiabgid.exe	40

C:\Users\Admin\AppData\Local\Temp\95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95166c628b814f45445e7182da56cbf6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\bedeiabgid.exe
  C:\Users\Admin\AppData\Local\Temp\bedeiabgid.exe 5*6*5*6*8*8*4*2*9*6*2 KkpEPjUuLzYXKVFQPEtDPDUsHiZIQ09RSkxDQUA7KBotP0NOTkE8OTMrLh4qPUQ+NSgcLUdMTT9PPk5XQUA7KzAvGylOP0pOQVBWT1BHN2NubGg2LSZtcHEoPz9LQylSRkorPEpLKEFGQk0XKUFHQz5FQTw5HiY+LzguKzMqKi02FylCLTcsLi8oHC07LTsoKxspPCw5KygaLT8vOCcpGCtOSUlCUD1PWUhKRVQ4PVc4GipKSkdAUzpOXUBPRzs1GCtOSUlCUD1PWUY5SUM0O2JqXGAfKihOY1heY20fLSopKSouJSsuKV9zXxgnQVY8WVNNRjgaJz1UQ1Y9Sz9GREg9NRwtP0lRT1k9TEdPT0NJNy4bKU9COUZHV0ZPXVBMRzcYJ1JLNCweKj5OKzUYK1BMSFJER0BZTz1IQUZHQ0RHPEE9TU5KNBotRE1aTE1GUEdEPztvbHBfGCdOQ0tPUElDSUFXTU9DSVlCPFNONyoYK0ZAPkNTNywaJ0FPXTtTTDxHRD1XPUpBSVNOTz8/N15ZaHFcGi0/SVJIREc9QlZDTjgyMCgpLC8sKDA1KSs0GidMRUs8Ny8vLS8yKCwxMC8aLT9JUkhERz1CVk5HSD84MCcqLC0pKi8wJCwsMiw0OCsyKEtH
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717509394.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717509394.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717509394.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717509394.txt bios get version
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717509394.txt bios get version
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81717509394.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\bedeiabgid.exe

Filesize
1.2MB

MD5
93e865c7deb4eff8060b58e513dc51b8

SHA1
0ed5e55b2a169501ff8d1198a2fe1de12235bcbe

SHA256
5e0226033adc0a6923783f4361ffea3e549cb7530a61944420a493da3163bd21

SHA512
22f40c311709e91893e8e8a0829f434c0f36a72b362028094cd6573432b4584b70a00351b059addd7be01e05571de5bbc7d0b3c3505d0c236aaada36011b56d3

Download Submit
\Users\Admin\AppData\Local\Temp\nst8660.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nst8660.tmp\pndoaei.dll

Filesize
169KB

MD5
0cfdfa96c59f3b1fd57b330b3fca90f1

SHA1
a611a4e7a61512a3154a3b7e2710261d50c5d59c

SHA256
5a790862db0fd7430c18866ddc6c7e2eb9531579e3bf59d85acde167ed6af95f

SHA512
88de60b5e25fe6403ed39e16df166b15b4058752f5a4cd6fb51cae648f402bbe89367018fd8f96e31f66a54a2abbd27ce5f0700fce33404f4b6b4cc1f9b9db82

Download Submit