b1c086728237f60b8fc6b97c8fcace59659aeb1424d8ad71e1bf797555f96828

Analysis

max time kernel
0s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe
Size

582KB
MD5

99a0b14c0a219367262cc6c78e66382b
SHA1

6e78fe1a7a133fb962cbfd3eac17a3fce00b6522
SHA256

b1c086728237f60b8fc6b97c8fcace59659aeb1424d8ad71e1bf797555f96828
SHA512

18786c5ca0721667f7f2522b4fd4f24483ed8fe63ca9790d60b28b878593b9d78bd1794ade039ba729302ec59a2e3b6f389b2f411de2d4bd38f5b3c3cee23d75
SSDEEP

12288:sWPkKiRhWkblntMXhnW8jxrBEdQTBN56rds:sfdhWkbV6BW8RKdQK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	bbhcabfcebdh.exe

Loads dropped DLL 3 IoCs

pid	Process
2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe
2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe
2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	2016	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe
Token: SeSystemProfilePrivilege	1660	wmic.exe
Token: SeSystemtimePrivilege	1660	wmic.exe
Token: SeProfSingleProcessPrivilege	1660	wmic.exe
Token: SeIncBasePriorityPrivilege	1660	wmic.exe
Token: SeCreatePagefilePrivilege	1660	wmic.exe
Token: SeBackupPrivilege	1660	wmic.exe
Token: SeRestorePrivilege	1660	wmic.exe
Token: SeShutdownPrivilege	1660	wmic.exe
Token: SeDebugPrivilege	1660	wmic.exe
Token: SeSystemEnvironmentPrivilege	1660	wmic.exe
Token: SeRemoteShutdownPrivilege	1660	wmic.exe
Token: SeUndockPrivilege	1660	wmic.exe
Token: SeManageVolumePrivilege	1660	wmic.exe
Token: 33	1660	wmic.exe
Token: 34	1660	wmic.exe
Token: 35	1660	wmic.exe
Token: SeIncreaseQuotaPrivilege	1660	wmic.exe
Token: SeSecurityPrivilege	1660	wmic.exe
Token: SeTakeOwnershipPrivilege	1660	wmic.exe
Token: SeLoadDriverPrivilege	1660	wmic.exe
Token: SeSystemProfilePrivilege	1660	wmic.exe
Token: SeSystemtimePrivilege	1660	wmic.exe
Token: SeProfSingleProcessPrivilege	1660	wmic.exe
Token: SeIncBasePriorityPrivilege	1660	wmic.exe
Token: SeCreatePagefilePrivilege	1660	wmic.exe
Token: SeBackupPrivilege	1660	wmic.exe
Token: SeRestorePrivilege	1660	wmic.exe
Token: SeShutdownPrivilege	1660	wmic.exe
Token: SeDebugPrivilege	1660	wmic.exe
Token: SeSystemEnvironmentPrivilege	1660	wmic.exe
Token: SeRemoteShutdownPrivilege	1660	wmic.exe
Token: SeUndockPrivilege	1660	wmic.exe
Token: SeManageVolumePrivilege	1660	wmic.exe
Token: 33	1660	wmic.exe
Token: 34	1660	wmic.exe
Token: 35	1660	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2016	2040	99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe	28
PID 2016 wrote to memory of 1660	2016	bbhcabfcebdh.exe	29
PID 2016 wrote to memory of 1660	2016	bbhcabfcebdh.exe	29
PID 2016 wrote to memory of 1660	2016	bbhcabfcebdh.exe	29
PID 2016 wrote to memory of 1660	2016	bbhcabfcebdh.exe	29
PID 2016 wrote to memory of 2708	2016	bbhcabfcebdh.exe	32
PID 2016 wrote to memory of 2708	2016	bbhcabfcebdh.exe	32
PID 2016 wrote to memory of 2708	2016	bbhcabfcebdh.exe	32
PID 2016 wrote to memory of 2708	2016	bbhcabfcebdh.exe	32
PID 2016 wrote to memory of 2244	2016	bbhcabfcebdh.exe	34
PID 2016 wrote to memory of 2244	2016	bbhcabfcebdh.exe	34
PID 2016 wrote to memory of 2244	2016	bbhcabfcebdh.exe	34
PID 2016 wrote to memory of 2244	2016	bbhcabfcebdh.exe	34

C:\Users\Admin\AppData\Local\Temp\99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99a0b14c0a219367262cc6c78e66382b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\bbhcabfcebdh.exe
  C:\Users\Admin\AppData\Local\Temp\bbhcabfcebdh.exe 9-6-0-9-4-6-7-9-4-8-0 JkpJOzkrMigwKSAmTVU5TEM9NCwYL0U/VE5LTERAQDUwFylEQE9OQjs5KCAmPUk7OSoZJkxKTztPQ0tbQz00LBgvSj9STUFMWExORD1fbnRnNikoamFqdiVuaFwpW2lnKVxha1suYGpgaBcrO0xAPUtAQDcZJkApPSQrICZALDYkLRgvOy09JC0aKDswNS0oGi87MTcmKBwnUElJREw/TlhHTkFWOD1ZNBwpSUlLPFU6Tl88UUY6NBwnUElJREw/TlhFPUVFNBovPFQ/WExORD0XKUVPQVk8REBESUU/PRcrQkhKUFdCSUlXSkFMNiwcJ1Q/O05CVUlOVlFKTDQaL01JNysXKzxTKDcgJk5PR0tFRUVWUUVDP0lGPEVFQT4/VUlINxkmRUtfSU9OS0VHPjRwanVcGi9JQU5OSUpBTj5ZVUpBTFg7PVFTNCwgJkRDPTxUNTEXKUlKWz5SRT1FSTpZRUU/TFJHUD1ENGBhY29fGSZAR1dFRk84QFlCRzkqMC8oMSgsKDIqKikyKRovS0VHPjQtLDIoLzMpLTErFys8T05ITEY9PlhLRUVFNCsvKDMpKyctLSooKjonLjQuKSZITQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717635110.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717635110.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717635110.txt bios get version
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717635110.txt bios get version
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81717635110.txt bios get version
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 368
    3⤵
    - Program crash
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81717635110.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbhcabfcebdh.exe

Filesize
826KB

MD5
018b17038bba575b38af0426d72af061

SHA1
c0c3f343ac17dadb054fa57ed311d4b0be57f353

SHA256
7a7e51f8daa512891f6bc2811d8e5ee07a655acf64cbc1fc9d0b44f8c4784d5e

SHA512
c9527aa47051635431dbae500b431abd3c0968abbff9e422cb09eedff8bc39059f177a5e46f228afbf96da3d242da630a438e7a8f3f33c421ab5a71826924753

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd19D8.tmp\you.dll

Filesize
121KB

MD5
591df37b3c00d9596dd1bc5cc75c9487

SHA1
3f26ba2e9557cacecfa4a40843028de7684bf9f9

SHA256
58bc550789f17246a712a481b3f8b423fad7f56f552f4928cdb18806931d8b1b

SHA512
88e429bde9ce0ef2fdd5a8e9a65ce3a71e1e8e689d5296968398a278d35358075cb727f1f699a24d00cf91f4217f752d422dc90154179650ffa9c52bda98b0f2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd19D8.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit