Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    12/06/2024, 22:06

General

  • Target

    a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe

  • Size

    799KB

  • MD5

    a29db000d369dbeb5aa2e143882993ce

  • SHA1

    eb4cafafabb2af6fecec85a9f05f0ae98b039fa9

  • SHA256

    22dd11051717368d251aded04484555984ae15f55f4517235853863893724fea

  • SHA512

    07c61b9901d1e9e9e7f465b8e7e0dc5e434561317ef985effb2e924d8c03974139720cfb5fc0b5bcc242874df1d35efd6b24049a05ed39cfe783fa40a0d4cbdf

  • SSDEEP

    24576:mRXiv3lgldD17SxlI4RBIkvYELI5jh+86/:KXiv36ldDVSxBRSkvLIFB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\beddihciif.exe
      C:\Users\Admin\AppData\Local\Temp\beddihciif.exe 4|8|9|0|4|4|2|8|4|9|9 K0hARDkuNi0cJkpROkdJQDkuGCtFPFBPRlJHRUI1LRcmQEFKVEVAOyoxKS4uGCZDRUA7KBwmR05HO1U/UF1BQDQpMCwqMxwrUT1OTTxOV0xSSDlmbHBnMSsnanJyKkI9T0IkUEdHLT1MTiZFRT1LGCZDSEVBQ0U7NDIqJzcxNGQsMTBbMSxaYzNdZDBfKyg0WS8xYjA1XS9aFys8KD0pLR4nQCk0KSkXL0AvOyUtFyZALDQtLRwtPDE0JC0YJlBOS0JNP0tWTEpAVj0/VzUcJkdORztVP1BdPVFDODkYJlBOS0JNP0tWSjlERTlGX25dFyZBUDxfUU5KNWRra2wyJi9pbGFcaiklX2dkL2ZuYyU0bCkxJW5pamBtb28kYDEwLS5hdGMYKzxPQVc6TUBIR0ZBNBcrQEZTUFtASktOSkFKNDIcK1JAPUVCVUdMX1FOSjUcJk1JNSkgK0BRKTkuJ11ZWmIxLy4qNTArLCoqOCwyNykyW1wxXC8wMCw2LRwmSVFGS0lJQV1PQUM6S0U8SUk9RT1RSUM5GCZJT1tQTUpLQEk9NHRucWMYK0k8UE1JTkVKRVdRSjxOVztBVU87KhwmP0U8PFg5LR4nRUpWQFFFQUlFQVdBRTpOUUdUQUA7Xl1jamEYJkRLU0xESzg7W0FHPTMtLDExJSgsKyU1LxwtTEVEPDkpKzMvNDUxNC4tHCc7T1NKSkc9O1ZQQURFOTItMSspJy0tITc2MTUyMS0hTEU=
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        3⤵
          PID:2908
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
          3⤵
            PID:2192
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 368
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:1872

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\81718229985.txt

        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • \Users\Admin\AppData\Local\Temp\beddihciif.exe

        Filesize

        1.2MB

        MD5

        10c09604075a45b7aacc215a0d0ab233

        SHA1

        65157cc533a028ccb8f1cf7347be87f0c3ea390e

        SHA256

        c8b38600b75c0114cbfef0703defbad05098478a4f6516b2df2e192325b5159f

        SHA512

        74d1433ea57374991e773b0af28c4cefab4bd2779a1795ddab82d739c7735e6b502f007217c01e45398941fb5d682570d898f83645d8fc1e1f3fc1ad51f84d5f

      • \Users\Admin\AppData\Local\Temp\nsi1BCB.tmp\ZipDLL.dll

        Filesize

        163KB

        MD5

        2dc35ddcabcb2b24919b9afae4ec3091

        SHA1

        9eeed33c3abc656353a7ebd1c66af38cccadd939

        SHA256

        6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

        SHA512

        0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

      • \Users\Admin\AppData\Local\Temp\nsi1BCB.tmp\jlgnicp.dll

        Filesize

        158KB

        MD5

        e53b14dc2e26f3b7d9ec2de0d7126ee1

        SHA1

        1ff5155d80766e347b37665c91de23eabdc19f84

        SHA256

        2f68a93e8dfc8ef12a7aee5307fb33c37e2409b01ee47a011ec9687900d6db80

        SHA512

        ccd4ce1decb86fc7789a6f61ae9a17439645912c3fa996c924668c464348a6d30bf5c33005ca176700f43b025691e4a0957d0edbcb66622fd304a37bc10bdc47