Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 22:06
Static task: static1

Behavioral task: behavioral1
  Sample: a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/ZipDLL.dll
  Resource: win7-20240611-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/ZipDLL.dll
  Resource: win10v2004-20240508-en

Behavioral task: behavioral5
  Sample: $PLUGINSDIR/jlgnicp.dll
  Resource: win7-20240221-en

Behavioral task: behavioral6
  Sample: $PLUGINSDIR/jlgnicp.dll
  Resource: win10v2004-20240508-en
General
Target: a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe
Size: 799KB
MD5: a29db000d369dbeb5aa2e143882993ce
SHA1: eb4cafafabb2af6fecec85a9f05f0ae98b039fa9
SHA256: 22dd11051717368d251aded04484555984ae15f55f4517235853863893724fea
SHA512: 07c61b9901d1e9e9e7f465b8e7e0dc5e434561317ef985effb2e924d8c03974139720cfb5fc0b5bcc242874df1d35efd6b24049a05ed39cfe783fa40a0d4cbdf
SSDEEP: 24576:mRXiv3lgldD17SxlI4RBIkvYELI5jh+86/:KXiv36ldDVSxBRSkvLIFB
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2668  beddihciif.exe

Loads dropped DLL (11 IoCs)
  pid   Process                                               entries
  1760  a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe    4
  1872  WerFault.exe                                          7

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1872  2668        WerFault.exe  28

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description: Token: <privilege>, pid, Process
  pid 2628 (wmic.exe), the following 20 tokens, logged twice in sequence (40 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2516 (wmic.exe), 20 entries:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2484 (wmic.exe), 4 entries:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege

Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process                                               procid_target  entries
  PID 1760 wrote to memory of 2668   1760  a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe    28             4
  PID 2668 wrote to memory of 2628   2668  beddihciif.exe                                        29             4
  PID 2668 wrote to memory of 2516   2668  beddihciif.exe                                        32             4
  PID 2668 wrote to memory of 2484   2668  beddihciif.exe                                        34             4
  PID 2668 wrote to memory of 2908   2668  beddihciif.exe                                        36             4
  PID 2668 wrote to memory of 2192   2668  beddihciif.exe                                        38             4
  PID 2668 wrote to memory of 1872   2668  beddihciif.exe                                        40             4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a29db000d369dbeb5aa2e143882993ce_JaffaCakes118.exe"
    PID: 1760
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\beddihciif.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\beddihciif.exe 4|8|9|0|4|4|2|8|4|9|9 K0hARDkuNi0cJkpROkdJQDkuGCtFPFBPRlJHRUI1LRcmQEFKVEVAOyoxKS4uGCZDRUA7KBwmR05HO1U/UF1BQDQpMCwqMxwrUT1OTTxOV0xSSDlmbHBnMSsnanJyKkI9T0IkUEdHLT1MTiZFRT1LGCZDSEVBQ0U7NDIqJzcxNGQsMTBbMSxaYzNdZDBfKyg0WS8xYjA1XS9aFys8KD0pLR4nQCk0KSkXL0AvOyUtFyZALDQtLRwtPDE0JC0YJlBOS0JNP0tWTEpAVj0/VzUcJkdORztVP1BdPVFDODkYJlBOS0JNP0tWSjlERTlGX25dFyZBUDxfUU5KNWRra2wyJi9pbGFcaiklX2dkL2ZuYyU0bCkxJW5pamBtb28kYDEwLS5hdGMYKzxPQVc6TUBIR0ZBNBcrQEZTUFtASktOSkFKNDIcK1JAPUVCVUdMX1FOSjUcJk1JNSkgK0BRKTkuJ11ZWmIxLy4qNTArLCoqOCwyNykyW1wxXC8wMCw2LRwmSVFGS0lJQV1PQUM6S0U8SUk9RT1RSUM5GCZJT1tQTUpLQEk9NHRucWMYK0k8UE1JTkVKRVdRSjxOVztBVU87KhwmP0U8PFg5LR4nRUpWQFFFQUlFQVdBRTpOUUdUQUA7Xl1jamEYJkRLU0xESzg7W0FHPTMtLDExJSgsKyU1LxwtTEVEPDkpKzMvNDUxNC4tHCc7T1NKSkc9O1ZQQURFOTItMSspJy0tITc2MTUyMS0hTEU=
      PID: 2668
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get serialnumber
        PID: 2628
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        PID: 2516
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        PID: 2484
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        PID: 2908

    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718229985.txt bios get version
        PID: 2192

    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 368
        PID: 1872
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads