Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 18:19
Tasks
- Static task static1
- Behavioral task behavioral1: sample a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe, resource win7-20240419-en
- Behavioral task behavioral2: sample a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe, resource win10v2004-20240611-en
- Behavioral task behavioral3: sample $PLUGINSDIR/ZipDLL.dll, resource win7-20240611-en
- Behavioral task behavioral4: sample $PLUGINSDIR/ZipDLL.dll, resource win10v2004-20240508-en
- Behavioral task behavioral5: sample $PLUGINSDIR/gjqkpms.dll, resource win7-20240508-en
- Behavioral task behavioral6: sample $PLUGINSDIR/gjqkpms.dll, resource win10v2004-20240508-en
General
- Target: a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe
- Size: 686KB
- MD5: a1b4f03ff75c1e5be265328cebea81ea
- SHA1: c104b2f8f678c14088890263adf487aafd49271b
- SHA256: 209530828f3ef71caf7ac88a9167341cd29fc1db97f2c4b360054b2787d4b3a2
- SHA512: 5ca62ce4ae0165e2e8f31ef4d427d085181ef86606914160d9ed99ae19d0e54c79a81e4cffc07a9332711767a3f4265f1752d23e854cd13dafc95fd4495f8883
- SSDEEP: 12288:KFRyJLpule5fYz7cyINPLrrET6nSNToaN/WSGl+UjgSyKqZsnWvEmfc8vy4hO:Kid5fAwN42nSNToq/WSwWKKCh86l
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 2596, process bedfjbebca.exe

Loads dropped DLL (11 IoCs)
- pid 2944, process a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe (4 entries)
- pid 2872, process WerFault.exe (7 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- pid 2872, process WerFault.exe, pid_target 2596, procid_target 28

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 2688, process wmic.exe, first run of tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid 2688, process wmic.exe, second run of tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid 2308, process wmic.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- pid 2716, process wmic.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege

Suspicious use of WriteProcessMemory (28 IoCs)
- PID 2944 (a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe) wrote to memory of 2596, procid_target 28 (4 entries)
- PID 2596 (bedfjbebca.exe) wrote to memory of 2688, procid_target 29 (4 entries)
- PID 2596 (bedfjbebca.exe) wrote to memory of 2308, procid_target 32 (4 entries)
- PID 2596 (bedfjbebca.exe) wrote to memory of 2716, procid_target 34 (4 entries)
- PID 2596 (bedfjbebca.exe) wrote to memory of 2616, procid_target 36 (4 entries)
- PID 2596 (bedfjbebca.exe) wrote to memory of 2568, procid_target 38 (4 entries)
- PID 2596 (bedfjbebca.exe) wrote to memory of 2872, procid_target 40 (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2944

  Depth 2: C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe 6\5\5\3\1\1\3\5\8\8\5 …
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2596

    Depth 3: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get serialnumber
      - Suspicious use of AdjustPrivilegeToken
      PID: 2688

    Depth 3: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
      - Suspicious use of AdjustPrivilegeToken
      PID: 2308

    Depth 3: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
      - Suspicious use of AdjustPrivilegeToken
      PID: 2716

    Depth 3: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
      PID: 2616

    Depth 3: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
      PID: 2568

    Depth 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 368
      - Loads dropped DLL
      - Program crash
      PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads