Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    12/06/2024, 18:19

General

  • Target

    a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe

  • Size

    686KB

  • MD5

    a1b4f03ff75c1e5be265328cebea81ea

  • SHA1

    c104b2f8f678c14088890263adf487aafd49271b

  • SHA256

    209530828f3ef71caf7ac88a9167341cd29fc1db97f2c4b360054b2787d4b3a2

  • SHA512

    5ca62ce4ae0165e2e8f31ef4d427d085181ef86606914160d9ed99ae19d0e54c79a81e4cffc07a9332711767a3f4265f1752d23e854cd13dafc95fd4495f8883

  • SSDEEP

    12288:KFRyJLpule5fYz7cyINPLrrET6nSNToaN/WSGl+UjgSyKqZsnWvEmfc8vy4hO:Kid5fAwN42nSNToq/WSwWKKCh86l

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe
      C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe 6\5\5\3\1\1\3\5\8\8\5 KUtEQTwwNi4uKxspTlA/T0hBOCgYKkhAT1ROUUhEPDUsHy0rbXFuYXBbbGlbaGA6UWRmaFlfYBoqP0ZSU0Y/NSoyMSwtHS5CRj81KBspS01MQ1RAT1dBPzctMTYzMh0qSz1NUEBNXFRRSThgbG9qNSoscnFzKTw9TkUoT0xPLD5LSCZESEFKHS5CSUQ7Q0Q+OBssQzA6KCkYKj4tOCowHyw/KzUoKxsqQTM8KiwYJz8vOCguHy5NTUc8UD1PWk1RSFM8O1E4GipLT05DUj5MV0BPRzw6Hy5NTUc8UD1PWktATEI4GCdAUkBaUlFLOhsnPVM/Wj5KQ0tGST01GylDSlBTXj9NR09OP004Mh8uUUM5RkZTSlBcVFFJOBgnUUc4LR0uQ1AsNRgqTFBJUUhMQlpPPUc9SkhCSEw+Qj1NTUY4GyxIUlxNTUZPQ0hAOnNxcmAYJ00/T1BPTUhLQldNTj9NWkFAWFA4KhgqQkQ/Qlc8LhsnQU5ZP1RLQExGPlc9ST1NVE1TREE4XllnbWAbLENOVElERzw+WkRNPDI0KSopLCg0MCswHyxLOUo8RkdASV5IS05MOUdGOGFea3JiGydMREdAOC4zMjI0KisyMDEbLENOVElERzw+Wk9GTEQ6MicrKiwrLDIpMC41LCo1LjElPkw=
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
        3⤵
          PID:2616
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216378.txt bios get version
          3⤵
            PID:2568
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 368
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:2872

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\81718216378.txt

        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • \Users\Admin\AppData\Local\Temp\bedfjbebca.exe

        Filesize

        906KB

        MD5

        df7128f7c2a780edcc541638c8658368

        SHA1

        ba56b4c29fd10c03a6d1beb965c36ee095f4e421

        SHA256

        bf96bd448227958a2af4f56a47e4189c0ea30c604a205f9a32839746b6b0965d

        SHA512

        fb6aeae14c806924fd359ef139c890322d535fba42fddb07581336a4b7fb5a329ddd68304e3eb7a4cc894ced731924ebced10d165d9421eb6902c97159b1f88d

      • \Users\Admin\AppData\Local\Temp\nsd1C48.tmp\ZipDLL.dll

        Filesize

        163KB

        MD5

        2dc35ddcabcb2b24919b9afae4ec3091

        SHA1

        9eeed33c3abc656353a7ebd1c66af38cccadd939

        SHA256

        6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

        SHA512

        0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

      • \Users\Admin\AppData\Local\Temp\nsd1C48.tmp\gjqkpms.dll

        Filesize

        161KB

        MD5

        398b636dcc156b4ceaeb1f961015c125

        SHA1

        fed5906d6b9b76e2f3288ed2312380ac1d5b4ea1

        SHA256

        74ca8ef55b0b1912f3587060ec229814919ea6891b889254ebcc1ed2f1513f1a

        SHA512

        85beb6e71406ea007604bdb47bc402fcddb5dcf4cc439076dac11769b42d248331dad4eac386afd635cd3f5ac9a3aa7fdab0eceb55c68ac5433960b2471bb65b