Analysis
max time kernel: 92s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 18:19

Static task static1
Behavioral task behavioral1: sample a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe, resource win7-20240419-en
Behavioral task behavioral2: sample a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe, resource win10v2004-20240611-en
Behavioral task behavioral3: sample $PLUGINSDIR/ZipDLL.dll, resource win7-20240611-en
Behavioral task behavioral4: sample $PLUGINSDIR/ZipDLL.dll, resource win10v2004-20240508-en
Behavioral task behavioral5: sample $PLUGINSDIR/gjqkpms.dll, resource win7-20240508-en
Behavioral task behavioral6: sample $PLUGINSDIR/gjqkpms.dll, resource win10v2004-20240508-en
General
Target: a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe
Size: 686KB
MD5: a1b4f03ff75c1e5be265328cebea81ea
SHA1: c104b2f8f678c14088890263adf487aafd49271b
SHA256: 209530828f3ef71caf7ac88a9167341cd29fc1db97f2c4b360054b2787d4b3a2
SHA512: 5ca62ce4ae0165e2e8f31ef4d427d085181ef86606914160d9ed99ae19d0e54c79a81e4cffc07a9332711767a3f4265f1752d23e854cd13dafc95fd4495f8883
SSDEEP: 12288:KFRyJLpule5fYz7cyINPLrrET6nSNToaN/WSGl+UjgSyKqZsnWvEmfc8vy4hO:Kid5fAwN42nSNToq/WSwWKKCh86l
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 400  bedfjbebca.exe

Loads dropped DLL (2 IoCs)
  pid 1560  a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe (recorded twice)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid 1468  WerFault.exe, pid_target 400, procid_target 82

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 1764  wmic.exe: the following sequence of 21 token adjustments, recorded twice (42 entries):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4652  wmic.exe: the same 21-token sequence recorded once, followed by one further Token: SeIncreaseQuotaPrivilege (22 entries):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege

Suspicious use of WriteProcessMemory (18 IoCs; each of the six entries below was recorded three times)
  PID 1560  a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe wrote to memory of 400, procid_target 82
  PID 400   bedfjbebca.exe wrote to memory of 1764, procid_target 83
  PID 400   bedfjbebca.exe wrote to memory of 4652, procid_target 87
  PID 400   bedfjbebca.exe wrote to memory of 408, procid_target 89
  PID 400   bedfjbebca.exe wrote to memory of 1744, procid_target 92
  PID 400   bedfjbebca.exe wrote to memory of 2404, procid_target 94
Processes

C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe (PID 1560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe (PID 400)
    Command line: C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe 6\5\5\3\1\1\3\5\8\8\5 KUtEQTwwNi4uKxspTlA/T0hBOCgYKkhAT1ROUUhEPDUsHy0rbXFuYXBbbGlbaGA6UWRmaFlfYBoqP0ZSU0Y/NSoyMSwtHS5CRj81KBspS01MQ1RAT1dBPzctMTYzMh0qSz1NUEBNXFRRSThgbG9qNSoscnFzKTw9TkUoT0xPLD5LSCZESEFKHS5CSUQ7Q0Q+OBssQzA6KCkYKj4tOCowHyw/KzUoKxsqQTM8KiwYJz8vOCguHy5NTUc8UD1PWk1RSFM8O1E4GipLT05DUj5MV0BPRzw6Hy5NTUc8UD1PWktATEI4GCdAUkBaUlFLOhsnPVM/Wj5KQ0tGST01GylDSlBTXj9NR09OP004Mh8uUUM5RkZTSlBcVFFJOBgnUUc4LR0uQ1AsNRgqTFBJUUhMQlpPPUc9SkhCSEw+Qj1NTUY4GyxIUlxNTUZPQ0hAOnNxcmAYJ00/T1BPTUhLQldNTj9NWkFAWFA4KhgqQkQ/Qlc8LhsnQU5ZP1RLQExGPlc9ST1NVE1TREE4XllnbWAbLENOVElERzw+WkRNPDI0KSopLCg0MCswHyxLOUo8RkdASV5IS05MOUdGOGFea3JiGydMREdAOC4zMjI0KisyMDEbLENOVElERzw+Wk9GTEQ6MicrKiwrLDIpMC41LCo1LjElPkw=
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1764)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get serialnumber
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4652)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 408)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1744)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version

    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2404)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version

    C:\Windows\SysWOW64\WerFault.exe (PID 1468)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 852
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 456)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
Network
Downloads