Analysis

  • max time kernel
    92s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 18:19

General

  • Target

    a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe

  • Size

    686KB

  • MD5

    a1b4f03ff75c1e5be265328cebea81ea

  • SHA1

    c104b2f8f678c14088890263adf487aafd49271b

  • SHA256

    209530828f3ef71caf7ac88a9167341cd29fc1db97f2c4b360054b2787d4b3a2

  • SHA512

    5ca62ce4ae0165e2e8f31ef4d427d085181ef86606914160d9ed99ae19d0e54c79a81e4cffc07a9332711767a3f4265f1752d23e854cd13dafc95fd4495f8883

  • SSDEEP

    12288:KFRyJLpule5fYz7cyINPLrrET6nSNToaN/WSGl+UjgSyKqZsnWvEmfc8vy4hO:Kid5fAwN42nSNToq/WSwWKKCh86l

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1b4f03ff75c1e5be265328cebea81ea_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe
      C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe 6\5\5\3\1\1\3\5\8\8\5 KUtEQTwwNi4uKxspTlA/T0hBOCgYKkhAT1ROUUhEPDUsHy0rbXFuYXBbbGlbaGA6UWRmaFlfYBoqP0ZSU0Y/NSoyMSwtHS5CRj81KBspS01MQ1RAT1dBPzctMTYzMh0qSz1NUEBNXFRRSThgbG9qNSoscnFzKTw9TkUoT0xPLD5LSCZESEFKHS5CSUQ7Q0Q+OBssQzA6KCkYKj4tOCowHyw/KzUoKxsqQTM8KiwYJz8vOCguHy5NTUc8UD1PWk1RSFM8O1E4GipLT05DUj5MV0BPRzw6Hy5NTUc8UD1PWktATEI4GCdAUkBaUlFLOhsnPVM/Wj5KQ0tGST01GylDSlBTXj9NR09OP004Mh8uUUM5RkZTSlBcVFFJOBgnUUc4LR0uQ1AsNRgqTFBJUUhMQlpPPUc9SkhCSEw+Qj1NTUY4GyxIUlxNTUZPQ0hAOnNxcmAYJ00/T1BPTUhLQldNTj9NWkFAWFA4KhgqQkQ/Qlc8LhsnQU5ZP1RLQExGPlc9ST1NVE1TREE4XllnbWAbLENOVElERzw+WkRNPDI0KSopLCg0MCswHyxLOUo8RkdASV5IS05MOUdGOGFea3JiGydMREdAOC4zMjI0KisyMDEbLENOVElERzw+Wk9GTEQ6MicrKiwrLDIpMC41LCo1LjElPkw=
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4652
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version
        3⤵
          PID:408
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version
          3⤵
            PID:1744
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            wmic /output:C:\Users\Admin\AppData\Local\Temp\81718216379.txt bios get version
            3⤵
              PID:2404
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 852
              3⤵
              • Program crash
              PID:1468
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
          1⤵
            PID:456

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\81718216379.txt

            Filesize

            66B

            MD5

            9025468f85256136f923096b01375964

            SHA1

            7fcd174999661594fa5f88890ffb195e9858cc52

            SHA256

            d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

            SHA512

            92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

          • C:\Users\Admin\AppData\Local\Temp\81718216379.txt

            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          • C:\Users\Admin\AppData\Local\Temp\81718216379.txt

            Filesize

            58B

            MD5

            f8e2f71e123c5a848f2a83d2a7aef11e

            SHA1

            5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

            SHA256

            79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

            SHA512

            8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

          • C:\Users\Admin\AppData\Local\Temp\bedfjbebca.exe

            Filesize

            906KB

            MD5

            df7128f7c2a780edcc541638c8658368

            SHA1

            ba56b4c29fd10c03a6d1beb965c36ee095f4e421

            SHA256

            bf96bd448227958a2af4f56a47e4189c0ea30c604a205f9a32839746b6b0965d

            SHA512

            fb6aeae14c806924fd359ef139c890322d535fba42fddb07581336a4b7fb5a329ddd68304e3eb7a4cc894ced731924ebced10d165d9421eb6902c97159b1f88d

          • C:\Users\Admin\AppData\Local\Temp\nsd5BEC.tmp\ZipDLL.dll

            Filesize

            163KB

            MD5

            2dc35ddcabcb2b24919b9afae4ec3091

            SHA1

            9eeed33c3abc656353a7ebd1c66af38cccadd939

            SHA256

            6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

            SHA512

            0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

          • C:\Users\Admin\AppData\Local\Temp\nsd5BEC.tmp\gjqkpms.dll

            Filesize

            161KB

            MD5

            398b636dcc156b4ceaeb1f961015c125

            SHA1

            fed5906d6b9b76e2f3288ed2312380ac1d5b4ea1

            SHA256

            74ca8ef55b0b1912f3587060ec229814919ea6891b889254ebcc1ed2f1513f1a

            SHA512

            85beb6e71406ea007604bdb47bc402fcddb5dcf4cc439076dac11769b42d248331dad4eac386afd635cd3f5ac9a3aa7fdab0eceb55c68ac5433960b2471bb65b