Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 18:50
Static task
- static1

Behavioral tasks
- behavioral1: sample a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe, resource win7-20231129-en
- behavioral2: sample a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe, resource win10v2004-20240508-en
- behavioral3: sample beeifecjdh.exe, resource win7-20240221-en
- behavioral4: sample beeifecjdh.exe, resource win10v2004-20240508-en
General
- Target: a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe
- Size: 339KB
- MD5: a1d53ded2dd2f7982ee54c0710f1d4ed
- SHA1: 20c690ed4748d95780c8c60c1a09c296bd663a5a
- SHA256: 372e30dd35885550123f9d0e9282151fe547aa61c096ae954429740d70f0002b
- SHA512: 2e32dba84dc831dd549fdc347726768289caa65c8d85641d3042792cce90020decbdb46d45e9924d9bd0cd939e8525586f4025cbb8bdbf4734ba65f40f36c2ed
- SSDEEP: 6144:JuFJ09IPbKItFd8IZzj4QXLT1lrWmOwdP/Wi/PanG7va+:ZIHCvQbDlOw9OyPaoC+
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2188  beeifecjdh.exe

- Loads dropped DLL (5 IoCs)
  pid   Process
  2988  a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe
  2528  WerFault.exe
  2528  WerFault.exe
  2528  WerFault.exe
  2528  WerFault.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2528  2188        WerFault.exe  28

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeIncreaseQuotaPrivilege        2784  wmic.exe
  Token: SeSecurityPrivilege             2784  wmic.exe
  Token: SeTakeOwnershipPrivilege        2784  wmic.exe
  Token: SeLoadDriverPrivilege           2784  wmic.exe
  Token: SeSystemProfilePrivilege        2784  wmic.exe
  Token: SeSystemtimePrivilege           2784  wmic.exe
  Token: SeProfSingleProcessPrivilege    2784  wmic.exe
  Token: SeIncBasePriorityPrivilege      2784  wmic.exe
  Token: SeCreatePagefilePrivilege       2784  wmic.exe
  Token: SeBackupPrivilege               2784  wmic.exe
  Token: SeRestorePrivilege              2784  wmic.exe
  Token: SeShutdownPrivilege             2784  wmic.exe
  Token: SeDebugPrivilege                2784  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2784  wmic.exe
  Token: SeRemoteShutdownPrivilege       2784  wmic.exe
  Token: SeUndockPrivilege               2784  wmic.exe
  Token: SeManageVolumePrivilege         2784  wmic.exe
  Token: 33                              2784  wmic.exe
  Token: 34                              2784  wmic.exe
  Token: 35                              2784  wmic.exe
  Token: SeIncreaseQuotaPrivilege        2784  wmic.exe
  Token: SeSecurityPrivilege             2784  wmic.exe
  Token: SeTakeOwnershipPrivilege        2784  wmic.exe
  Token: SeLoadDriverPrivilege           2784  wmic.exe
  Token: SeSystemProfilePrivilege        2784  wmic.exe
  Token: SeSystemtimePrivilege           2784  wmic.exe
  Token: SeProfSingleProcessPrivilege    2784  wmic.exe
  Token: SeIncBasePriorityPrivilege      2784  wmic.exe
  Token: SeCreatePagefilePrivilege       2784  wmic.exe
  Token: SeBackupPrivilege               2784  wmic.exe
  Token: SeRestorePrivilege              2784  wmic.exe
  Token: SeShutdownPrivilege             2784  wmic.exe
  Token: SeDebugPrivilege                2784  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2784  wmic.exe
  Token: SeRemoteShutdownPrivilege       2784  wmic.exe
  Token: SeUndockPrivilege               2784  wmic.exe
  Token: SeManageVolumePrivilege         2784  wmic.exe
  Token: 33                              2784  wmic.exe
  Token: 34                              2784  wmic.exe
  Token: 35                              2784  wmic.exe
  Token: SeIncreaseQuotaPrivilege        2700  wmic.exe
  Token: SeSecurityPrivilege             2700  wmic.exe
  Token: SeTakeOwnershipPrivilege        2700  wmic.exe
  Token: SeLoadDriverPrivilege           2700  wmic.exe
  Token: SeSystemProfilePrivilege        2700  wmic.exe
  Token: SeSystemtimePrivilege           2700  wmic.exe
  Token: SeProfSingleProcessPrivilege    2700  wmic.exe
  Token: SeIncBasePriorityPrivilege      2700  wmic.exe
  Token: SeCreatePagefilePrivilege       2700  wmic.exe
  Token: SeBackupPrivilege               2700  wmic.exe
  Token: SeRestorePrivilege              2700  wmic.exe
  Token: SeShutdownPrivilege             2700  wmic.exe
  Token: SeDebugPrivilege                2700  wmic.exe
  Token: SeSystemEnvironmentPrivilege    2700  wmic.exe
  Token: SeRemoteShutdownPrivilege       2700  wmic.exe
  Token: SeUndockPrivilege               2700  wmic.exe
  Token: SeManageVolumePrivilege         2700  wmic.exe
  Token: 33                              2700  wmic.exe
  Token: 34                              2700  wmic.exe
  Token: 35                              2700  wmic.exe
  Token: SeIncreaseQuotaPrivilege        2600  wmic.exe
  Token: SeSecurityPrivilege             2600  wmic.exe
  Token: SeTakeOwnershipPrivilege        2600  wmic.exe
  Token: SeLoadDriverPrivilege           2600  wmic.exe

- Suspicious use of WriteProcessMemory (28 IoCs)
  description                          pid   Process                                             procid_target
  PID 2988 wrote to memory of 2188     2988  a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe  28
  PID 2988 wrote to memory of 2188     2988  a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe  28
  PID 2988 wrote to memory of 2188     2988  a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe  28
  PID 2988 wrote to memory of 2188     2988  a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe  28
  PID 2188 wrote to memory of 2784     2188  beeifecjdh.exe                                      29
  PID 2188 wrote to memory of 2784     2188  beeifecjdh.exe                                      29
  PID 2188 wrote to memory of 2784     2188  beeifecjdh.exe                                      29
  PID 2188 wrote to memory of 2784     2188  beeifecjdh.exe                                      29
  PID 2188 wrote to memory of 2700     2188  beeifecjdh.exe                                      32
  PID 2188 wrote to memory of 2700     2188  beeifecjdh.exe                                      32
  PID 2188 wrote to memory of 2700     2188  beeifecjdh.exe                                      32
  PID 2188 wrote to memory of 2700     2188  beeifecjdh.exe                                      32
  PID 2188 wrote to memory of 2600     2188  beeifecjdh.exe                                      34
  PID 2188 wrote to memory of 2600     2188  beeifecjdh.exe                                      34
  PID 2188 wrote to memory of 2600     2188  beeifecjdh.exe                                      34
  PID 2188 wrote to memory of 2600     2188  beeifecjdh.exe                                      34
  PID 2188 wrote to memory of 2760     2188  beeifecjdh.exe                                      36
  PID 2188 wrote to memory of 2760     2188  beeifecjdh.exe                                      36
  PID 2188 wrote to memory of 2760     2188  beeifecjdh.exe                                      36
  PID 2188 wrote to memory of 2760     2188  beeifecjdh.exe                                      36
  PID 2188 wrote to memory of 2756     2188  beeifecjdh.exe                                      38
  PID 2188 wrote to memory of 2756     2188  beeifecjdh.exe                                      38
  PID 2188 wrote to memory of 2756     2188  beeifecjdh.exe                                      38
  PID 2188 wrote to memory of 2756     2188  beeifecjdh.exe                                      38
  PID 2188 wrote to memory of 2528     2188  beeifecjdh.exe                                      40
  PID 2188 wrote to memory of 2528     2188  beeifecjdh.exe                                      40
  PID 2188 wrote to memory of 2528     2188  beeifecjdh.exe                                      40
  PID 2188 wrote to memory of 2528     2188  beeifecjdh.exe                                      40
Processes (process tree; number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe"
   PID: 2988
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe 2#2#8#1#0#4#1#7#9#5#6 …
      PID: 2188
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get serialnumber
         PID: 2784
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
         PID: 2700
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
         PID: 2600
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
         PID: 2760

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
         PID: 2756

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 368
         PID: 2528
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- Filesize: 538KB
  MD5: 414ca68096786397f155d633555090ff
  SHA1: a606ee5818f05a0aafa29dba839ce33184d381fc
  SHA256: ecca7e207947afd7cd3e30b130707047576bbd0980cfe4be58d9e7c91a661297
  SHA512: 7b499850d173bf740a9fc9f69c87139ec24c7cdded79bbe2fbc6bff44005e5f26cfccb6db436929cbaa396676b040f8d31fde4ae662dc00a3f20455f5d3ac898