Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 18:50
Static task: static1
Behavioral task: behavioral1
- Sample: a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: a1d53ded2dd2f7982ee54c0710f1d4ed_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
Behavioral task: behavioral3
- Sample: beeifecjdh.exe
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: beeifecjdh.exe
- Resource: win10v2004-20240508-en
General
- Target: beeifecjdh.exe
- Size: 538KB
- MD5: 414ca68096786397f155d633555090ff
- SHA1: a606ee5818f05a0aafa29dba839ce33184d381fc
- SHA256: ecca7e207947afd7cd3e30b130707047576bbd0980cfe4be58d9e7c91a661297
- SHA512: 7b499850d173bf740a9fc9f69c87139ec24c7cdded79bbe2fbc6bff44005e5f26cfccb6db436929cbaa396676b040f8d31fde4ae662dc00a3f20455f5d3ac898
- SSDEEP: 12288:i8KFgRZGE6jN0rlIAFczYzV5GHCQIjptYKTYIPK6yVF/:ifFgRZGEI+czYzVKgDYuvPZ2V
Malware Config
Signatures
-
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2404 | 2156 | WerFault.exe | 27
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  pid 2188, wmic.exe (40 IoCs; the following 20 tokens are recorded twice, in the same order):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2716, wmic.exe (20 IoCs): the same 20 tokens as above, in the same order, recorded once
  pid 2640, wmic.exe (4 IoCs):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 2188 | 2156 | beeifecjdh.exe | 28 (recorded 4 times)
  PID 2156 wrote to memory of 2716 | 2156 | beeifecjdh.exe | 31 (recorded 4 times)
  PID 2156 wrote to memory of 2640 | 2156 | beeifecjdh.exe | 33 (recorded 4 times)
  PID 2156 wrote to memory of 2420 | 2156 | beeifecjdh.exe | 35 (recorded 4 times)
  PID 2156 wrote to memory of 2560 | 2156 | beeifecjdh.exe | 37 (recorded 4 times)
  PID 2156 wrote to memory of 2404 | 2156 | beeifecjdh.exe | 39 (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2156
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get serialnumber
    - Suspicious use of AdjustPrivilegeToken
    PID: 2188
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
    - Suspicious use of AdjustPrivilegeToken
    PID: 2716
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
    - Suspicious use of AdjustPrivilegeToken
    PID: 2640
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
    PID: 2420
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get version
    PID: 2560
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 372
    - Program crash
    PID: 2404
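The five wmic.exe children spawned by the sample all run `bios get serialnumber` or `bios get version` with `/output:` pointed at the same file in %TEMP%, which is a common way to fingerprint a virtualised or sandboxed host before doing anything else; the parent then dies under WerFault.exe (`-p 2156` names the faulting process). The AdjustPrivilegeToken hits on their own are low value: wmic.exe enables every privilege present in its token at start-up (its /privileges switch defaults to enable), so the lineage, not the token activity, is the signal. The script below is an added example, not part of this report or of the sandbox's own tooling. It scores constructed Sysmon Event ID 1-style process-creation records built from the PIDs, image paths and command lines in the tree above (the sample's own parent process and the benign control record are assumptions, as are the field names, weights and threshold), flags the BIOS-query children, aggregates them per parent, and ties the WerFault crash back to a flagged parent.

```python
"""Score process-creation records for the wmic BIOS-fingerprinting pattern.

Added example: the record format (JSON lines with Sysmon Event ID 1 field
names), the weights and the threshold are assumptions of this example, not
the sandbox's schema.
"""
import json
import re
from collections import Counter

# Constructed sample records (not real telemetry). PIDs, images and command
# lines mirror the process tree in the report; the sample's parent
# (explorer.exe, PID 1000) and the final benign control record are invented.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 2156, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe"'},
] + [
    {"ProcessId": pid, "ParentProcessId": 2156,
     "Image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe",
     "CommandLine": r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81718218224.txt bios get " + prop}
    for pid, prop in [(2188, "serialnumber"), (2716, "version"), (2640, "version"),
                      (2420, "version"), (2560, "version")]
] + [
    {"ProcessId": 2404, "ParentProcessId": 2156,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\beeifecjdh.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 372"},
    # Control: an administrator reading the serial from a console. Must not fire.
    {"ProcessId": 3000, "ParentProcessId": 2900,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic bios get serialnumber"},
])

BIOS_QUERY = re.compile(r"\bbios\s+get\s+(serialnumber|version)\b", re.I)
OUTPUT_TO_TEMP = re.compile(r"/output:\S*\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# WerFault.exe's -p argument is the PID of the process that faulted.
WERFAULT_PID = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.I)


def parse_events(jsonl_text):
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def score_event(ev):
    """Return (score, reasons) for a single process-creation record."""
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "")
    score, reasons = 0, []
    if image == "wmic.exe" and BIOS_QUERY.search(cmd):
        score += 1
        reasons.append("wmic BIOS serial/version query")
        if OUTPUT_TO_TEMP.search(cmd):
            score += 1
            reasons.append("/output: redirected into %TEMP%")
        if USER_WRITABLE.search(parent):
            score += 2
            reasons.append("parent image runs from a user-writable directory")
    return score, reasons


def analyze(jsonl_text, threshold=3, repeat_min=3):
    """Flag BIOS-query children, count them per parent, link WerFault crashes."""
    events = parse_events(jsonl_text)
    flagged, per_parent = [], Counter()
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"pid": ev["ProcessId"], "parent": ev["ParentProcessId"],
                            "score": score, "reasons": reasons})
            per_parent[ev["ParentProcessId"]] += 1
    # A parent that launches several BIOS queries in a row is fingerprinting, not administering.
    repeat = sorted(p for p, n in per_parent.items() if n >= repeat_min)
    crashed = set()
    for ev in events:
        m = WERFAULT_PID.search(ev.get("CommandLine", ""))
        if m and int(m.group(1)) in per_parent:
            crashed.add(int(m.group(1)))
    return {"flagged": flagged, "per_parent": dict(per_parent),
            "repeat_fingerprinters": repeat,
            "crashed_suspicious_parents": sorted(crashed)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["flagged"]:
        print(f"pid {f['pid']} (parent {f['parent']}) score {f['score']}: {', '.join(f['reasons'])}")
    print("repeat fingerprinters:", result["repeat_fingerprinters"])
    print("flagged parents that crashed:", result["crashed_suspicious_parents"])
```

The control record scores 1 and is dropped by the threshold; each of the sample's children scores 4, and the per-parent count of 5 for PID 2156 is what distinguishes a fingerprinting loop from a one-off query. In production the same logic would run over real Sysmon or EDR process events, and the WerFault correlation is worth keeping because a sample that crashes right after its environment checks is a hint that the check found something it did not like.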
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51