Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13/06/2024, 02:45
Static task: static1
Behavioral task behavioral1: sample a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe, resource win7-20240611-en
Behavioral task behavioral2: sample a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe, resource win10v2004-20240611-en
Behavioral task behavioral3: sample beehdhgehc.exe, resource win7-20240611-en
Behavioral task behavioral4: sample beehdhgehc.exe, resource win10v2004-20240508-en
General
Target: a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe
Size: 344KB
MD5: a3944e4cbbc7a52b8105447e7cb5ce3b
SHA1: 4384e16c289f389007a2293b38e1b629532fffae
SHA256: 7312a1a3a228cef5f0749c2dfa14f758e88bde7a3943aa6fced63e39c99fd7e7
SHA512: 6c77b2da9a01f915661df7a0e5c4319bfbb198661579a4a8f8b053a6c221a00daf4cc7d935ac6ec7a62168c8549c8e585bc7b142d1085a6290b85e5210fc533c
SSDEEP: 6144:nFJ0BPYnNpxy+ahR+rrbgqpn+zOYMmNpdKGEg822G1VQG7zYbT1:+gxDvb7B+aYMmNpdvEL22HD1
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  pid   Process
  2376  beehdhgehc.exe
- Loads dropped DLL 5 IoCs
  pid   Process
  1732  a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe
  2580  WerFault.exe (recorded 4 times)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  2580  2376        WerFault.exe  28
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  description (Token)  pid  Process
  wmic.exe, pid 2064 (40 entries; the following sequence of 20 tokens is recorded twice):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe, pid 2280 (20 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe, pid 2576 (4 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
- Suspicious use of WriteProcessMemory 28 IoCs
  description                       pid   Process                                              procid_target  (each event recorded 4 times)
  PID 1732 wrote to memory of 2376  1732  a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe  28
  PID 2376 wrote to memory of 2064  2376  beehdhgehc.exe                                       29
  PID 2376 wrote to memory of 2280  2376  beehdhgehc.exe                                       32
  PID 2376 wrote to memory of 2576  2376  beehdhgehc.exe                                       34
  PID 2376 wrote to memory of 2484  2376  beehdhgehc.exe                                       36
  PID 2376 wrote to memory of 2572  2376  beehdhgehc.exe                                       38
  PID 2376 wrote to memory of 2580  2376  beehdhgehc.exe                                       40
Processes
- a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe (PID 1732)
  Path: C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - beehdhgehc.exe (PID 2376)
    Path: C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe 5|8|4|0|0|0|5|4|7|8|5 [remainder of argument list not present on the page]
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - wmic.exe (PID 2064)
      Path: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get serialnumber
      Signatures: Suspicious use of AdjustPrivilegeToken
    - wmic.exe (PID 2280)
      Path: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
      Signatures: Suspicious use of AdjustPrivilegeToken
    - wmic.exe (PID 2576)
      Path: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
      Signatures: Suspicious use of AdjustPrivilegeToken
    - wmic.exe (PID 2484)
      Path: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
    - wmic.exe (PID 2572)
      Path: C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
    - WerFault.exe (PID 2580)
      Path: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 372
      Signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- Filesize: 563KB
  MD5: 9d01412819ca4fb532c81a5335d76854
  SHA1: ff840af40527eb8a05927036af54140d07a1ba33
  SHA256: dc239681ea4e27fbe2a678f0182b8adf47a3d0b2687d1d8b7a9e3416324ca7c1
  SHA512: d25be4cadcfc67ec5c5454a488ce03e9cce45e5f02238baca129c363d370174818822f78230155949c577ff6d240ed12af32d94700d4fe91dd4b3121664ddaff