Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    13/06/2024, 02:45

General

  • Target

    a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe

  • Size

    344KB

  • MD5

    a3944e4cbbc7a52b8105447e7cb5ce3b

  • SHA1

    4384e16c289f389007a2293b38e1b629532fffae

  • SHA256

    7312a1a3a228cef5f0749c2dfa14f758e88bde7a3943aa6fced63e39c99fd7e7

  • SHA512

    6c77b2da9a01f915661df7a0e5c4319bfbb198661579a4a8f8b053a6c221a00daf4cc7d935ac6ec7a62168c8549c8e585bc7b142d1085a6290b85e5210fc533c

  • SSDEEP

    6144:nFJ0BPYnNpxy+ahR+rrbgqpn+zOYMmNpdKGEg822G1VQG7zYbT1:+gxDvb7B+aYMmNpdvEL22HD1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3944e4cbbc7a52b8105447e7cb5ce3b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe
      C:\Users\Admin\AppData\Local\Temp\beehdhgehc.exe 5|8|4|0|0|0|5|4|7|8|5 KkhFRD0yLi8ZJ05QOkxJRD0rHChGQE9PS1JLST85KhgqP0FPVElEOC4uLyssGCtDSUQ4LBknS01HQFVDVFpFPTUsMTEwIC9TQE5PPU1aTU5MPWhvcGkyKiprbnYuREBPRCVPSkgpQVBQKUVHPkobJz9MSUNGRT01KysuMzYxMDM0KSosNC4zMTYzMC4vAhsqPC09JTQrIS0oPkdBQU5ULT8+JkE/ICwsJTQwGys9KjgoKRwvRDM4KSoYKj8sOS0xICpALjUoLBgrUFJPP1E8TFpLSkVWQUNUORknS01HQFVDVFpBTkQ8OBgrUFJPP1E8TFpJOUlFPSAqQVE9WlBKSD0gL0BUPlc+SDxISU5FOBwoQEpOTFtCUk9STz5KODAYK1RIQUlHUkdQWk1OTD0gKlJGNS0bJ0BTMT0bK0tNSU9BSUVfV0BIPEdIQEFJQUdFUE5FNRsqQU9fUlVJUEJFQDhsbnVlICpOPkxQTUZFTkdfUE8+Slo/OVVTPTIbK0FBP0BQOTEgL0RPWDxUSTlJSUNfQEo8SlRLTEFEPWZcaGxdGyo8S1dOTEo9PVdESzUuMDguLC0pJjQuJi0yMiAqTDpKPEdEQUxfSUlPTTlHRzVwcnVlGytNQUhANS00NDcuNCksMy8YK0RPV0lISDk/WkxFTUU9LC0oKS4qKiwxNSotNikwNSssJkFN
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
        3⤵
          PID:2484
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718246741.txt bios get version
          3⤵
            PID:2572
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 372
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:2580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\81718246741.txt

        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • \Users\Admin\AppData\Local\Temp\beehdhgehc.exe

        Filesize

        563KB

        MD5

        9d01412819ca4fb532c81a5335d76854

        SHA1

        ff840af40527eb8a05927036af54140d07a1ba33

        SHA256

        dc239681ea4e27fbe2a678f0182b8adf47a3d0b2687d1d8b7a9e3416324ca7c1

        SHA512

        d25be4cadcfc67ec5c5454a488ce03e9cce45e5f02238baca129c363d370174818822f78230155949c577ff6d240ed12af32d94700d4fe91dd4b3121664ddaff