Analysis

  • max time kernel
    133s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    13-06-2024 06:27

General

  • Target

    a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    a4325cffe3af673ef38fcdccbc3906e7

  • SHA1

    e1c34b8f001e317f88649a642425e6548c53e026

  • SHA256

    24af90a82bce57acc5521e068ddfc0f94e35d89830687bae2f97878b9a3deafb

  • SHA512

    5c911ca5efc2802eb902cc85bb5de0353334e699edbbb53d3791d8aa2fddfe365155f9dd5b6764956a9e222245a04c29f469f37343afa037cd7a4248eed15769

  • SSDEEP

    24576:5bSaE4mvt/NCSAkPtMjrnVJFOQ17YiFPZI1t:5bSv4mvLCK4rnVJFOALJst

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe
        C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe 7-1-2-5-2-4-8-3-5-3-2 KE9HPzszKy0tHS1MVEBLR0A1LRssTD5TVUpQR0FBOC4eKENHTlJFPDotMTMtMh4qQUU8OisdLUlRTT9TP0xcREE7KjU3Lx4rS0JNU0NLXlNNSjlgcW9tOCgucWBwciZxY2IrWm9uKGJdbF4pZmxfbh4qQUhBQEZGQjYxMi81LSo0Li8zGS5CLDstMC0xMh4oQzA4Ky0YLD8wOyYwHipCMDUqLB0tPTQ7KC8cJ01NTEJOQlJaTk5BUzxAVzYfLUtQSzxSPlFdPlRKPDscJ01NTEJOQlJaTD1FQjgdLT5XQ1pTTkQ6GyxDUURdPktAREZJQjsZLkZKUVBXP01MVUxEUDgwHCdRQz5MRFhNUF1RSkk4HS1PTDstHis8UCw6HihRU0lSRUVCWlRDRUJNSENFRT5CQlNLSzsbLUVLXE1STE1IS0A7cGpyYB0tS0RSUFBKQUtCXFNMRFBaQj1RUDgvHihHRz9DVDUuGyxHTF5CVEw9RUY+XENHQlBUTlA9QThjX2VyYxstQEdUSUlNOkNdRE45MC4pMzQnMDcuLC0oMhssUkJMQzgvMCoyNDYyLjA0Gy1AR1RJSU06Q11PR0k9Oi4sLykuMCsvMSIuNTAzMzA0JU5J
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get serialnumber
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2764
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1524
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1416
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version
          4⤵
          PID:1252
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version
          4⤵
          PID:1156
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 368
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2836

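The process tree above shows the third-stage executable (PID 2552, running from the user's Temp directory) spawning five `wmic.exe` children that each run `bios get serialnumber` or `bios get version` and write the result to the same Temp file, then crashing under WerFault. The report tags these only as "Suspicious use of AdjustPrivilegeToken"; BIOS serial number and version strings are, however, a standard host-fingerprinting input (sandbox and hypervisor BIOS strings are recognisable), so a detection engineer would want a rule for that pattern alongside the "dropped EXE executed from Temp" chain. The Python below is an added example written for this page, not code from the report or from the sample: it runs a small rule set over process-creation events. The events are constructed to mirror the tree (PIDs, images and command lines are copied from the report; the minimal four-field schema and the parent PID `0` for the submitted sample are assumptions, and the long encoded argument of `dbacabfhdcfa.exe` is truncated).

```python
"""Rules over process-creation events shaped like the report's process tree.

Added example; not part of the sandbox report. EVENTS is constructed from the
tree shown above (PIDs, images, command lines copied from it). The four-field
schema (pid, ppid, image, cmdline) and ppid 0 for the first process are assumed.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
OUT = rf"{TEMP}\81718260059.txt"


def wmic_bios_event(pid, prop):
    # Builds one of the five wmic children; command line matches the report.
    return {"pid": pid, "ppid": 2552, "image": WMIC,
            "cmdline": f"wmic /output:{OUT} bios get {prop}"}


EVENTS = [
    {"pid": 2296, "ppid": 0,  # parent of the submitted sample is not in the report
     "image": rf"{TEMP}\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe",
     "cmdline": rf'"{TEMP}\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"'},
    {"pid": 548, "ppid": 2296, "image": rf"{TEMP}\Setup.exe",
     "cmdline": rf'"{TEMP}\Setup.exe"'},
    {"pid": 2552, "ppid": 548, "image": rf"{TEMP}\dbacabfhdcfa.exe",
     # encoded argument from the report truncated after a few characters
     "cmdline": rf"{TEMP}\dbacabfhdcfa.exe 7-1-2-5-2-4-8-3-5-3-2 KE9HPzszKy0t"},
    wmic_bios_event(2764, "serialnumber"),
    wmic_bios_event(1524, "version"),
    wmic_bios_event(1416, "version"),
    wmic_bios_event(1252, "version"),
    wmic_bios_event(1156, "version"),
    {"pid": 2836, "ppid": 2552, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 368"},
]

# <drive>:\Users\<user>\AppData\Local\Temp\...\<name>.exe
USER_TEMP_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\.+\.exe$", re.IGNORECASE)
WMIC_BIOS = re.compile(r"\bbios\s+get\s+(\w+)", re.IGNORECASE)
WMIC_OUTPUT = re.compile(r"/output:(\S+)", re.IGNORECASE)
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def is_user_temp_exe(path):
    return bool(USER_TEMP_EXE.match(path))


def parse_wmic_bios(cmdline):
    """Return {'property', 'output'} for a `wmic ... bios get <prop>` line, else None."""
    m = WMIC_BIOS.search(cmdline)
    if not m:
        return None
    out = WMIC_OUTPUT.search(cmdline)
    return {"property": m.group(1).lower(), "output": out.group(1) if out else None}


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    bios_per_parent = Counter()
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name == "wmic.exe":
            q = parse_wmic_bios(e["cmdline"])
            if q:
                bios_per_parent[e["ppid"]] += 1
                findings.append({"rule": "wmic_bios_fingerprint", "pid": e["pid"],
                                 "ppid": e["ppid"], **q,
                                 "parent_in_temp": bool(parent and is_user_temp_exe(parent["image"]))})
        elif name == "werfault.exe":
            # WerFault -p <pid>: report the crash when the faulting image lives in Temp
            m = WERFAULT_PID.search(e["cmdline"])
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and is_user_temp_exe(crashed["image"]):
                findings.append({"rule": "temp_exe_crashed", "pid": e["pid"],
                                 "crashed_pid": crashed["pid"], "crashed_image": crashed["image"]})
        elif is_user_temp_exe(e["image"]) and parent and is_user_temp_exe(parent["image"]):
            # a Temp-resident executable launched by another Temp-resident executable
            findings.append({"rule": "dropped_exe_executed", "pid": e["pid"],
                             "ppid": e["ppid"], "image": e["image"]})
    for ppid, n in bios_per_parent.items():
        if n >= 3:  # several BIOS queries from one parent: fingerprinting burst
            findings.append({"rule": "wmic_bios_burst", "ppid": ppid, "count": n,
                             "image": by_pid[ppid]["image"] if ppid in by_pid else None})
    return findings


def rule_counts(findings):
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Two caveats when turning this into a production rule. First, `wmic /output:` rewrites the target file on every call (only `/append:` appends), so the 66-byte `81718260059.txt` listed under Downloads can only hold the result of the last `bios get version` call, not the serial number. Second, the pattern keys on the `bios get` alias; the same data is reachable as `wmic path Win32_BIOS get ...`, through WMI from PowerShell, or directly through COM, none of which this command-line match catches.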
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\81718260059.txt

    Filesize

    66B

    MD5

    9025468f85256136f923096b01375964

    SHA1

    7fcd174999661594fa5f88890ffb195e9858cc52

    SHA256

    d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

    SHA512

    92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

  • C:\Users\Admin\AppData\Local\Temp\Cab407C.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    611KB

    MD5

    0cde0cad0ce4b585b01f5f4372421806

    SHA1

    3c7aa727e1d848384380c9d2faf36ef204c62012

    SHA256

    b067a5cd483d8b48109a8e6b0b6f14a98cba55bdfdbb19746bb0b34225fff98e

    SHA512

    ebfcfe5e648989d896b6dcb1006958998ef6f5e141214fe330ad3e70f89412ba2e88640f3f0554c52b9f6f0dae0545eead982b36405f2e35af61e019d41b4468

  • C:\Users\Admin\AppData\Local\Temp\Tar89CE.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • \Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

    Filesize

    810KB

    MD5

    c9956ff8300e9d03818f9ea699dd5166

    SHA1

    119029567399a3a4c453f2686bc7f1ad9181e2d0

    SHA256

    d4f2bfa905ebe30c7393db660d4bdd99e5c3a1a7c5f17b2f06d60b4b85f9cc7a

    SHA512

    8201d9c97b894f6ca9da57a18ccda3fa1694b6cc54ff1b53a4981dd5add7edef2e30b7252190e39610c6523da0a6878987d9ba5b583fcdda774f509d7ff51f12

  • \Users\Admin\AppData\Local\Temp\nst8BDC.tmp\amobm.dll

    Filesize

    152KB

    MD5

    98aafe4b27cc67a4aa2f3f8cb2696c7a

    SHA1

    819d9079822e56185b5860dc9f705c468ec74767

    SHA256

    b2cc39a4cf32de27d4d9e4204c5f51be48568f450780bd9b3322a1c592dbbbf7

    SHA512

    800e3f3d6426272d9d271fd53d6ca8cf49a722d4f3c3f64158de1e9bae1b8fe73b69d225f15991bfc4fdcded98f59279326ebb0d86e8cf9ff84cecd0d4d8eb9d

  • \Users\Admin\AppData\Local\Temp\nst8BDC.tmp\nsisunz.dll

    Filesize

    40KB

    MD5

    5f13dbc378792f23e598079fc1e4422b

    SHA1

    5813c05802f15930aa860b8363af2b58426c8adf

    SHA256

    6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

    SHA512

    9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

  • memory/2296-0-0x000007FEF649E000-0x000007FEF649F000-memory.dmp

    Filesize

    4KB

  • memory/2296-8-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-16-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-26-0x000000001B3C0000-0x000000001B438000-memory.dmp

    Filesize

    480KB