06f6c10440da558d3956f661aa361b20ffbf27204b1e9f04e7d478d973b717a9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe
Size

574KB
MD5

a4c38431332106979cb41847b95e3c59
SHA1

3630373d6fe9989b86a17bac08647c55ce8ada9d
SHA256

06f6c10440da558d3956f661aa361b20ffbf27204b1e9f04e7d478d973b717a9
SHA512

c900f7b582abb1966b3973a8e439e7b2bd919f83c6342724fca36d46abdcc89475edf5fbebd24c8a510070fa2ec93c32cf3e902b8be62e535e857ae97e9a3a0c
SSDEEP

12288:AX0cjfyBYdfzRGE4OxueN1cJpWng7BSRZfjymE5s0Xd8F5oOqo:AX0cjqBYdfzRGEZNCDW8qhWs0XCF5oc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	bccgcabedefg.exe

Loads dropped DLL 10 IoCs

pid	Process
2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe
2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe
2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2096	2140	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2268	wmic.exe
Token: SeSecurityPrivilege	2268	wmic.exe
Token: SeTakeOwnershipPrivilege	2268	wmic.exe
Token: SeLoadDriverPrivilege	2268	wmic.exe
Token: SeSystemProfilePrivilege	2268	wmic.exe
Token: SeSystemtimePrivilege	2268	wmic.exe
Token: SeProfSingleProcessPrivilege	2268	wmic.exe
Token: SeIncBasePriorityPrivilege	2268	wmic.exe
Token: SeCreatePagefilePrivilege	2268	wmic.exe
Token: SeBackupPrivilege	2268	wmic.exe
Token: SeRestorePrivilege	2268	wmic.exe
Token: SeShutdownPrivilege	2268	wmic.exe
Token: SeDebugPrivilege	2268	wmic.exe
Token: SeSystemEnvironmentPrivilege	2268	wmic.exe
Token: SeRemoteShutdownPrivilege	2268	wmic.exe
Token: SeUndockPrivilege	2268	wmic.exe
Token: SeManageVolumePrivilege	2268	wmic.exe
Token: 33	2268	wmic.exe
Token: 34	2268	wmic.exe
Token: 35	2268	wmic.exe
Token: SeIncreaseQuotaPrivilege	2268	wmic.exe
Token: SeSecurityPrivilege	2268	wmic.exe
Token: SeTakeOwnershipPrivilege	2268	wmic.exe
Token: SeLoadDriverPrivilege	2268	wmic.exe
Token: SeSystemProfilePrivilege	2268	wmic.exe
Token: SeSystemtimePrivilege	2268	wmic.exe
Token: SeProfSingleProcessPrivilege	2268	wmic.exe
Token: SeIncBasePriorityPrivilege	2268	wmic.exe
Token: SeCreatePagefilePrivilege	2268	wmic.exe
Token: SeBackupPrivilege	2268	wmic.exe
Token: SeRestorePrivilege	2268	wmic.exe
Token: SeShutdownPrivilege	2268	wmic.exe
Token: SeDebugPrivilege	2268	wmic.exe
Token: SeSystemEnvironmentPrivilege	2268	wmic.exe
Token: SeRemoteShutdownPrivilege	2268	wmic.exe
Token: SeUndockPrivilege	2268	wmic.exe
Token: SeManageVolumePrivilege	2268	wmic.exe
Token: 33	2268	wmic.exe
Token: 34	2268	wmic.exe
Token: 35	2268	wmic.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	2632	wmic.exe
Token: SeSecurityPrivilege	2632	wmic.exe
Token: SeTakeOwnershipPrivilege	2632	wmic.exe
Token: SeLoadDriverPrivilege	2632	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2140	2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe	28
PID 2344 wrote to memory of 2140	2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe	28
PID 2344 wrote to memory of 2140	2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe	28
PID 2344 wrote to memory of 2140	2344	a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe	28
PID 2140 wrote to memory of 2268	2140	bccgcabedefg.exe	29
PID 2140 wrote to memory of 2268	2140	bccgcabedefg.exe	29
PID 2140 wrote to memory of 2268	2140	bccgcabedefg.exe	29
PID 2140 wrote to memory of 2268	2140	bccgcabedefg.exe	29
PID 2140 wrote to memory of 2452	2140	bccgcabedefg.exe	32
PID 2140 wrote to memory of 2452	2140	bccgcabedefg.exe	32
PID 2140 wrote to memory of 2452	2140	bccgcabedefg.exe	32
PID 2140 wrote to memory of 2452	2140	bccgcabedefg.exe	32
PID 2140 wrote to memory of 2632	2140	bccgcabedefg.exe	34
PID 2140 wrote to memory of 2632	2140	bccgcabedefg.exe	34
PID 2140 wrote to memory of 2632	2140	bccgcabedefg.exe	34
PID 2140 wrote to memory of 2632	2140	bccgcabedefg.exe	34
PID 2140 wrote to memory of 1672	2140	bccgcabedefg.exe	36
PID 2140 wrote to memory of 1672	2140	bccgcabedefg.exe	36
PID 2140 wrote to memory of 1672	2140	bccgcabedefg.exe	36
PID 2140 wrote to memory of 1672	2140	bccgcabedefg.exe	36
PID 2140 wrote to memory of 2476	2140	bccgcabedefg.exe	38
PID 2140 wrote to memory of 2476	2140	bccgcabedefg.exe	38
PID 2140 wrote to memory of 2476	2140	bccgcabedefg.exe	38
PID 2140 wrote to memory of 2476	2140	bccgcabedefg.exe	38
PID 2140 wrote to memory of 2096	2140	bccgcabedefg.exe	40
PID 2140 wrote to memory of 2096	2140	bccgcabedefg.exe	40
PID 2140 wrote to memory of 2096	2140	bccgcabedefg.exe	40
PID 2140 wrote to memory of 2096	2140	bccgcabedefg.exe	40

C:\Users\Admin\AppData\Local\Temp\a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4c38431332106979cb41847b95e3c59_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\bccgcabedefg.exe
  C:\Users\Admin\AppData\Local\Temp\bccgcabedefg.exe 6-4-5-1-5-5-7-8-3-6-2 KUxEQzgrGSdQT0BKRT88KxsoRkJOVUlORkg/OCkYLD5HTVBEQzgrGSdAQ0I3LBsuS01IPFI9UllFPzwrGyhLQkxUP05aVE1HNmBxbm40KypyYG1vJnFiYydda28oX1psXihnaGJqHyo+RUFARUc+ORsuPyw2JS4aLT4uOCwsGyg8MDcrKxwqQy84JikdKUIvOSgwGypJSkw+Uz1QWk9NRE85QFM7GitLUUo/TjtRWUNPSDw8GypJSkw+Uz1QWk08SD41HSlDUkFaVE1HNhgsP1Y/Wz5MP0dCRkI3HilESlJPWjtKTFFRP044MRsqTUA+SElTS1BeUE1FNR0pUkNJQDwsLyoxMi82Mi4xHypRRjUvGi0+Tyw8GypLTUtOR0dBWlZARzxHSj9HRz1CRFBNRTUdKUdNW01USU9CRUI3cmxxYB8qTT5MUkxMQ0pCXlBOPkpcPj9TTzgxGypBQUE/VjctGy5ETlg8Vkg/R0U+XkBJPEpWSlI/QDhlXGdsXR0pQklTSUtKPD1XUUNLPzksMSotLycvKi8uJiw5MC4zLDMkP0ccKkNKUkdETDtCWUVLPDExJyoxMywzLykwMDA=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718269463.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718269463.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718269463.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718269463.txt bios get version
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718269463.txt bios get version
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81718269463.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\zzp.dll

Filesize
108KB

MD5
2e352e4574545d13bbb4004f508c6f1e

SHA1
f90cadb5e3696167e183ba548abd4c8086566318

SHA256
3cee88da308c942dd2900192691779432f9326819fe7da08c9c555bf56a9fac0

SHA512
2cd3250bca3e4f998c7fcee4f17a3e1f01249ce4eab4b09373937551d0055ea1dfdad74149ab8281a1bf4b8195a492fb48eabbd04c63374a1561dcd910289da6

Download Submit
\Users\Admin\AppData\Local\Temp\bccgcabedefg.exe

Filesize
826KB

MD5
7627150d864117aa09d969745194617e

SHA1
f58881af8d00f80596ea1597a9f1d8e20ac0b312

SHA256
3a47a1fbfdc0addda18a68e1f95f74bde52a900758076a9800186f9a1b44955e

SHA512
15f3f266fb50bdf8b8b91a7b48155c48865470178890de88eb02e4c68a9ae2fbe22b8dec7bd817f77eccede5ac6180695d0ef569fd957e680f4b63a285143220

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit