Analysis
max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/Convert.dll
  Resource: win7-20240611-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/Convert.dll
  Resource: win10v2004-20240611-en
General
Target: a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe
Size: 707KB
MD5: a53f4815118baadfc51387f8a813282e
SHA1: 05851372cc8c9e4c05401228f8ae171ae8fda2c4
SHA256: 156431cf1ed5981a7fe8729a9dc5df8b4b6e08ab635b6cbd93c0cc4d79f71496
SHA512: dffb300917ef69d2ea5c96f4edddad8c3097d143900071113ed85db6c71320a34a16db11a58610f9a7d0a9cd0a9ad9c0059c70109ae7d8534e4cd52db51d5586
SSDEEP: 12288:F4lmv05Fa7QsMHYVgAfFPmwQg8lfUDJkvqGzj5FQ8QDb3dnDwAr/o/mNe3akx80N:F4KQs7Vg6F+PfUDK95i8QDDphouA3akH
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid | Process
- 2360 | rdm.exe

Loads dropped DLL 1 IoCs
pid | Process
- 3684 | a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
- 780 | 2360 | WerFault.exe | 81
Modifies registry class 34 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982} | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\ = "CBrowserExternal Class" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Programmable | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0 | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS\ = "0" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32 | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdm.exe" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0" | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version\ = "1.0" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5} | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32 | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\ = "SmartInstallerLib" | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32 | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32 | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\rdm.exe\"" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0 | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdm.exe" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals" | rdm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} | rdm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals" | rdm.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
- Token: SeIncreaseQuotaPrivilege | 4764 | wmic.exe
- Token: SeSecurityPrivilege | 4764 | wmic.exe
- Token: SeTakeOwnershipPrivilege | 4764 | wmic.exe
- Token: SeLoadDriverPrivilege | 4764 | wmic.exe
- Token: SeSystemProfilePrivilege | 4764 | wmic.exe
- Token: SeSystemtimePrivilege | 4764 | wmic.exe
- Token: SeProfSingleProcessPrivilege | 4764 | wmic.exe
- Token: SeIncBasePriorityPrivilege | 4764 | wmic.exe
- Token: SeCreatePagefilePrivilege | 4764 | wmic.exe
- Token: SeBackupPrivilege | 4764 | wmic.exe
- Token: SeRestorePrivilege | 4764 | wmic.exe
- Token: SeShutdownPrivilege | 4764 | wmic.exe
- Token: SeDebugPrivilege | 4764 | wmic.exe
- Token: SeSystemEnvironmentPrivilege | 4764 | wmic.exe
- Token: SeRemoteShutdownPrivilege | 4764 | wmic.exe
- Token: SeUndockPrivilege | 4764 | wmic.exe
- Token: SeManageVolumePrivilege | 4764 | wmic.exe
- Token: 33 | 4764 | wmic.exe
- Token: 34 | 4764 | wmic.exe
- Token: 35 | 4764 | wmic.exe
- Token: 36 | 4764 | wmic.exe
- Token: SeIncreaseQuotaPrivilege | 4764 | wmic.exe
- Token: SeSecurityPrivilege | 4764 | wmic.exe
- Token: SeTakeOwnershipPrivilege | 4764 | wmic.exe
- Token: SeLoadDriverPrivilege | 4764 | wmic.exe
- Token: SeSystemProfilePrivilege | 4764 | wmic.exe
- Token: SeSystemtimePrivilege | 4764 | wmic.exe
- Token: SeProfSingleProcessPrivilege | 4764 | wmic.exe
- Token: SeIncBasePriorityPrivilege | 4764 | wmic.exe
- Token: SeCreatePagefilePrivilege | 4764 | wmic.exe
- Token: SeBackupPrivilege | 4764 | wmic.exe
- Token: SeRestorePrivilege | 4764 | wmic.exe
- Token: SeShutdownPrivilege | 4764 | wmic.exe
- Token: SeDebugPrivilege | 4764 | wmic.exe
- Token: SeSystemEnvironmentPrivilege | 4764 | wmic.exe
- Token: SeRemoteShutdownPrivilege | 4764 | wmic.exe
- Token: SeUndockPrivilege | 4764 | wmic.exe
- Token: SeManageVolumePrivilege | 4764 | wmic.exe
- Token: 33 | 4764 | wmic.exe
- Token: 34 | 4764 | wmic.exe
- Token: 35 | 4764 | wmic.exe
- Token: 36 | 4764 | wmic.exe
- Token: SeIncreaseQuotaPrivilege | 4104 | wmic.exe
- Token: SeSecurityPrivilege | 4104 | wmic.exe
- Token: SeTakeOwnershipPrivilege | 4104 | wmic.exe
- Token: SeLoadDriverPrivilege | 4104 | wmic.exe
- Token: SeSystemProfilePrivilege | 4104 | wmic.exe
- Token: SeSystemtimePrivilege | 4104 | wmic.exe
- Token: SeProfSingleProcessPrivilege | 4104 | wmic.exe
- Token: SeIncBasePriorityPrivilege | 4104 | wmic.exe
- Token: SeCreatePagefilePrivilege | 4104 | wmic.exe
- Token: SeBackupPrivilege | 4104 | wmic.exe
- Token: SeRestorePrivilege | 4104 | wmic.exe
- Token: SeShutdownPrivilege | 4104 | wmic.exe
- Token: SeDebugPrivilege | 4104 | wmic.exe
- Token: SeSystemEnvironmentPrivilege | 4104 | wmic.exe
- Token: SeRemoteShutdownPrivilege | 4104 | wmic.exe
- Token: SeUndockPrivilege | 4104 | wmic.exe
- Token: SeManageVolumePrivilege | 4104 | wmic.exe
- Token: 33 | 4104 | wmic.exe
- Token: 34 | 4104 | wmic.exe
- Token: 35 | 4104 | wmic.exe
- Token: 36 | 4104 | wmic.exe
- Token: SeIncreaseQuotaPrivilege | 4104 | wmic.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
- PID 3684 wrote to memory of 2360 | 3684 | a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe | 81
- PID 3684 wrote to memory of 2360 | 3684 | a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe | 81
- PID 3684 wrote to memory of 2360 | 3684 | a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe | 81
- PID 2360 wrote to memory of 4764 | 2360 | rdm.exe | 82
- PID 2360 wrote to memory of 4764 | 2360 | rdm.exe | 82
- PID 2360 wrote to memory of 4764 | 2360 | rdm.exe | 82
- PID 2360 wrote to memory of 4104 | 2360 | rdm.exe | 86
- PID 2360 wrote to memory of 4104 | 2360 | rdm.exe | 86
- PID 2360 wrote to memory of 4104 | 2360 | rdm.exe | 86
- PID 2360 wrote to memory of 1464 | 2360 | rdm.exe | 89
- PID 2360 wrote to memory of 1464 | 2360 | rdm.exe | 89
- PID 2360 wrote to memory of 1464 | 2360 | rdm.exe | 89
- PID 2360 wrote to memory of 3256 | 2360 | rdm.exe | 92
- PID 2360 wrote to memory of 3256 | 2360 | rdm.exe | 92
- PID 2360 wrote to memory of 3256 | 2360 | rdm.exe | 92
- PID 2360 wrote to memory of 3260 | 2360 | rdm.exe | 94
- PID 2360 wrote to memory of 3260 | 2360 | rdm.exe | 94
- PID 2360 wrote to memory of 3260 | 2360 | rdm.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a53f4815118baadfc51387f8a813282e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3684

  C:\Users\Admin\AppData\Local\Temp\rdm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\rdm.exe /PID=7302 /SUBPID=0 /NETWORKID=0 /DISTID=1775 /CID=0 /PRODUCT_ID=1694 /SERVER_URL=`omn7).`ar\&b^rp_qrepdfah,`il /CLICKID=1059871846 /D1=16438 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME= /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=2 /THANKYOU_URL= /TIME=1405066224 /VM=2 /DS1= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /IS_DYNAMIC_ENCRYPTED=true
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2360

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\91718277358.txt bios get serialnumber
      - Suspicious use of AdjustPrivilegeToken
      PID: 4764

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\91718277358.txt bios get version
      - Suspicious use of AdjustPrivilegeToken
      PID: 4104

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\91718277358.txt bios get version
      PID: 1464

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\91718277358.txt bios get version
      PID: 3256

    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\91718277358.txt bios get version
      PID: 3260

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 996
      - Program crash
      PID: 780

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2360 -ip 2360
  PID: 3464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 58B
  MD5: f8e2f71e123c5a848f2a83d2a7aef11e
  SHA1: 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
  SHA256: 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
  SHA512: 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e
- Filesize: 114KB
  MD5: 71168aa0e284468f8520b2315b7fac31
  SHA1: 27079df5784394f0a5d3737f6b0a46bb7770cdfe
  SHA256: 089da0e59e2ce9eadccd58479e2600e1a7e172b682604a1c980683dea258bd48
  SHA512: d975a251f8209e4a0fdeed476f9a1ab9b7a3ba79963d2774ca7fa6f088cd316baeab43bc5652fda49d5960bc2ef6a643800e15669200bfa3ea1d78cd9bb20d0d
- Filesize: 790KB
  MD5: 7c0a67c840e50dc6e13a7a98ffa893af
  SHA1: 6b542cfbc7afe7951b9edecb2afa0d6f79bd24a6
  SHA256: b07f3066bd21aeff8e3e2e9ec487fd69442c5f2151e71c9ca5e424692ae9971e
  SHA512: 0271da7fbf017d604515cfedf6aad0d891ab52a45ac283d02d099d3245941c9c60f9ac3018ddfd922a635faafb30f32d5dd216aa77030571511eadbd41331f89