2344f935507fd2743f61dac10834a28c446979860a253ffe7ca767396f9e5a99

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe
Size

752KB
MD5

b7907608c524b2ab7305b6914250f3cd
SHA1

4533c83fc7e21439649d7ac24cc1125ff277e8a3
SHA256

2344f935507fd2743f61dac10834a28c446979860a253ffe7ca767396f9e5a99
SHA512

5418e70abbdf0b5da05180e28e0c89c4c413394b1f7f7968b872cd8326f6dbabf201312a3995734b147857b3ab60e603965baf684056899ef9c3ac2936ebce0e
SSDEEP

12288:DplQoyhJobtL409HViTEZoQaBTsDMBF5J48Omer1GbEEohwC8AX04zfc8vy4hX:DwojR80KQaEMb5Jnher8XLfAX04g86c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	bedgigfiae.exe

Loads dropped DLL 11 IoCs

pid	Process
2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe
2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe
2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe
2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1056	2340	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: SeIncreaseQuotaPrivilege	2592	wmic.exe
Token: SeSecurityPrivilege	2592	wmic.exe
Token: SeTakeOwnershipPrivilege	2592	wmic.exe
Token: SeLoadDriverPrivilege	2592	wmic.exe
Token: SeSystemProfilePrivilege	2592	wmic.exe
Token: SeSystemtimePrivilege	2592	wmic.exe
Token: SeProfSingleProcessPrivilege	2592	wmic.exe
Token: SeIncBasePriorityPrivilege	2592	wmic.exe
Token: SeCreatePagefilePrivilege	2592	wmic.exe
Token: SeBackupPrivilege	2592	wmic.exe
Token: SeRestorePrivilege	2592	wmic.exe
Token: SeShutdownPrivilege	2592	wmic.exe
Token: SeDebugPrivilege	2592	wmic.exe
Token: SeSystemEnvironmentPrivilege	2592	wmic.exe
Token: SeRemoteShutdownPrivilege	2592	wmic.exe
Token: SeUndockPrivilege	2592	wmic.exe
Token: SeManageVolumePrivilege	2592	wmic.exe
Token: 33	2592	wmic.exe
Token: 34	2592	wmic.exe
Token: 35	2592	wmic.exe
Token: SeIncreaseQuotaPrivilege	2532	wmic.exe
Token: SeSecurityPrivilege	2532	wmic.exe
Token: SeTakeOwnershipPrivilege	2532	wmic.exe
Token: SeLoadDriverPrivilege	2532	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2340	2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2340	2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2340	2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2340	2064	b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2644	2340	bedgigfiae.exe	29
PID 2340 wrote to memory of 2644	2340	bedgigfiae.exe	29
PID 2340 wrote to memory of 2644	2340	bedgigfiae.exe	29
PID 2340 wrote to memory of 2644	2340	bedgigfiae.exe	29
PID 2340 wrote to memory of 2592	2340	bedgigfiae.exe	32
PID 2340 wrote to memory of 2592	2340	bedgigfiae.exe	32
PID 2340 wrote to memory of 2592	2340	bedgigfiae.exe	32
PID 2340 wrote to memory of 2592	2340	bedgigfiae.exe	32
PID 2340 wrote to memory of 2532	2340	bedgigfiae.exe	34
PID 2340 wrote to memory of 2532	2340	bedgigfiae.exe	34
PID 2340 wrote to memory of 2532	2340	bedgigfiae.exe	34
PID 2340 wrote to memory of 2532	2340	bedgigfiae.exe	34
PID 2340 wrote to memory of 2480	2340	bedgigfiae.exe	36
PID 2340 wrote to memory of 2480	2340	bedgigfiae.exe	36
PID 2340 wrote to memory of 2480	2340	bedgigfiae.exe	36
PID 2340 wrote to memory of 2480	2340	bedgigfiae.exe	36
PID 2340 wrote to memory of 3028	2340	bedgigfiae.exe	38
PID 2340 wrote to memory of 3028	2340	bedgigfiae.exe	38
PID 2340 wrote to memory of 3028	2340	bedgigfiae.exe	38
PID 2340 wrote to memory of 3028	2340	bedgigfiae.exe	38
PID 2340 wrote to memory of 1056	2340	bedgigfiae.exe	40
PID 2340 wrote to memory of 1056	2340	bedgigfiae.exe	40
PID 2340 wrote to memory of 1056	2340	bedgigfiae.exe	40
PID 2340 wrote to memory of 1056	2340	bedgigfiae.exe	40

C:\Users\Admin\AppData\Local\Temp\b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7907608c524b2ab7305b6914250f3cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\bedgigfiae.exe
  C:\Users\Admin\AppData\Local\Temp\bedgigfiae.exe 4!0!1!9!1!3!4!7!1!5!4 K1BIOzwuNSw1LhwrU1Q5T0ZANi8bK0pFU05OT0dCQzgtITIvZ3FsYG5ib2pdbWQ0UWJlZmBiYRwvQ0BSUUU9PC0zMzExFy5ART08KxwrUFFGQ1I/TV5EQDkyNTAzMBwoUkBOUkVRVlRPSDZnb3BsOi4mcm9yJ0NAT0ctU0ZPKj1JTylFSkZOFy5ASEJCRkVAPR8mQy45JjAbK0AyPCQwHSs9MjgpLSAuOzM6KSofKkAxPSwoHyxMS04/UT9UXkdRRlI6QlQ5HC9PSU5BUTxTWkFRTEA0HyxMS04/UT9UXkVASkE2HypBVEVeTFFJORkuQFRBX0JEQ0lFR0Q4HCtITkpTXD5LTlJPQVI8LB8sUEFASUdVT1RWVE9INh8qUkk9MRcuQU8qPBsrTlVNS0hKQVhWQEg/T0w8SEo9QERQTkg9HyZIUFtLVElQRU1ENHNvcV4fKk5BVFRJTUZKQF5QT0FSXjtAVk82MRsrRElDPFc6LRkuRE9bRFhFQEpFPF5ASj9SWEdTQkA2ZVxob2UfJkNMU0dLSj1AX0hHPC4sLS0wMioyMiktLy4ZLks9TkFLQ0RJW0JNTlA9TEs0ZV5obGQbK1BJTDw8LjAsNTM1LzUxLB8sQEhWSUhLQUNWU0ZJPjwyKy00LikvLjEjNDUsMToxLClNSQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718611800.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718611800.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718611800.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718611800.txt bios get version
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81718611800.txt bios get version
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81718611800.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7BB6.tmp\bmibiev.dll

Filesize
158KB

MD5
778bd4e89da3d596b82a55ae1f9e36b3

SHA1
c4671f37841d8ff8f54c18e62662815b8a1c1dc4

SHA256
1a0dd64ff176e5fe665c30902ca85e952ecb9191e0e37f20636b50ac12325c07

SHA512
40d8cedb4230d0a7e6eb81ae872f90d1208ddb8836697e3a93e9a0d2d16462ff8870282814d4442d72c1ad04a9647bf840ffadfc9772312edfb1203ff0538a3b

Download Submit
\Users\Admin\AppData\Local\Temp\bedgigfiae.exe

Filesize
1.2MB

MD5
1ab146e73a2223d83d59984b45f8fae6

SHA1
891974c238105aab0a7f55f8ebb3aaf3107c6a5c

SHA256
aa1b3f863bc95956f8ea0b894b9e33971186dc10a8f1632c3a1bcf2947cf88e0

SHA512
831ef5510fdf4dfacba19e33abd8fed98df1ba684952a93a70c6fb31973d5f98727ee06599df35e3908dc2333005e0374eb8e43580271900b5be76dc7d181de8

Download Submit
\Users\Admin\AppData\Local\Temp\nst7BB6.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit