c3f34fab69c9f02d998500e31402c2ac142b0d209cfd2568619bc9fc0853e5dd

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe
Size

294KB
MD5

22ce3654742c1f02ae5f343878ca71b5
SHA1

e118b7c26d76d7b12a636d33cb1bb5ad9cf2bff6
SHA256

c3f34fab69c9f02d998500e31402c2ac142b0d209cfd2568619bc9fc0853e5dd
SHA512

f224dd0facf37e830a8fade9d9b5932699595e87f7f051debd2dbe2ed02644b9f6f6d69cf3ae29f14798d4d70f8b8094c9d8a30c2b5ee43109803631ecca6fb1
SSDEEP

6144:zzZIhI966AGkAjOpoaY7qAAY27yZniIms+QTf6f:5wq6xGJOpqURypiI3Cf

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\beep.sys	dark.exe
File created	C:\Windows\SysWOW64\drivers\beep.sys	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	dark.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe
2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dark.exe	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dark.exe	dark.exe
File created	C:\Windows\SysWOW64\dark.exe	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2784	dark.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2784	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2784	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2784	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2784	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2696	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2696	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2696	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2696	2932	22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe	29
PID 2784 wrote to memory of 2500	2784	dark.exe	30
PID 2784 wrote to memory of 2500	2784	dark.exe	30
PID 2784 wrote to memory of 2500	2784	dark.exe	30
PID 2784 wrote to memory of 2500	2784	dark.exe	30

C:\Users\Admin\AppData\Local\Temp\22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22ce3654742c1f02ae5f343878ca71b5_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\dark.exe
  "C:\Windows\system32\dark.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\dark.exe > nul
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\22CE36~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\beep.sys

Filesize
2KB

MD5
5fd668ad46277cc087c14569bd508f7b

SHA1
a401a642806991b49e39a08862fa5d462cf37bb6

SHA256
aeeb1db06947f713973e60e1e87e9d5e0de15904586137b55a37d88925222662

SHA512
51d303862887aec41d04bf1a00c1a43ca6c9f0ec91d2f0736a517250d11840e482c09e63447ec4ebc746b8328881d6fbd17ea401fc54e1044e41816f42175b1c

Download Submit
\Windows\SysWOW64\dark.exe

Filesize
294KB

MD5
22ce3654742c1f02ae5f343878ca71b5

SHA1
e118b7c26d76d7b12a636d33cb1bb5ad9cf2bff6

SHA256
c3f34fab69c9f02d998500e31402c2ac142b0d209cfd2568619bc9fc0853e5dd

SHA512
f224dd0facf37e830a8fade9d9b5932699595e87f7f051debd2dbe2ed02644b9f6f6d69cf3ae29f14798d4d70f8b8094c9d8a30c2b5ee43109803631ecca6fb1

Download Submit
memory/2784-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2784-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2932-16-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-13-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-27-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-26-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-25-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-24-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-23-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-22-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-21-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-20-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-19-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-36-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/2932-35-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/2932-34-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-33-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-32-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-18-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-17-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2932-15-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-28-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-12-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-14-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-11-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-10-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-9-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2932-7-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2932-6-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2932-5-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2932-4-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2932-3-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2932-2-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/2932-38-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/2932-37-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/2932-29-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-46-0x0000000003140000-0x0000000003190000-memory.dmp

Filesize
320KB

Download
memory/2932-30-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-31-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2932-52-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/2932-51-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2932-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download