cc1b7a296f9457846965d869693f4fc1b6236cee1f16b205b6bce81de0302003

Analysis

max time kernel
89s
max time network
90s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 10:46

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe
Size

396KB
MD5

415b876ace64ccc3517ae8ac8e251f85
SHA1

3d1b6dd354d328202a2c478898a6ac0d2335a1fd
SHA256

cc1b7a296f9457846965d869693f4fc1b6236cee1f16b205b6bce81de0302003
SHA512

72148751c0629d017f49d9a2ea7e9267dbc4bb12975264c3e93fbd3c37bbf0bb5555bda8fdb8c3df0fc203ac80d1a3362d2af73895694afeda2df91b0631344d
SSDEEP

6144:jUciC5MDPcclzsot++CDAYboatoQ9ZCykzuhRZT3MnPIGiwE8YtTQ9wnR0w6xA07:3iC5APccy7AWEiZWPI5xQ9ERAxX7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
2568	taskkill.exe
1948	taskkill.exe
536	taskkill.exe
3016	taskkill.exe
2136	taskkill.exe
1160	taskkill.exe
2084	taskkill.exe
2400	taskkill.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeShutdownPrivilege	1560	shutdown.exe
Token: SeRemoteShutdownPrivilege	1560	shutdown.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2136	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2136	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2136	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2136	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	30
PID 1028 wrote to memory of 1160	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	31
PID 1028 wrote to memory of 1160	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	31
PID 1028 wrote to memory of 1160	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	31
PID 1028 wrote to memory of 1160	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2084	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2084	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2084	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2084	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2400	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	33
PID 1028 wrote to memory of 2400	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	33
PID 1028 wrote to memory of 2400	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	33
PID 1028 wrote to memory of 2400	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	33
PID 1028 wrote to memory of 2568	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	34
PID 1028 wrote to memory of 2568	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	34
PID 1028 wrote to memory of 2568	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	34
PID 1028 wrote to memory of 2568	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	34
PID 1028 wrote to memory of 1948	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	38
PID 1028 wrote to memory of 1948	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	38
PID 1028 wrote to memory of 1948	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	38
PID 1028 wrote to memory of 1948	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	38
PID 1028 wrote to memory of 536	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	39
PID 1028 wrote to memory of 536	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	39
PID 1028 wrote to memory of 536	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	39
PID 1028 wrote to memory of 536	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	39
PID 1028 wrote to memory of 3016	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	40
PID 1028 wrote to memory of 3016	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	40
PID 1028 wrote to memory of 3016	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	40
PID 1028 wrote to memory of 3016	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	40
PID 1028 wrote to memory of 1560	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	49
PID 1028 wrote to memory of 1560	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	49
PID 1028 wrote to memory of 1560	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	49
PID 1028 wrote to memory of 1560	1028	415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe	49

C:\Users\Admin\AppData\Local\Temp\415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\415b876ace64ccc3517ae8ac8e251f85_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im avgas.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im guard.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im aavgapi.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im avgtray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im avgwdsvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im avgrsx.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im avgcmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /im avgfrw.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -f -t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:784

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1028-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1028-9-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download