c9b14e04a3dd0f3d145aada5132726f9acd6302a7eab7958e50d5d25b62bf1d6

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe
Size

952KB
MD5

59a124f03e118ef649f0fcdc12c3515d
SHA1

0cde93f866e062b030f2b7d1e6f81c8f939fa761
SHA256

c9b14e04a3dd0f3d145aada5132726f9acd6302a7eab7958e50d5d25b62bf1d6
SHA512

6bd0c47354b139097feaa088b891229e0d97aa75897f04025817bb5ede6cf11283059f3a9f1da48c4ea5a98e48340e027cb1a987070515d7d4e9ef27d3580081
SSDEEP

12288:eD7lxIXgij3qi3MAxGQ3BdOukFfY+F1ldsui3hBTo:eEXjj3qgPGQ3BVkpY+F1ldsui37To

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4748	pwdump.exe
3028	servpw64.exe
668	lsass.exe
4340	cachedump64.exe
548	cachedump64.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	servpw64.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\p	cachedump64.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe
3028	servpw64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	servpw64.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
668	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4748	556	59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe	85
PID 556 wrote to memory of 4748	556	59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe	85
PID 556 wrote to memory of 4748	556	59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe	85
PID 3028 wrote to memory of 668	3028	servpw64.exe	7
PID 3028 wrote to memory of 668	3028	servpw64.exe	7
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 556 wrote to memory of 4340	556	59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe	87
PID 556 wrote to memory of 4340	556	59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe	87
PID 556 wrote to memory of 4340	556	59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe	87
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 4896	668	lsass.exe	82
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 1524	668	lsass.exe	92
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2436	668	lsass.exe	95
PID 668 wrote to memory of 2228	668	lsass.exe	40
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 2828	668	lsass.exe	49
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98
PID 668 wrote to memory of 872	668	lsass.exe	98

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2228

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59a124f03e118ef649f0fcdc12c3515d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\pwdump.exe
  -x -o "C:\Users\Admin\AppData\Local\Temp\127.0.0.1.pwdump" -u "(null)" -p "(null)" 127.0.0.1
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\cachedump64.exe
  -v
  2⤵
  - Executes dropped EXE
  PID:4340

C:\Users\Admin\AppData\Local\Temp\servpw64.exe
C:\Users\Admin\AppData\Local\Temp\servpw64.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\cachedump64.exe
"C:\Users\Admin\AppData\Local\Temp\cachedump64.exe" -s
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:548

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe aeaeb17a7fddda9bfee285d9e65e8757 rjbZ+Uwfk0GzjeYQMC3eqg.0.1.0.0.0
1⤵
PID:1524

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2436

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:872

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2388

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1316

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cachedump.exe

Filesize
124KB

MD5
9de5b79050879af333d8a0ec555d6b57

SHA1
645ef72ca81627c351b5e8f9652b7a3399ac815f

SHA256
cf58ca5bf8c4f87bb67e6a4e1fb9e8bada50157dacbd08a92a4a779e40d569c4

SHA512
47f7624155db8f5b5e1b579279f62a402212ccc883f2d7724764a7057d78b099794d5805c2ca7c8a5e53ffaf7fe1122a7773dad464e8a2e7ec00db841357a3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsremora64.dll

Filesize
79KB

MD5
3fed6dc4ba33df1eadcbc50d88dcef7a

SHA1
321056f98ddcb005dd84ddab730175d81f8b6213

SHA256
efa66f6391ec471ca52cd053159c8a8778f11f921da14e6daf76387f8c9afcd5

SHA512
f917d89be3108721530df98221ea9cc268f491b3dbee324c251649969684616b4168cf9629f772a8515cf1e63e1139da30aff874e6d4119429ce12f7dff2014c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwdump.exe

Filesize
144KB

MD5
f959f07a120d759ddd1ae4aa9ff32c75

SHA1
91e0b49044f004618ffa777b503f7d392dc660be

SHA256
3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982

SHA512
ac7c9dcb05d4110db39838185b501dda8dbd9ce4ababbfd57f63505649f2df92599a62e995495aac21951ea415091b6d0f7b13a041f5f32937341fba6ae7f4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\servpw64.exe

Filesize
68KB

MD5
981e82f907d1943f3ee06e05aecf7c31

SHA1
bbbfb6a24db8b284117b5af621829086d808cf7d

SHA256
97b39ac28794a7610ed83ad65e28c605397ea7be878109c35228c126d43e2f46

SHA512
3944731d60a0a57a226ce846a54b5ef021757dd983262c1f7e690e6c07608fd96c2551d5d9a3f14da1b80411f1662e14a50306b8601999a2dab3c87ce4d0e5b0

Download Submit
memory/668-19-0x000001EE1ED20000-0x000001EE1ED21000-memory.dmp

Filesize
4KB

Download