cc1374988d0643bf146b3553c6f2879417a3683c000095e4df5bc839af1192f7

Analysis

max time kernel
20s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 10:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Size

47KB
MD5

6029ffbf6490fa90fe5ec529c5c178e3
SHA1

9a77d2f18670607ba99c0b8d68a552bb4b75857b
SHA256

cc1374988d0643bf146b3553c6f2879417a3683c000095e4df5bc839af1192f7
SHA512

b7d63d5cd189b3654f535595cd7473de55664669736b404554c62171f1daa85082954db1f873da4dbd77d74f0d77717fe9a522d6a19b26280361df71d3664f89
SSDEEP

768:iAHYjqn/Ch3fRtQVE1oLG9EIK1aDD0yz9PkMpEIifI4IXyuQNTPkn:50hJyVE1t9ytg9PmpmyuQNT

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	259541577.exe

Loads dropped DLL 11 IoCs

pid	Process
1972	rundll32.exe
1972	rundll32.exe
1972	rundll32.exe
1972	rundll32.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
2756	259541577.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259541577.exe	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\fonts\pci.sys	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	2756	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
1972	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
Token: SeDebugPrivilege	1972	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 1972	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	29
PID 560 wrote to memory of 2756	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	30
PID 560 wrote to memory of 2756	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	30
PID 560 wrote to memory of 2756	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	30
PID 560 wrote to memory of 2756	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2792	2756	259541577.exe	31
PID 2756 wrote to memory of 2792	2756	259541577.exe	31
PID 2756 wrote to memory of 2792	2756	259541577.exe	31
PID 2756 wrote to memory of 2792	2756	259541577.exe	31
PID 560 wrote to memory of 2676	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	32
PID 560 wrote to memory of 2676	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	32
PID 560 wrote to memory of 2676	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	32
PID 560 wrote to memory of 2676	560	6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6029ffbf6490fa90fe5ec529c5c178e3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\259536632.dll testall
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\259541577.exe
  "C:\Windows\system32\259541577.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 212
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kl78a.bat" "
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11.ca

Filesize
70B

MD5
f7e97e452ebf2e5d1858752e5e51156a

SHA1
ae908c2a8c2e670a425a7aad807f5e40d8f42335

SHA256
94d55dff4eb41cfd8b5ca832b6ecb3f9c6bcf7d96cb84ae24a6496d015511b59

SHA512
3515fc78e868d7a05db3a9f77c2459d9b573d25a9d718335b820becbc296232123f60acb17b5ddc560b259b88caa4eed05e0f77ad4719f07647b7d28df9f7af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\259536632.dll

Filesize
14KB

MD5
962cab8783e4346bf2fd5ac1530a820e

SHA1
e5fa0795fafc737f13746ef09b63549bf965a627

SHA256
d443d789343c7509885062da36ca881c436bb4a0ff2e1facde138727b5c5699a

SHA512
5047c747925f6fc792b6929d19706fed5517a002a8bbf5a7c69d3142e5614b80b53c02b585846002a17e8433cf7c415852bda4abeaa77745c4048c376c6301af

Download Submit
C:\Users\Admin\AppData\Local\Temp\kl78a.bat

Filesize
2KB

MD5
73754e18bb6184d49a8a972003d80beb

SHA1
cf9739daf83c046e7cc9e04592b427207009054d

SHA256
36ba1b449364cc36fdef110d741c78ce0af780074ef071d322f84608fe92af9f

SHA512
671546228704335760eb50ad8a993de9c0a4a9d4a591a67b2e260862ca8af3782990f5c69c33af1091cb5ae09b7dce21eba10ab09acbec57244aa1b626475bd7

Download Submit
C:\Windows\SysWOW64\259541577.exe

Filesize
12KB

MD5
492f4da40600c6c7103feb17292522e2

SHA1
b0f863ce8e4bee124e92b4845420040a0a86255d

SHA256
8b3875b387f5e8d0c06e285c2f28e01a62665313f56a2e3f46a89600a8ce58d8

SHA512
a5e9ee4dfed4fdf5c08e593073f6aed83b1606929482893a6fc248df212ac69924b3d91607a5e637fe100dee6429c132f0845f03ce6a94a36c8915bc0e10b165

Download Submit
\Users\Admin\AppData\Local\Temp\ope4B04.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
memory/560-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/560-41-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1972-7-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1972-5-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1972-9-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1972-10-0x0000000010001000-0x0000000010002000-memory.dmp

Filesize
4KB

Download