bcd74869fed12192e15d27254f6736621a82fbdcb555f7a258d0f2fa99eed36e

Analysis

max time kernel
126s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
Size

435KB
MD5

961954bbc411d4eafd72efad94a6e160
SHA1

0a0e1830d6b2a169527fe61b9111b4171cc5a01f
SHA256

bcd74869fed12192e15d27254f6736621a82fbdcb555f7a258d0f2fa99eed36e
SHA512

c70698005bd0974ace29ad991b3dd3cae82809a088ba6b090e1b2786bf72f87e5a87493aadab7d0adf4e2929bf7d0edc903154a590f15439543f45af1ad22cdb
SSDEEP

12288:ji8ssa1TX35mrEe0zfGr7c1+GHjcSczuhE:ji8sjTZmrEesbMGDSzu2

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2564	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
836	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2564	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	rundll32.exe
2564	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	rundll32.exe
Token: SeDebugPrivilege	2564	rundll32.exe
Token: SeDebugPrivilege	2564	rundll32.exe
Token: SeDebugPrivilege	2564	rundll32.exe
Token: SeDebugPrivilege	2564	rundll32.exe
Token: SeDebugPrivilege	2564	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeUndockPrivilege	836	svchost.exe
Token: SeManageVolumePrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeUndockPrivilege	836	svchost.exe
Token: SeManageVolumePrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeUndockPrivilege	836	svchost.exe
Token: SeManageVolumePrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeUndockPrivilege	836	svchost.exe
Token: SeManageVolumePrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
836	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2564	2500	961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2564	2500	961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2564	2500	961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe	30
PID 2564 wrote to memory of 836	2564	rundll32.exe	13
PID 836 wrote to memory of 2724	836	svchost.exe	31
PID 836 wrote to memory of 2724	836	svchost.exe	31
PID 836 wrote to memory of 2724	836	svchost.exe	31

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2724

C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\tmpC1BA.tmp", Install C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tmpC1B9.tmp

Filesize
577KB

MD5
56ba53de2646c5260d6bbe7c2006d275

SHA1
0449eba1d5b0f8b5ef5737429c1b349ff19cfddb

SHA256
e824123c7536555ec609aef31ddefc6ae084db686be7622ecf302390ad2eba5b

SHA512
4fec07c24beef58d8569e5053c55f13ff8b93326310ae1bea714763919bdb3e1988d82d0554739c3c0f36b5b86b24279dfd6d046f00bcdbd5724410cbeed35c9

Download Submit
\Users\Admin\AppData\Roaming\tmpC1BA.tmp

Filesize
59KB

MD5
9885e9981874f3e31272442c355ad1b4

SHA1
beebd86be084943f7f3b55c6e4efea369a0cdf66

SHA256
87f15363566e645ea6ee77e5f3afc1c6bfe4c931ba6aa2a78ffa04328837cbcf

SHA512
ee41e716bd72385036d6214b1db91731354a9ae25b38f8c8fcdc5c298eadafc8d63205211cb30790fa0214f5919176d6c6cb357f2c37c77333211830763ce99c

Download Submit
memory/836-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/836-28-0x000007FEFE9B0000-0x000007FEFE9C0000-memory.dmp

Filesize
64KB

Download
memory/836-29-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-27-0x000007FEFE9B0000-0x000007FEFE9C0000-memory.dmp

Filesize
64KB

Download
memory/836-20-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/836-55-0x00000000011E0000-0x000000000125B000-memory.dmp

Filesize
492KB

Download
memory/2564-6-0x0000000180000000-0x0000000180096000-memory.dmp

Filesize
600KB

Download