2309210f2738a199758633ad4f83895083c78b42660bfa5a2e9979f263556d70

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
Size

695KB
MD5

cfe3f8d7c5ea48a32aa1f078d50a045a
SHA1

94d4c581d584763e71181520977ccbadc8b986df
SHA256

2309210f2738a199758633ad4f83895083c78b42660bfa5a2e9979f263556d70
SHA512

61324e819b7c37f326e03eba0a14f4da5b1f9d2aeafd153af6ce583f7066336d8317f9760743df7589edd693d3fb571700c97f0bbd37ff676186ae6427f6e6ac
SSDEEP

12288:Z5DHkHVp/ROGY4ZWqHKgvIsfvFqSAmvPtl+T8iYMZN9NbMeYA3wbIrICxd1y:Z5culmKgvn5AmvjoHN9NbMeBDa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	1432242082.exe

Loads dropped DLL 11 IoCs

pid	Process
2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	2340	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1432242082.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2144	wmic.exe
Token: SeSecurityPrivilege	2144	wmic.exe
Token: SeTakeOwnershipPrivilege	2144	wmic.exe
Token: SeLoadDriverPrivilege	2144	wmic.exe
Token: SeSystemProfilePrivilege	2144	wmic.exe
Token: SeSystemtimePrivilege	2144	wmic.exe
Token: SeProfSingleProcessPrivilege	2144	wmic.exe
Token: SeIncBasePriorityPrivilege	2144	wmic.exe
Token: SeCreatePagefilePrivilege	2144	wmic.exe
Token: SeBackupPrivilege	2144	wmic.exe
Token: SeRestorePrivilege	2144	wmic.exe
Token: SeShutdownPrivilege	2144	wmic.exe
Token: SeDebugPrivilege	2144	wmic.exe
Token: SeSystemEnvironmentPrivilege	2144	wmic.exe
Token: SeRemoteShutdownPrivilege	2144	wmic.exe
Token: SeUndockPrivilege	2144	wmic.exe
Token: SeManageVolumePrivilege	2144	wmic.exe
Token: 33	2144	wmic.exe
Token: 34	2144	wmic.exe
Token: 35	2144	wmic.exe
Token: SeIncreaseQuotaPrivilege	2144	wmic.exe
Token: SeSecurityPrivilege	2144	wmic.exe
Token: SeTakeOwnershipPrivilege	2144	wmic.exe
Token: SeLoadDriverPrivilege	2144	wmic.exe
Token: SeSystemProfilePrivilege	2144	wmic.exe
Token: SeSystemtimePrivilege	2144	wmic.exe
Token: SeProfSingleProcessPrivilege	2144	wmic.exe
Token: SeIncBasePriorityPrivilege	2144	wmic.exe
Token: SeCreatePagefilePrivilege	2144	wmic.exe
Token: SeBackupPrivilege	2144	wmic.exe
Token: SeRestorePrivilege	2144	wmic.exe
Token: SeShutdownPrivilege	2144	wmic.exe
Token: SeDebugPrivilege	2144	wmic.exe
Token: SeSystemEnvironmentPrivilege	2144	wmic.exe
Token: SeRemoteShutdownPrivilege	2144	wmic.exe
Token: SeUndockPrivilege	2144	wmic.exe
Token: SeManageVolumePrivilege	2144	wmic.exe
Token: 33	2144	wmic.exe
Token: 34	2144	wmic.exe
Token: 35	2144	wmic.exe
Token: SeIncreaseQuotaPrivilege	2740	wmic.exe
Token: SeSecurityPrivilege	2740	wmic.exe
Token: SeTakeOwnershipPrivilege	2740	wmic.exe
Token: SeLoadDriverPrivilege	2740	wmic.exe
Token: SeSystemProfilePrivilege	2740	wmic.exe
Token: SeSystemtimePrivilege	2740	wmic.exe
Token: SeProfSingleProcessPrivilege	2740	wmic.exe
Token: SeIncBasePriorityPrivilege	2740	wmic.exe
Token: SeCreatePagefilePrivilege	2740	wmic.exe
Token: SeBackupPrivilege	2740	wmic.exe
Token: SeRestorePrivilege	2740	wmic.exe
Token: SeShutdownPrivilege	2740	wmic.exe
Token: SeDebugPrivilege	2740	wmic.exe
Token: SeSystemEnvironmentPrivilege	2740	wmic.exe
Token: SeRemoteShutdownPrivilege	2740	wmic.exe
Token: SeUndockPrivilege	2740	wmic.exe
Token: SeManageVolumePrivilege	2740	wmic.exe
Token: 33	2740	wmic.exe
Token: 34	2740	wmic.exe
Token: 35	2740	wmic.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2340	2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2340	2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2340	2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2340	2376	cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2144	2340	1432242082.exe	31
PID 2340 wrote to memory of 2144	2340	1432242082.exe	31
PID 2340 wrote to memory of 2144	2340	1432242082.exe	31
PID 2340 wrote to memory of 2144	2340	1432242082.exe	31
PID 2340 wrote to memory of 2740	2340	1432242082.exe	34
PID 2340 wrote to memory of 2740	2340	1432242082.exe	34
PID 2340 wrote to memory of 2740	2340	1432242082.exe	34
PID 2340 wrote to memory of 2740	2340	1432242082.exe	34
PID 2340 wrote to memory of 2904	2340	1432242082.exe	36
PID 2340 wrote to memory of 2904	2340	1432242082.exe	36
PID 2340 wrote to memory of 2904	2340	1432242082.exe	36
PID 2340 wrote to memory of 2904	2340	1432242082.exe	36
PID 2340 wrote to memory of 2344	2340	1432242082.exe	38
PID 2340 wrote to memory of 2344	2340	1432242082.exe	38
PID 2340 wrote to memory of 2344	2340	1432242082.exe	38
PID 2340 wrote to memory of 2344	2340	1432242082.exe	38
PID 2340 wrote to memory of 2160	2340	1432242082.exe	40
PID 2340 wrote to memory of 2160	2340	1432242082.exe	40
PID 2340 wrote to memory of 2160	2340	1432242082.exe	40
PID 2340 wrote to memory of 2160	2340	1432242082.exe	40
PID 2340 wrote to memory of 2224	2340	1432242082.exe	42
PID 2340 wrote to memory of 2224	2340	1432242082.exe	42
PID 2340 wrote to memory of 2224	2340	1432242082.exe	42
PID 2340 wrote to memory of 2224	2340	1432242082.exe	42

C:\Users\Admin\AppData\Local\Temp\cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfe3f8d7c5ea48a32aa1f078d50a045a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\1432242082.exe
  C:\Users\Admin\AppData\Local\Temp\1432242082.exe 6]3]5]3]4]8]5]1]7]6]5 KU1EQTkrKzErGipNUj1NRTw4LxkpST9RUkxOQ0RDNiobKUFEUFBBPzwrKi0zNBssP0E/PCkaKkpPSkFRO09eQj44KzM0MRwnTkRLUEBMXFBPSDVjc21qNSksbm9yJj9ETEUoTkxLKj1ISy1CSEFJHSpASEE+SkI+OHFKR00tPjRNT0o8KlJGRUUoPEk+QTI8RhssQCk4Mi8vLy8vGyxAKjgsKhoqPjA4Ki0YKkMtNygrHSpBMTUoMBkpS0xMP1I/TFpPS0NRO0BUOhwnS1FIPlA9UVpCUUQ8PBkpS0xMP1I/TFpNOkdANx0qQlQ9WlRLRjgaLEBVQVc+TD1GREhCOB0rQEpSTVk9TExSUEFKOC8ZKU9CPklIVUdQXk5MRzcdKlNJNS0fKD5OKzobLE5NSVNCR0BZVEBJP0dIREJHPEFCUE9INRsuQk1aTFJJUUVFQDxtbHBfHSpPQUxQUUdDSUFcUFBBSlpDOlNONy8bLERBP0RRNywaLERQWzxUTTpHRD1cQEs/SlRPTT8/N2NcaW9dGy49SVJISUo+QFdETzYrMjArLDYvJiw4LigtKy8bLFBBSEQ2Ky8tLy0yLS4sMhkpP0lUSUlLOT9eTUNIPzowLC4pKjEpKzAkLiw3MCg1MCwkS0cdKlI9NUhuc2NnZl4gL2ItKS8kIl5pamtecGFda14fLlwoSFBFPSY4JyogLV8mVGVmX25wbSZIUSYzKikgMlslT2xmX2JqbCAxXy8pKiYbLFFKRzxhbm9qIi5eISphJCtgYl9xLCssKSwwXV9uY2RpK2VmYW4eLGFMcmlRZWVgQ2hxaWZsXGFJWWlgYF9tWWFgbWhndCQrYCwuMC0vMSkxMSkfLWBhanRqZGpgXWdcaF5iYm4dLWUqLi4sLzAuMiorJCxgLS0wLjUuMTQ3MjFVUUdzSWY5NFlzS21Edm50RSpANURjL2pKPjVgUk9ybkd1U3BFRFEoRkEqXkd0bHJKdSh0SzxlYFF2bjRHYS9pUT5AKkc+aGBQT0gvRWQuYlRmcyhFUmBgVUFXa1ZpUmFZP3EsW2kwdl9lK2lQLGthVGhLY1BPcylNZmZGR3csb01qKkRLcy5OUEE6Q0lzYj5KQjwuTChUaVJRQWdXT1Jr
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81725637728.txt bios get serialnumber
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81725637728.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81725637728.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81725637728.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81725637728.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81725637728.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
\Users\Admin\AppData\Local\Temp\1432242082.exe

Filesize
1021KB

MD5
eda3482f6461c35abebb74ba4e2b540d

SHA1
768c578c1ec43a79e257e420acf22b161701e4b1

SHA256
daf2b92b9eaeb79767d5558541736e77af6337be797815626d7c3c928c2632a0

SHA512
dfd42f39df785b43263f7cf80e8c93c6812a12bdf7e82833a2ad63dedf9d3896cbdc169efbef683a6f527a271186da846e545909c8fc5d32c53ba4ae69aca6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nso92BF.tmp\jtbtjyt.dll

Filesize
158KB

MD5
50717a3c230f7e5d92695291df9541c1

SHA1
5fca1d6d65bff01d9bb8ac82f0fb696dcfa51b4b

SHA256
c96ed31b77fd2f24435c2b3c9aa65b46fe05070660d6ee053bc03a8c5e547d71

SHA512
8e8fbcdd400ece291021a5bcbf50b693f3e122e28930539577035fabe5ad2f1ee1965349208bb17a9015c42210c3d1a20fbdc7c10f922eb213bbfbf716d9218f

Download Submit
\Users\Admin\AppData\Local\Temp\nso92BF.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit