76e51e1ab6717d4801544ec69f7e3efb50ea89016b95b0226de07510f572e8f0

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 16:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe
Size

662KB
MD5

f02c850801d636cf62d7e23d46b4a553
SHA1

b8fb8b038d536b7357d48513f7fbf437b57b648a
SHA256

76e51e1ab6717d4801544ec69f7e3efb50ea89016b95b0226de07510f572e8f0
SHA512

1f449c20a96781fdb3c06a74523e799377dd780d4ef7a54b5723a5e95d23b6bbe046d5e2785ad94c1f3412d700f60f6106c2849e870899a80d784a71447f0253
SSDEEP

12288:0669C56z4xTu8EtPvIgLNl/vbWtGNBBfc8vy4hO9:0l9YiyEtPPLNF+X86l

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	beecfiifca.exe

Loads dropped DLL 2 IoCs

pid	Process
1084	f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe
1084	f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	2988	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beecfiifca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5004	wmic.exe
Token: SeSecurityPrivilege	5004	wmic.exe
Token: SeTakeOwnershipPrivilege	5004	wmic.exe
Token: SeLoadDriverPrivilege	5004	wmic.exe
Token: SeSystemProfilePrivilege	5004	wmic.exe
Token: SeSystemtimePrivilege	5004	wmic.exe
Token: SeProfSingleProcessPrivilege	5004	wmic.exe
Token: SeIncBasePriorityPrivilege	5004	wmic.exe
Token: SeCreatePagefilePrivilege	5004	wmic.exe
Token: SeBackupPrivilege	5004	wmic.exe
Token: SeRestorePrivilege	5004	wmic.exe
Token: SeShutdownPrivilege	5004	wmic.exe
Token: SeDebugPrivilege	5004	wmic.exe
Token: SeSystemEnvironmentPrivilege	5004	wmic.exe
Token: SeRemoteShutdownPrivilege	5004	wmic.exe
Token: SeUndockPrivilege	5004	wmic.exe
Token: SeManageVolumePrivilege	5004	wmic.exe
Token: 33	5004	wmic.exe
Token: 34	5004	wmic.exe
Token: 35	5004	wmic.exe
Token: 36	5004	wmic.exe
Token: SeIncreaseQuotaPrivilege	5004	wmic.exe
Token: SeSecurityPrivilege	5004	wmic.exe
Token: SeTakeOwnershipPrivilege	5004	wmic.exe
Token: SeLoadDriverPrivilege	5004	wmic.exe
Token: SeSystemProfilePrivilege	5004	wmic.exe
Token: SeSystemtimePrivilege	5004	wmic.exe
Token: SeProfSingleProcessPrivilege	5004	wmic.exe
Token: SeIncBasePriorityPrivilege	5004	wmic.exe
Token: SeCreatePagefilePrivilege	5004	wmic.exe
Token: SeBackupPrivilege	5004	wmic.exe
Token: SeRestorePrivilege	5004	wmic.exe
Token: SeShutdownPrivilege	5004	wmic.exe
Token: SeDebugPrivilege	5004	wmic.exe
Token: SeSystemEnvironmentPrivilege	5004	wmic.exe
Token: SeRemoteShutdownPrivilege	5004	wmic.exe
Token: SeUndockPrivilege	5004	wmic.exe
Token: SeManageVolumePrivilege	5004	wmic.exe
Token: 33	5004	wmic.exe
Token: 34	5004	wmic.exe
Token: 35	5004	wmic.exe
Token: 36	5004	wmic.exe
Token: SeIncreaseQuotaPrivilege	4820	wmic.exe
Token: SeSecurityPrivilege	4820	wmic.exe
Token: SeTakeOwnershipPrivilege	4820	wmic.exe
Token: SeLoadDriverPrivilege	4820	wmic.exe
Token: SeSystemProfilePrivilege	4820	wmic.exe
Token: SeSystemtimePrivilege	4820	wmic.exe
Token: SeProfSingleProcessPrivilege	4820	wmic.exe
Token: SeIncBasePriorityPrivilege	4820	wmic.exe
Token: SeCreatePagefilePrivilege	4820	wmic.exe
Token: SeBackupPrivilege	4820	wmic.exe
Token: SeRestorePrivilege	4820	wmic.exe
Token: SeShutdownPrivilege	4820	wmic.exe
Token: SeDebugPrivilege	4820	wmic.exe
Token: SeSystemEnvironmentPrivilege	4820	wmic.exe
Token: SeRemoteShutdownPrivilege	4820	wmic.exe
Token: SeUndockPrivilege	4820	wmic.exe
Token: SeManageVolumePrivilege	4820	wmic.exe
Token: 33	4820	wmic.exe
Token: 34	4820	wmic.exe
Token: 35	4820	wmic.exe
Token: 36	4820	wmic.exe
Token: SeIncreaseQuotaPrivilege	4820	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2988	1084	f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe	82
PID 1084 wrote to memory of 2988	1084	f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe	82
PID 1084 wrote to memory of 2988	1084	f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe	82
PID 2988 wrote to memory of 5004	2988	beecfiifca.exe	83
PID 2988 wrote to memory of 5004	2988	beecfiifca.exe	83
PID 2988 wrote to memory of 5004	2988	beecfiifca.exe	83
PID 2988 wrote to memory of 4820	2988	beecfiifca.exe	86
PID 2988 wrote to memory of 4820	2988	beecfiifca.exe	86
PID 2988 wrote to memory of 4820	2988	beecfiifca.exe	86
PID 2988 wrote to memory of 560	2988	beecfiifca.exe	88
PID 2988 wrote to memory of 560	2988	beecfiifca.exe	88
PID 2988 wrote to memory of 560	2988	beecfiifca.exe	88
PID 2988 wrote to memory of 2724	2988	beecfiifca.exe	90
PID 2988 wrote to memory of 2724	2988	beecfiifca.exe	90
PID 2988 wrote to memory of 2724	2988	beecfiifca.exe	90
PID 2988 wrote to memory of 1644	2988	beecfiifca.exe	92
PID 2988 wrote to memory of 1644	2988	beecfiifca.exe	92
PID 2988 wrote to memory of 1644	2988	beecfiifca.exe	92

C:\Users\Admin\AppData\Local\Temp\f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f02c850801d636cf62d7e23d46b4a553_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\beecfiifca.exe
  C:\Users\Admin\AppData\Local\Temp\beecfiifca.exe 1!0!1!2!9!0!5!6!0!5!4 LlBIQjQwGylTUD5PSUM7JyAqSEVPU05SSkc7PSsaLz9FUlRIQjQwGylDREA8MB8tR1JKPlU+UF5JQzsnICpNRU1SRFJeU0lMOGJ0b2w5Ly5xaXYpPkVORyxUTk4kQUtKLkRKRU8fLTpMRD1LREA8IC5CKD0oKyAqQDE9LC8XLz8tPSgtHy9DMjQtLBovPzE8LTAeJlBNSURQP1NfT1BAVjw9WTgcLlBRTTtVPk5fQFFLQTweJlBNSURQP1NfTT9ERTgaL0BURF9UUEM9GylFU0FeQ0xCQ0lJPz0bK0dPUlJWQk1JV05BUT00HiZUQztORlVOVV5TSUw4Gi9RSTwyHy07Uyw3ICpOVE5TR0RFWlFFRz9OTURHREFCP1VNSDwgLkdKX01PTk9FTEU8cml1YBovTUFTVVFMQE5CWVVOQVFfQz9QUzgsICpESEREVjQxGylJTltDWU0/REk+WUVJP1FZT1I8RDhgYWdvZCAuQkZXSUZPPEBeSU87KTAzKDEsLC05MiwoMi0aL0s9UUFLSjxMWkNOTlBATEs7XWFnbWUbK1NJTEM0MS8uMjEsLzkyMBcvP0lXSUhOQUNdS0lIPz00KzA4LjAnMTAkNjUuNzo0MCFQSA==
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81726935539.txt bios get serialnumber
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81726935539.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81726935539.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:560
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81726935539.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81726935539.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 952
    3⤵
    - Program crash
    PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2988 -ip 2988
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81726935539.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81726935539.txt

Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\beecfiifca.exe

Filesize
846KB

MD5
13ca1963b06918e9045ef371552a8736

SHA1
491f58a8ffaea55d0fe52ce14c50fa34760d28ec

SHA256
af5132b5c4bf29db6ea5d6c8d5b6e82f02e9bf984af1697a1bd143186a7e0e21

SHA512
dc4d30893b036b807235526ff474b9bbab1eee6b8d4708adc821fe23d781c02e8a9c7049f9c04359302536f9c3d994bfc7079352e76d64a4fcfbfc652235eb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB603.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB603.tmp\emzqgiq.dll

Filesize
138KB

MD5
b7374abd4bb7e9cf6cdcff86cdfb6294

SHA1
78c0d5ee698005bb40f5562c60e6e17ba553d08c

SHA256
8a2df978b95c5a0404b2a06b4c0e8c95492aebd3fb0bf51e58ee92019aac3b85

SHA512
2909eda51765558189e8c606ce2cfa92d31944c9d5514d8ab3cf77de4963b237993c22720c6ba1292e1bb47da665480c087129780b9c1f84f9d4baeebe2b6c8b

Download Submit