608f0026baf16b95de806bfc7efc41dc8be33c7d9b3974e3eb263cb3fca689ed

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe
Size

596KB
MD5

08407f237626cdebd916ebc12bf704aa
SHA1

b453fcbe42473eef1ba4a3e4bc470dc23cd1c394
SHA256

608f0026baf16b95de806bfc7efc41dc8be33c7d9b3974e3eb263cb3fca689ed
SHA512

b0ed994949fc7a13bf22e4615b0d92604fc6899fc4f2554622c0819278d95ec0b2c290f53f3de23dab56602e71876c4ee080caac283f823e7f3c5078cb962265
SSDEEP

12288:1v9quqlGs8yl+eN0FOLI0Gd3TWLZtVIn7bLhbc56C1x:1vnkblrN0FF0GJTsuXLhbTO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3616	dcfcabfcdcac.exe

Loads dropped DLL 2 IoCs

pid	Process
3944	08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe
3944	08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3436	3616	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcfcabfcdcac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe
Token: SeDebugPrivilege	5084	wmic.exe
Token: SeSystemEnvironmentPrivilege	5084	wmic.exe
Token: SeRemoteShutdownPrivilege	5084	wmic.exe
Token: SeUndockPrivilege	5084	wmic.exe
Token: SeManageVolumePrivilege	5084	wmic.exe
Token: 33	5084	wmic.exe
Token: 34	5084	wmic.exe
Token: 35	5084	wmic.exe
Token: 36	5084	wmic.exe
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe
Token: SeDebugPrivilege	5084	wmic.exe
Token: SeSystemEnvironmentPrivilege	5084	wmic.exe
Token: SeRemoteShutdownPrivilege	5084	wmic.exe
Token: SeUndockPrivilege	5084	wmic.exe
Token: SeManageVolumePrivilege	5084	wmic.exe
Token: 33	5084	wmic.exe
Token: 34	5084	wmic.exe
Token: 35	5084	wmic.exe
Token: 36	5084	wmic.exe
Token: SeIncreaseQuotaPrivilege	8	wmic.exe
Token: SeSecurityPrivilege	8	wmic.exe
Token: SeTakeOwnershipPrivilege	8	wmic.exe
Token: SeLoadDriverPrivilege	8	wmic.exe
Token: SeSystemProfilePrivilege	8	wmic.exe
Token: SeSystemtimePrivilege	8	wmic.exe
Token: SeProfSingleProcessPrivilege	8	wmic.exe
Token: SeIncBasePriorityPrivilege	8	wmic.exe
Token: SeCreatePagefilePrivilege	8	wmic.exe
Token: SeBackupPrivilege	8	wmic.exe
Token: SeRestorePrivilege	8	wmic.exe
Token: SeShutdownPrivilege	8	wmic.exe
Token: SeDebugPrivilege	8	wmic.exe
Token: SeSystemEnvironmentPrivilege	8	wmic.exe
Token: SeRemoteShutdownPrivilege	8	wmic.exe
Token: SeUndockPrivilege	8	wmic.exe
Token: SeManageVolumePrivilege	8	wmic.exe
Token: 33	8	wmic.exe
Token: 34	8	wmic.exe
Token: 35	8	wmic.exe
Token: 36	8	wmic.exe
Token: SeIncreaseQuotaPrivilege	8	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3616	3944	08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe	82
PID 3944 wrote to memory of 3616	3944	08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe	82
PID 3944 wrote to memory of 3616	3944	08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe	82
PID 3616 wrote to memory of 5084	3616	dcfcabfcdcac.exe	83
PID 3616 wrote to memory of 5084	3616	dcfcabfcdcac.exe	83
PID 3616 wrote to memory of 5084	3616	dcfcabfcdcac.exe	83
PID 3616 wrote to memory of 8	3616	dcfcabfcdcac.exe	86
PID 3616 wrote to memory of 8	3616	dcfcabfcdcac.exe	86
PID 3616 wrote to memory of 8	3616	dcfcabfcdcac.exe	86
PID 3616 wrote to memory of 224	3616	dcfcabfcdcac.exe	88
PID 3616 wrote to memory of 224	3616	dcfcabfcdcac.exe	88
PID 3616 wrote to memory of 224	3616	dcfcabfcdcac.exe	88
PID 3616 wrote to memory of 4108	3616	dcfcabfcdcac.exe	90
PID 3616 wrote to memory of 4108	3616	dcfcabfcdcac.exe	90
PID 3616 wrote to memory of 4108	3616	dcfcabfcdcac.exe	90
PID 3616 wrote to memory of 4184	3616	dcfcabfcdcac.exe	92
PID 3616 wrote to memory of 4184	3616	dcfcabfcdcac.exe	92
PID 3616 wrote to memory of 4184	3616	dcfcabfcdcac.exe	92

C:\Users\Admin\AppData\Local\Temp\08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08407f237626cdebd916ebc12bf704aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\dcfcabfcdcac.exe
  C:\Users\Admin\AppData\Local\Temp\dcfcabfcdcac.exe 1-7-2-7-4-5-8-4-3-6-8 LklHPTkrGCtQTzpPQkI2LBsnSkJOT05LSUJAOCgcLD5BUk1HPTkwLDAdKTtIPTspHCpITkw+TUJNXUJAOCgcLE09UU9DS1tQSkg6YmxzaTgoK25qcis+PVJEK01LSyU9TUomSEdESBwqO0hGPUNIPTsZKz8pOTEqLzcxLyocKjwuOjErNBktPS84JS0dKTwzNisqHCo8MTonKR8oTktLP00/UVlIUUJUOj9UNRwsSkpOPVM8UFo9UUk7NR8oTktLP00/UVlGQEZDNk9qXnBNX2plXmFtHCo9VEJZTVFFOxkrQFBBXD1FQ0VHR0E4GCtFSUtTWEBLS1JLQU83LR8oUkE9SUNVTE9XVEtKNhwqTkk6LBguPVEqORsnTlJITEhGQ1hTQEQ/TEc9SEY/QEFQSkg6GidITF1LUUlMRUo/NXNrc14cKkpBUU9KTUJMQFtQS0FPWTxAUlE2LhsnREY+PVc2LxkrREtbQVNGQEZHPFtARj9PU0hTPkI2Ylxkb2IaJ0NIVUdISjlAXENIPCsuMSosKSwrMystKjArHCpMRUo/NTAtMDAuMisuMC4YLj1NUEpHRz1BWUxIRkM2LyoqMSwsKDAuKDE2Ly82Li4iQEY=
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727832472.txt bios get serialnumber
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727832472.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727832472.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727832472.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81727832472.txt bios get version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 952
    3⤵
    - Program crash
    PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3616 -ip 3616
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81727832472.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81727832472.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81727832472.txt

Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcfcabfcdcac.exe

Filesize
828KB

MD5
1370880272e6977e5bb6f68f111cfd03

SHA1
05e8dd2e4944b2617547fa123861b0013c135699

SHA256
5d3a331662542d3b30b795cbb9fe18b0cb200078bb4496c369ba0e7855b3fa04

SHA512
a633d2dc4ab18ddc7afb5c2adf1238e695d18819d2815384b6f82508f134f2237e1da09b34434c42959d6ca46fc631f2349f44bb91694529c1e86df1071f0085

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse920F.tmp\jnlux.dll

Filesize
152KB

MD5
0b1a475c07c822fbedd44f9822b1d5d5

SHA1
9eecb7b904311e1f29e8db00c523d1cd03b3c6ac

SHA256
a6a4dccd18e10c3569e0cd74def460a7c9f2f137b5d60b3e9a4636bb3cdbd277

SHA512
05b28b3e732539ed73fa5946992f9d273179dd271b5a0e75772222f6d946fe4870e0a111013b5035b0f70bbb77e336150cc42c183133132f17353093c0fb7712

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse920F.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit