Analysis
- max time kernel: 133s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2024 03:18
Behavioral task: behavioral1
- Sample: 4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1
- Resource: win10v2004-20240226-en
General
- Target: 4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1
- Size: 194KB
- MD5: 4bbc7c53d45152aa23d2d3f4322ed490
- SHA1: 5508b012ff7ef2b34375f3a4b3067dbbfb4a453d
- SHA256: fbd7a548c9687bd0a74f905b03cedb8072717c67b04ddd05418f2f9cbb7076ac
- SHA512: ffb032a143e14215e6417d8f317958c0e18e4fbf99a940f4a07221590831a9e9d8f3202e4938593f9e2be30ad479cabec6e2fc90e76bc0d93a9d26d8d7a9631a
- SSDEEP: 3072:xKngySVRgypwBolhfJv0DO/sUy2T9QOcH9cHUD1lv9LGbIVu5kqKtjOt0BZ:xtNnXNXfJv0DWyP9SUhgGhA07
Malware Config
Extracted
- family: cobaltstrike
- 0
- C2 URLs:
  http://auditsecuritybusworld.com:443/jquery-3.3.1.min.js
  http://213.227.155.246:443/jquery-3.3.1.min.js
- access_type: 512
- beacon_type: 2048
- host: auditsecuritybusworld.com,/jquery-3.3.1.min.js,213.227.155.246,/jquery-3.3.1.min.js
- http_header1: (value not preserved in this copy of the report)
- http_header2: (value not preserved in this copy of the report)
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 45000
- port_number: 443
- sc_process32: %windir%\syswow64\dllhost.exe
- sc_process64: %windir%\sysnative\dllhost.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4.234810624e+09
- unknown2: AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /jquery-3.3.2.min.js
- user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
- watermark: 0

Reading the config: the two URIs are not a transcription error. The GET transaction (http_method1) uses /jquery-3.3.1.min.js, listed with each C2 in the host field, and the POST transaction (http_method2) uses /jquery-3.3.2.min.js, the uri field; together with the IE11-style user agent this is the layout of the public Cobalt Strike jQuery malleable C2 profile, and the beacon sends plain HTTP to port 443 as the C2 URLs show. polling_time is in milliseconds, so the base sleep between check-ins is 45 s. sc_process32 and sc_process64 are the beacon's spawnto targets: post-exploitation jobs are run inside a freshly started dllhost.exe rather than inside the PowerShell host. The state_machine field is mislabelled; its base64 opens with MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, the DER header of a 1024-bit RSA SubjectPublicKeyInfo, followed by NUL padding. That is the team server's public key, which every beacon built on the same server shares. The two http_header values were removed from this copy of the page and are not reconstructed here.
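The following Python is an added example and is not code from the sandbox or from Cobalt Strike. It decodes the state_machine field shown above with a small DER reader written for this page, recovers the key's OID, modulus size and public exponent, checks that everything after the DER element is zero padding, and hashes the DER blob as a pivot for finding other beacons built on the same team server. The only input is the string copied from the report; the helper names (`read_tlv`, `expect`, `decode_oid`, `parse_rsa_spki`, `parse_beacon_pubkey`) and the tag constants are this example's own.

```python
"""Parse the team-server RSA public key embedded in this beacon's config.

Added example, not part of the sandbox report. Cobalt Strike carries the team
server's public key as a DER SubjectPublicKeyInfo zero-padded to a fixed
256-byte field; the report shows that field base64-encoded under the label
"state_machine". The DER reader below was written for this page (it is not a
Cobalt Strike or sandbox API) and handles only the element types an RSA
SubjectPublicKeyInfo contains.
"""
import base64
import hashlib

# Copied verbatim from the "state_machine" field of the report above.
BEACON_PUBKEY_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
TAG_INTEGER, TAG_BIT_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x06, 0x30


def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element that starts at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def expect(buf, pos, tag):
    """read_tlv that also checks the tag byte."""
    got, value, end = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, end


def decode_oid(body):
    """Decode a base-128 OID body into dotted-decimal form."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this byte ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_rsa_spki(der):
    """Parse SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    spki, spki_end = expect(der, 0, TAG_SEQUENCE)
    alg, pos = expect(spki, 0, TAG_SEQUENCE)
    oid = decode_oid(expect(alg, 0, TAG_OID)[0])
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"not an rsaEncryption key: {oid}")
    bitstr, _ = expect(spki, pos, TAG_BIT_STRING)
    if bitstr[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    rsa, _ = expect(bitstr, 1, TAG_SEQUENCE)
    n_bytes, pos = expect(rsa, 0, TAG_INTEGER)
    e_bytes, _ = expect(rsa, pos, TAG_INTEGER)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {
        "oid": oid,
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "der_len": spki_end,
        # Every beacon built on one team server embeds the same key, so the
        # hash of the DER blob is a stable pivot for clustering samples.
        "der_sha256": hashlib.sha256(der[:spki_end]).hexdigest(),
    }


def parse_beacon_pubkey(b64):
    """Decode the padded config field and parse the DER key at its start."""
    stripped = b64.rstrip("=")
    raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4))
    info = parse_rsa_spki(raw)
    if any(raw[info["der_len"]:]):
        raise ValueError("non-zero bytes after the DER key: not a padded key field")
    info["field_len"] = len(raw)
    return info


if __name__ == "__main__":
    for key, value in parse_beacon_pubkey(BEACON_PUBKEY_B64).items():
        print(f"{key}: {value}")
```

Run against the field above this reports a 1024-bit rsaEncryption key with exponent 65537 inside a 162-byte DER element; the SHA-256 of that element is what to search for in other extracted configs when grouping samples by team server.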
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  5     1532  powershell.exe
  6     1532  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2220  powershell.exe
  1532  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2220  powershell.exe
  Token: SeDebugPrivilege  1532  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid   process         target process
  PID 2220 wrote to memory of 1532  2220  powershell.exe  powershell.exe
  PID 2220 wrote to memory of 1532  2220  powershell.exe  powershell.exe
  PID 2220 wrote to memory of 1532  2220  powershell.exe  powershell.exe
  PID 2220 wrote to memory of 1532  2220  powershell.exe  powershell.exe
Processes
- PID 2220: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 1532 (child of 2220): \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

The PIDs follow from the signature tables: 2220 is the process that wrote into 1532, and 1532 is the one that made the network requests, so the 64-bit powershell.exe started with -ExecutionPolicy bypass is the parent and the SysWOW64 copy is the child that beacons. The child's command line, -s -NoLogo -NoProfile, is the job host that PowerShell's Start-Job launches; with -RunAs32 on a 64-bit host it is the SysWOW64 copy, which is how the widely circulated Cobalt Strike PowerShell stager gets its 32-bit shellcode running.
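The Python below is an added detection example, not part of the report. It runs over constructed process-creation and web-proxy records whose PIDs, hosts, URIs and user agent are copied from this report (plus one benign control each), flags a bypass-policy 64-bit PowerShell that spawned a SysWOW64 PowerShell job child, flags requests to the configured C2 or carrying the jQuery-profile fingerprint (profile URI together with the fixed IE11 user agent; the URI alone is a real CDN path), and joins the two on the child PID. The dict field names are a hypothetical Sysmon-like schema, and the `pid` column in the proxy records stands in for the endpoint-to-flow correlation a real deployment would take from its EDR.

```python
"""Hunt for the execution chain and C2 traffic shown in the report above.

Added example, not part of the sandbox report. All events below are
constructed for this page; field names are a hypothetical Sysmon-like schema.
"""
import re

# Indicators taken from the extracted config above.
C2_HOSTS = {"auditsecuritybusworld.com", "213.227.155.246"}
C2_URIS = {"/jquery-3.3.1.min.js", "/jquery-3.3.2.min.js"}  # GET and POST transactions
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"

# Constructed process-creation events mirroring the report's tree.
PROCESS_EVENTS = [
    {"pid": 2220, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File "
                r"C:\Users\Admin\AppData\Local\Temp\4bbc7c53d45152aa23d2d3f4322ed490_JaffaCakes118.ps1"},
    {"pid": 1532, "ppid": 2220,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile'},
    # Benign control: an interactive 64-bit shell running a one-liner.
    {"pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Service"},
]

# Constructed proxy records; "pid" is this example's join key (see lead-in).
PROXY_EVENTS = [
    {"pid": 1532, "host": "auditsecuritybusworld.com", "method": "GET",
     "uri": "/jquery-3.3.1.min.js", "ua": C2_USER_AGENT},
    {"pid": 1532, "host": "213.227.155.246", "method": "POST",
     "uri": "/jquery-3.3.2.min.js", "ua": C2_USER_AGENT},
    # Benign control: the real jQuery CDN fetched by a browser.
    {"pid": 3100, "host": "code.jquery.com", "method": "GET",
     "uri": "/jquery-3.3.1.min.js", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122"},
]

BYPASS_RE = re.compile(r"-executionpolicy\s+bypass", re.I)
# "-s -NoLogo -NoProfile" is the job host Start-Job launches; with -RunAs32 on
# a 64-bit machine it is the SysWOW64 copy, as in the report.
JOB_CHILD_RE = re.compile(r"\s-s\s+-nologo\s+-noprofile\b", re.I)


def is_powershell(image):
    return image.lower().endswith("\\powershell.exe")


def is_wow64(image):
    return "\\syswow64\\" in image.lower()


def find_bypass_to_wow64_chains(events):
    """Return (parent_pid, child_pid) pairs where a bypass-policy 64-bit
    PowerShell spawned a SysWOW64 PowerShell job child."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (is_powershell(parent["image"]) and not is_wow64(parent["image"])
                and BYPASS_RE.search(parent["cmdline"])
                and is_powershell(child["image"]) and is_wow64(child["image"])
                and JOB_CHILD_RE.search(child["cmdline"])):
            hits.append((parent["pid"], child["pid"]))
    return hits


def find_c2_requests(proxy):
    """Flag requests to a configured C2, or matching the profile fingerprint:
    profile URI plus the fixed user agent. The URI on its own is not enough."""
    hits = []
    for r in proxy:
        reasons = []
        if r["host"] in C2_HOSTS:
            reasons.append("c2_host")
        if r["uri"] in C2_URIS and r["ua"] == C2_USER_AGENT:
            reasons.append("jquery_profile")
        if reasons:
            hits.append({"pid": r["pid"], "host": r["host"],
                         "method": r["method"], "reasons": reasons})
    return hits


def correlate(process_events, proxy_events):
    """Join each suspicious process chain with the C2 hits on its child PID."""
    c2_by_pid = {}
    for h in find_c2_requests(proxy_events):
        c2_by_pid[h["pid"]] = c2_by_pid.get(h["pid"], 0) + 1
    return [{"parent_pid": p, "child_pid": c, "c2_requests": c2_by_pid.get(c, 0)}
            for p, c in find_bypass_to_wow64_chains(process_events)]


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, PROXY_EVENTS):
        print(alert)
```

On the constructed input this yields one alert, parent 2220 to child 1532 with two C2 requests, and the benign shell and the CDN fetch produce nothing. The process-chain rule stands on its own if the beacon's C2 changes; the network rule stands on its own if the loader changes.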
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABULV888I8E4MG888A0A.temp
  Filesize: 7KB
  MD5: 0aac5a96ddc822728b8566040338a62c
  SHA1: 3fcec60503d1456688731c792459c328a98fbf11
  SHA256: 1f3a192fba23aec57979485ff6cc09f8b0a4a6396c977b89fe3576373713a6cd
  SHA512: 71deb96b255ccb5e759a0fcacd68b74905a59536141aa7859eaa4df808661369708217d90f106b12ab33ca5732ed2b64034e1ce3e143de912efc71122452d81d
  A file under Recent\CustomDestinations is a jump-list write made by the shell when the .ps1 was opened, a host artifact of the execution rather than a second-stage payload; no dropped executable is listed in this run.
Memory dumps (dump name, mapped range, size). Every range dumped from PID 1532 lies below 4 GB, consistent with its SysWOW64 image, while PID 2220 includes 64-bit ranges at 0x000007FEF6530000.
- PID 2220 (64-bit powershell.exe):
  memory/2220-4   0x000000001B330000-0x000000001B612000  2.9MB
  memory/2220-5   0x0000000001F40000-0x0000000001F48000  32KB
  memory/2220-6   0x000007FEF6530000-0x000007FEF6ECD000  9.6MB
  memory/2220-7   0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-8   0x00000000026E0000-0x0000000002712000  200KB
  memory/2220-9   0x00000000026E0000-0x0000000002712000  200KB
  memory/2220-10  0x000007FEF6530000-0x000007FEF6ECD000  9.6MB
  memory/2220-11  0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-12  0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-13  0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-22  0x000007FEF6530000-0x000007FEF6ECD000  9.6MB
  memory/2220-24  0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-25  0x000007FEF6530000-0x000007FEF6ECD000  9.6MB
  memory/2220-26  0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-27  0x0000000002AC0000-0x0000000002B40000  512KB
  memory/2220-28  0x0000000002AC0000-0x0000000002B40000  512KB
- PID 1532 (SysWOW64 powershell.exe):
  memory/1532-16  0x0000000073D90000-0x000000007433B000  5.7MB
  memory/1532-17  0x0000000073D90000-0x000000007433B000  5.7MB
  memory/1532-18  0x00000000026D0000-0x0000000002710000  256KB
  memory/1532-19  0x00000000026D0000-0x0000000002710000  256KB
  memory/1532-20  0x0000000005430000-0x00000000058A2000  4.4MB
  memory/1532-21  0x0000000005320000-0x0000000005354000  208KB
  memory/1532-23  0x0000000005430000-0x00000000058A2000  4.4MB
  memory/1532-29  0x0000000073D90000-0x000000007433B000  5.7MB
  memory/1532-30  0x0000000073D90000-0x000000007433B000  5.7MB
  memory/1532-31  0x00000000026D0000-0x0000000002710000  256KB
  memory/1532-32  0x00000000026D0000-0x0000000002710000  256KB
  memory/1532-34  0x0000000005320000-0x0000000005354000  208KB