Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-04-2024 11:59
General
-
Target
19317da5733e40de48774b836f81b6edd83a60976ef180b6e796928399cee1c3.ps1.jaffacakes118.ps1
-
Size
9.0MB
-
MD5
c867dbeca2907417d58f0bfb4de699d6
-
SHA1
fa942ea34e59c938d9c307a9c5054118b21fa699
-
SHA256
19317da5733e40de48774b836f81b6edd83a60976ef180b6e796928399cee1c3
-
SHA512
2658decfca16f085932c43ee6397cb449ab7ecf041d2c46630a5fdb3075c21eb9e5836ddb2e9018f4aac99f68ba9a1c3e19973da5c9ca58fc9bb2f7278b557e5
-
SSDEEP
24576:sEAjJLSsZ05S8PllqWR4Q4/YVwCxCpMt8JNim5irz5aRt5vQZUZMc7JS0Ccn3ban:W8RVkwoFZ0qQpynBV
Malware Config
Extracted
asyncrat
Default
91.92.252.234:3232
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Async RAT payload 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\19317da5733e40de48774b836f81b6edd83a60976ef180b6e796928399cee1c3.ps1.jaffacakes118.ps12⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
-
C:\Windows\System32\chcp.comchcp 650014⤵
-
C:\Windows\System32\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\System32\findstr.exefindstr All4⤵
-
C:\Windows\System32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
-
C:\Windows\System32\chcp.comchcp 650014⤵
-
C:\Windows\System32\netsh.exenetsh wlan show networks mode=bssid4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\1be0f094029f23c1b391c1aef01b0888\Admin@OAILVCNY_en-US\Browsers\Mozilla\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\1be0f094029f23c1b391c1aef01b0888\Admin@OAILVCNY_en-US\System\Process.txtFilesize
1KB
MD56ae44e20a24e06324c97280c0dda5664
SHA163414b5c778bd07021e696e0884317177782f118
SHA256340df6842423e1f00143da7e6f51a6eccabb685c3616b53b373e1273f4fd66da
SHA51256eebb4e6afe57b13ddc4d2dc4947806224ba38ac5deba0842ae426c54f502b8f6ec1f20ddd0755b3591850805a18656f0784b048dc3375bd061e1cfaf5a0455
-
C:\Users\Admin\AppData\Local\1be0f094029f23c1b391c1aef01b0888\Admin@OAILVCNY_en-US\System\Process.txtFilesize
2KB
MD52392a42fe267e51e4efda3e5255d2447
SHA1d05d5d44968774a916b8547f03cedc34aa854392
SHA256c4980ce991c29c9cbcee9f42b5bc4e8b73307884da076c7ccd17f7617af550a8
SHA51200172ca843c8a1f3800f7acf729ab4e7fc4fcba3689b3a8773e19ca9a4819e4268e0343908715dc93a7db54576b8f812059e92ac4d73292e96241b5556c11ce3
-
C:\Users\Admin\AppData\Local\1be0f094029f23c1b391c1aef01b0888\Admin@OAILVCNY_en-US\System\Process.txtFilesize
3KB
MD54a63f584c9c28b7c741a3a763f663381
SHA1385e1a4c96b21009f9cabfcf9f10f1088e4ebdff
SHA2565890faf24abb99189318d83ba9997b53c022931bf27b839b3c429b80f8e647e0
SHA51272cfffa538090a69bccb3babb6739ea28d761ab6907c658c88b6b2568147dcfe841fa192c57f8867c5a1846a711a6ab8c356c2e5615833ff5b167073e5cf7a57
-
C:\Users\Admin\AppData\Local\1be0f094029f23c1b391c1aef01b0888\Admin@OAILVCNY_en-US\System\Process.txtFilesize
5KB
MD596559bc4c8d677d9ff19c21aa4b83a44
SHA17b2abc9792929c1277c05d8fd0ed660952935586
SHA256750bb59af0881d9678a347f771e2177f809046ce5b6f369773da22440a563b06
SHA5123abe7c10416763535fd740f02696c6973107991b737bb893a515566f9f977764820fae5af431ab0870af88bb0d6a42485867688ef84d18949f537c6216938783
-
C:\Users\Admin\AppData\Local\1be0f094029f23c1b391c1aef01b0888\Admin@OAILVCNY_en-US\System\Process.txtFilesize
643B
MD50f9245c9f1487ca08c95a555e196b274
SHA1521f261f32acd90c1dd7f4e0c1473d1941ca2924
SHA2567bd5d5b8752b6c2bffb07cb4ddb11205623c0e671bcc5f0a6b6ce4e3f65f34be
SHA512c35ed4da5a976871d6384f6aebf82608fe4444d6b64a988af27a393d89ff45a7569733d79354e56e72b238fff3deb4d7f4de33c0f15dce7b14befd11573bc2ed
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3oc15ci.5mf.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/964-32-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmpFilesize
10.8MB
-
memory/964-40-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-17-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmpFilesize
10.8MB
-
memory/964-238-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-19-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-20-0x000002E3106F0000-0x000002E310706000-memory.dmpFilesize
88KB
-
memory/964-237-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-202-0x000002E32A630000-0x000002E32A6AA000-memory.dmpFilesize
488KB
-
memory/964-189-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-24-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-188-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-187-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmpFilesize
2.0MB
-
memory/964-29-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmpFilesize
2.0MB
-
memory/964-44-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/964-33-0x000002E32A280000-0x000002E32A2F6000-memory.dmpFilesize
472KB
-
memory/964-34-0x000002E32A300000-0x000002E32A488000-memory.dmpFilesize
1.5MB
-
memory/964-35-0x000002E3108D0000-0x000002E3108EE000-memory.dmpFilesize
120KB
-
memory/964-16-0x000002E30EA90000-0x000002E30EAA6000-memory.dmpFilesize
88KB
-
memory/964-41-0x000002E310900000-0x000002E31090A000-memory.dmpFilesize
40KB
-
memory/964-42-0x000002E3108F0000-0x000002E310900000-memory.dmpFilesize
64KB
-
memory/1596-10-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmpFilesize
10.8MB
-
memory/1596-15-0x000001817E7E0000-0x000001817E83B000-memory.dmpFilesize
364KB
-
memory/1596-14-0x000001817BEC0000-0x000001817BF1A000-memory.dmpFilesize
360KB
-
memory/1596-11-0x000001817C4C0000-0x000001817C4D0000-memory.dmpFilesize
64KB
-
memory/1596-13-0x000001817C4C0000-0x000001817C4D0000-memory.dmpFilesize
64KB
-
memory/1596-12-0x000001817C4C0000-0x000001817C4D0000-memory.dmpFilesize
64KB
-
memory/1596-5-0x000001817E5E0000-0x000001817E602000-memory.dmpFilesize
136KB
-
memory/1596-28-0x000001817E7E0000-0x000001817E83B000-memory.dmpFilesize
364KB
-
memory/1596-27-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmpFilesize
10.8MB
-
memory/1596-23-0x000001817C4C0000-0x000001817C4D0000-memory.dmpFilesize
64KB
-
memory/1596-21-0x000001817C4C0000-0x000001817C4D0000-memory.dmpFilesize
64KB
-
memory/1596-22-0x000001817C4C0000-0x000001817C4D0000-memory.dmpFilesize
64KB
-
memory/1596-18-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmpFilesize
10.8MB