f79b3fb8b11748b9b8a68c316c805366e05f34b9c2bf41814191d03df53522ed | Triage

Sharing

General

Target

34759a7b254af5d435a747330e172602_JaffaCakes118
Size

3KB
Sample

240511-n2ynvaeh2y
MD5

34759a7b254af5d435a747330e172602
SHA1

d0d2d2abc845103bc0655fd6fcc74adc332d34f5
SHA256

f79b3fb8b11748b9b8a68c316c805366e05f34b9c2bf41814191d03df53522ed
SHA512

4662b3e3f21ef000f569acb096f697e074b4425df67c3d3b34611cc65873cd02f17cf80edf5ba2a3b3287bd16e268d262f2f7706de5c275afbffc587e7b5bd72

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1SCyn_ZPahvp66p8IWBybgyebqvi_tKj8

Targets

- Target
  
  34759a7b254af5d435a747330e172602_JaffaCakes118
- Size
  
  3KB
- MD5
  
  34759a7b254af5d435a747330e172602
- SHA1
  
  d0d2d2abc845103bc0655fd6fcc74adc332d34f5
- SHA256
  
  f79b3fb8b11748b9b8a68c316c805366e05f34b9c2bf41814191d03df53522ed
- SHA512
  
  4662b3e3f21ef000f569acb096f697e074b4425df67c3d3b34611cc65873cd02f17cf80edf5ba2a3b3287bd16e268d262f2f7706de5c275afbffc587e7b5bd72
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2