Overview

overview

10

Static

static

3

3512d08a93...18.exe

windows7-x64

3

3512d08a93...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2024 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe

  • Size

    690KB

  • MD5

    3512d08a932b4b8d6ccdc259def8e064

  • SHA1

    420113523781f62428aeb556c35e75da69292177

  • SHA256

    1f8ab348af6cbbe737f5831fd3ff5c1313615ef3c15313e42ca6688ece4a7627

  • SHA512

    c9bdc77688746f62b88a98d88603cdfb7ee63d618368493a39f839c766ee1d2d8c1fc0ab313440491ef30369705c8c10e864c274fba708477c79fcc7910cfece

  • SSDEEP

    12288:Zb7wrmUJeglq/0PwSF0/46I4jlkt4hTF0yhHMLju7Jrn6dYCY3kS5+ZRUk+/KKbw:Zb7wrPJ7lqcY9PJktcp0sz7d+YCYzcEM

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy UnRestricted -NoLogo [System.Reflection.Assembly]::Load([Convert]::FromBase64String([IO.File]::ReadAllText('C:\Users\Admin\NTUSER'))).EntryPoint.Invoke($null,$null);
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\NTUSER
    Filesize

    340KB

    MD5

    7a837a84ff4c1ca8d8604c8fbd104273

    SHA1

    b83d6518e48730bed88066e611a06f01561f8c25

    SHA256

    8253c0a13f03dc521e7e51f2f3a2c1930456f5d544bd56d4138fd677b4eb05db

    SHA512

    3c93820f4db1351df5807510c35c13d2e276b6cf7969936ea4bc30a17e9cf68da22f4d10c5d80a0d60bce6c906c4ac9f75819b3dc2505d6e8f51fc436efd234d

    Download Submit
  • memory/2096-7-0x0000000073B91000-0x0000000073B92000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2096-9-0x0000000073B90000-0x000000007413B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2096-8-0x0000000073B90000-0x000000007413B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2096-10-0x0000000073B90000-0x000000007413B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2096-12-0x0000000073B90000-0x000000007413B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2856-0-0x000000007434E000-0x000000007434F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2856-1-0x00000000000F0000-0x00000000001A2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2856-4-0x0000000074340000-0x0000000074A2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2856-13-0x0000000074340000-0x0000000074A2E000-memory.dmp
    Filesize

    6.9MB

    Download