d4ef7b92009d4db0978be27b58dc3f4a830d596964ba323d5b757565e2ba2a5e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37e602c075b556227abcc2e6496c9f7a_JaffaCakes118.ps1
Size

2KB
MD5

37e602c075b556227abcc2e6496c9f7a
SHA1

8803cba7987a5b6b0396ef4fe4efc52b70ff6628
SHA256

d4ef7b92009d4db0978be27b58dc3f4a830d596964ba323d5b757565e2ba2a5e
SHA512

c4889fca09e764fb4baab832db4da5c3c19ccca638645af0e43de7d228532b23ac84204bb608127741ff7a673b85aa9dbb83891c945854a1fc4676fdfc536960

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 1296 powershell.exe
7 1296 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2320 powershell.exe
1296 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2320 powershell.exe
1296 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2320 powershell.exe
Token: SeDebugPrivilege 1296 powershell.exe

flow	pid	process
3	1296	powershell.exe
7	1296	powershell.exe

pid	process
2320	powershell.exe
1296	powershell.exe

pid	process
2320	powershell.exe
1296	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2320 wrote to memory of 1296	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 1296	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 1296	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 1296	2320	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\37e602c075b556227abcc2e6496c9f7a_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2R9NJGL30Z9RD0CL00FT.temp
Filesize
7KB

MD5
4666d558466d0c3f3965f40f256a1848

SHA1
673084454e5a228902815a8c6f8e0abf3f72bc39

SHA256
423a0a318e4651b2698bc1658c8b72d2b1bfc83787d8b7e4bdc93f146b983c92

SHA512
4271b79301ff5a7dfb62252fe10ffc0a7afce8058d18bf9c8fe9b2df2f776106f0fe0e5e67515a552e6781f3cf448b7f5d7874017ddba7b4a8028f4d034bff8c

Download Submit
memory/2320-12-0x0000000002A70000-0x0000000002AA2000-memory.dmp

Filesize
200KB

Download
memory/2320-7-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2320-8-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-9-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-10-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2320-4-0x000007FEF481E000-0x000007FEF481F000-memory.dmp

Filesize
4KB

Download
memory/2320-11-0x0000000002A70000-0x0000000002AA2000-memory.dmp

Filesize
200KB

Download
memory/2320-15-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-16-0x000007FEF481E000-0x000007FEF481F000-memory.dmp

Filesize
4KB

Download
memory/2320-17-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-18-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-19-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-22-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

Filesize
9.6MB

Download