Overview

overview

10

Static

static

10

56d604f2e7...18.ps1

windows7-x64

10

56d604f2e7...18.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56d604f2e739f8daef926c6205b499f1_JaffaCakes118.ps1

  • Size

    2KB

  • MD5

    56d604f2e739f8daef926c6205b499f1

  • SHA1

    175fb8f1d97a95f9fb3361fc1a6e7a22b8920556

  • SHA256

    4543a6366a7a6b8a5e393d505b50cbddcf4b5248a021750904fe92c87986cc47

  • SHA512

    c09cdc9ea7970e631a75d939232f168753527c730880e55874446c4f48452cc61f6de72480be7979cd4c95054448412209d126650fcd93f80c9ce0c2be352b0b

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\56d604f2e739f8daef926c6205b499f1_JaffaCakes118.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ufdjxszm\ufdjxszm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53DD.tmp" "c:\Users\Admin\AppData\Local\Temp\ufdjxszm\CSC5DE45A35F02E4A67AA5A928ADADB5E2F.TMP"
        3⤵
          PID:1592

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES53DD.tmp
      Filesize

      1KB

      MD5

      63dbcbfa54998b4b52682ee63e85bd4a

      SHA1

      6e30e716a25b816734d5098aaf4c41539b68eef6

      SHA256

      95c47cfe04227bbdbdd5c12890ff9089df63d7f3c6128c19252152ed5abdfc23

      SHA512

      91475be2ce0aa805d6cab9d58e282ac06029dc7da1fe6973a0e602bb450bd24a652a06fac1f63741d56a0457d2d6fdf5b90aff19316679d67fe4c4e960676696

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jotf1uwe.qf4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ufdjxszm\ufdjxszm.dll
      Filesize

      3KB

      MD5

      5c5567dbf2b42bb34bf6837ad3a335f2

      SHA1

      4e0ed2b515d9c0eb1e8d7e1a09161f405b60efda

      SHA256

      01ab09d13a2c221f480e1426d2b46ba887d22e0523317c66d35e4aa44e1859b7

      SHA512

      8ddb16b043a63a08191d4498bbe5b15f4493b9d70de9f39c02e3a16bfd569337be8ea4bd4348f1e2eb4f9d75ba3d57672e05e286b9c58ea744d6cff65e1c5edf

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ufdjxszm\CSC5DE45A35F02E4A67AA5A928ADADB5E2F.TMP
      Filesize

      652B

      MD5

      17d86a6ee00eec8627de116b9d3da0c3

      SHA1

      54b8aa14452d0aa58d3103057fdbe980fc4767a2

      SHA256

      10c526eaf7e80bbfd0f49a4c08accea765b4c33b866b4b366a58f5856566eb84

      SHA512

      12f5d4bca4bf2dc3d014e59ad07efef68f0a13e870598f306286247c228dc95359e936ed06aba9bfc3be2a92b88fb227b2230b6eee18bb7dda4959d8b3293241

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ufdjxszm\ufdjxszm.0.cs
      Filesize

      565B

      MD5

      7ab331daccdacd5ff29c8e23b747b040

      SHA1

      7140f35b363576f33e646222a01fcddb27cab866

      SHA256

      4ab92bb2f2582b002f3f3e9d7f92ebe2ab2b53527da0e25caddfdfba7f6a3190

      SHA512

      3e6fa140d5e606c784e8f29f83c6346d5fc1bf11e86fefb9482ec8be967b3a5d18864fdb45be02c4f04b0502b9218783be1b755b4c88e50b0f6b685bbdaff395

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ufdjxszm\ufdjxszm.cmdline
      Filesize

      369B

      MD5

      64faae360050cfd81281aeea41671340

      SHA1

      3ae918ada0a3482b8097d18d59990e8597458ff0

      SHA256

      cae7d5fb125da602eca87337c3ce07495ca64fe38396b856db8f920050bf0f82

      SHA512

      d9fec9b096f9a5320785acad23efa9762efd2e4c7841cb7619d7ff1efaa6fd8c1698ed558aa17c64108dea9c99fedfbc84d229a7c85e5196e865ed36cc73b409

      Download Submit
    • memory/3228-11-0x00007FF9EBA30000-0x00007FF9EC4F1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3228-12-0x00007FF9EBA30000-0x00007FF9EC4F1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3228-0-0x00007FF9EBA33000-0x00007FF9EBA35000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3228-25-0x000002416D270000-0x000002416D278000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3228-1-0x000002416DF60000-0x000002416DF82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3228-27-0x00007FF9EBA30000-0x00007FF9EC4F1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3228-28-0x000002416D280000-0x000002416D281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3228-29-0x00007FF9EBA30000-0x00007FF9EC4F1000-memory.dmp
      Filesize

      10.8MB

      Download