18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5cc28f3f32e7274f13378a724a5ec33a_JaffaCakes118.ps1
Size

389KB
MD5

5cc28f3f32e7274f13378a724a5ec33a
SHA1

32292b4e125287a6567e3879d53d0d8d82bcdf01
SHA256

18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7
SHA512

319c311e01679d8d3d5e4fb140ac993cf00ad8dcd5275dedd43afc652b6f9bac26e56d47fb4f83acfd6447b2f117c24d9d6b7b886d7de9f7438ff3156fbb3ec5
SSDEEP

6144:l2VarLYIHEa7b0Zwsc4/eBaiOANQAgRuKJpUvCaUW:Eat6ZJpUaW

Score

7^/10

execution

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2456	powershell.exe
2764	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe
2764	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2764	2456	powershell.exe	29
PID 2456 wrote to memory of 2764	2456	powershell.exe	29
PID 2456 wrote to memory of 2764	2456	powershell.exe	29
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21
PID 2764 wrote to memory of 1204	2764	powershell.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\5cc28f3f32e7274f13378a724a5ec33a_JaffaCakes118.ps1
  2⤵
  - Deletes itself
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file C:\windows\temp\tmp2673.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d35ff22a7af93347587719a6135d22c5

SHA1
f4b83e67feccc4f9b1518974e7887e529cbb1175

SHA256
4fa74dd232a236e3f447524cf0f7a1ee611bf8433adba55b9583eba5a1f684e5

SHA512
9e81d2b8049f84a83d143e43337b8e8b897a8f1c75c87a25b6dee4558260db2dade455f91da3ded268b0c9e4b684b36ad9466fb68bfb2fcb4bfb9669d7da27eb

Download Submit
C:\windows\temp\tmp2673.ps1

Filesize
388KB

MD5
5770776ca526663bd1ca30f0a46f0cc3

SHA1
51a441668fcfdffa689b2314362ebd959be77e95

SHA256
faeebf486c8a2667d9917a4fe8983aa42479ae0a71efd777f6d37bc960796411

SHA512
66d85edc284d4d2d56544ba98bad51331cd687d3e47b095d918ccfd33d1ad5b7bb2ed2adaba24cacebccad36baeaa884381906034929c245ea62c9ed2e21888a

Download Submit
memory/1204-65-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1204-45-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1204-35-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1204-30-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1204-27-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2456-8-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-16-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-15-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-14-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-10-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-4-0x000007FEF632E000-0x000007FEF632F000-memory.dmp

Filesize
4KB

Download
memory/2456-7-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2456-5-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-22-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-659-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download