General

  • Target: 65066005250ce7c4bbd85f30f489fb4e_JaffaCakes118
  • Size: 96KB
  • Sample: 240521-2j257sce7y
  • MD5: 65066005250ce7c4bbd85f30f489fb4e
  • SHA1: 32293f80a31c3becb59e28f5187a0bb08c97048f
  • SHA256: 60f0f3880a6decbd6af30198553336bd07529662cbfd3d3d0ef6becc6577ec96
  • SHA512: 96f9091c57af6ca5f7833113f6bbc5847e6c56c53856b3dd8b43d50b4b388ebd4888ef267ac5fe1f3daa7b23da69c3883e48c7171d2cc7cc43cdd456037bb6cd
  • SSDEEP: 1536:oTxjwKZ09cB7y9ghN8+mQ90MTv+a5RNccBW:0xjnB29gb8on7NccBW

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper)

Targets


    Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

MITRE ATT&CK Enterprise v15
