Analysis

max time kernel: 144s
max time network: 148s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 07:29

Static task: static1
Behavioral task: behavioral1
Sample: 8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
Resource: win7-20240220-en
General

Target: 8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
Size: 39KB
MD5: 8d4fc7d9b7f9ae031db6ac350af49861
SHA1: a57c563cc8406ef2ea4a8ad94972f039f053026e
SHA256: 3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796
SHA512: 900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87
SSDEEP: 768:f0tIvRpRaIMLwZ7nPU8dKSPhfVJfQD/yLZlWXKwsl:f0CvDgIvZ7nPXKg3JfqaFlR
Malware Config

Extracted: limerat
aes_key: pysenuu
antivm: false
c2_url: https://pastebin.com/raw/smgAS6SG
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false

Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/smgAS6SG
download_payload: false
install: false
pin_spread: false
usb_spread: false

Note that c2_url points at a pastebin raw paste rather than at the C2 server itself: LimeRAT reads the server address from the paste, so the paste ID is the stable indicator and the address behind it can change without the sample changing. With install set to false and install_name/main_folder present but unused, this configuration does not persist; it runs from Temp only.
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2636  273032370.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     pastebin.com
  5     pastebin.com

Command and Scripting Interpreter: PowerShell (heading absent from the extracted page; attributed from the process tree below, which lists this signature for PID 1992)
  pid   Process
  1992  powershell.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1992  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1992  powershell.exe
  Token: SeDebugPrivilege  2636  273032370.exe
  Token: SeDebugPrivilege  2636  273032370.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process         procid_target
  PID 1992 wrote to memory of 2636  1992  powershell.exe  29
  (the same row is reported four times)
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
   PID: 1992
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\273032370\273032370.exe (child of PID 1992)
      Command line: "C:\Users\Admin\AppData\Local\Temp\273032370\273032370.exe"
      PID: 2636
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
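The process tree and signatures above give the four observable behaviours an endpoint detection would key on: powershell.exe started with -ExecutionPolicy bypass on a script in the user's Temp directory, that PowerShell spawning a fresh .exe from Temp (273032370.exe), SeDebugPrivilege being enabled by the dropped binary, and a raw-paste fetch from pastebin.com for C2. The following is an added example, not part of this report or of any sandbox's code: a small rule set in Python run over constructed Sysmon-style records that mirror the tree. The field names, the explorer.exe parent of PID 1992 and the SHA256 attached to 273032370.exe are assumptions (the report does not state which file the 29KB download is). A benign control event uses the same execution-policy bypass from Program Files, to show why the rule keys on the script's location rather than on the flag alone.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report above.
C2_URL = "https://pastebin.com/raw/smgAS6SG"
KNOWN_SHA256 = {
    "3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796",  # submitted .ps1
    "182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e",  # 29KB download
}

# Directories an unprivileged user can write to; the sample and its drop both live in the first.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData\\Local\\Temp|ProgramData|Windows\\Temp)\\", re.I)
# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy, so also catch -ep, -ex, -exec.
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)
FILE_ARG = re.compile(r"-f(?:ile)?\s+(?:\"([^\"]+)\"|(\S+))", re.I)
PASTE_RAW = re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/", re.I)
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")


@dataclass
class Event:
    kind: str                 # "process", "token" or "network" (Sysmon-like field names, assumed)
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    sha256: str = ""
    dest: str = ""            # URL for "network" events
    privilege: str = ""       # privilege name for "token" events


def rule_ps_bypass_user_path(ev):
    """PowerShell launched with the execution policy bypassed on a script in a user-writable directory."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\powershell.exe"):
        return False
    m = FILE_ARG.search(ev.cmdline)
    script = (m.group(1) or m.group(2)) if m else ""
    return bool(EXEC_POLICY_BYPASS.search(ev.cmdline)) and bool(USER_WRITABLE.search(script))

def rule_dropped_exe_from_script_host(ev):
    """An .exe in a user-writable directory started by a script host (the 1992 -> 2636 edge in the tree)."""
    return (ev.kind == "process"
            and ev.parent_image.lower().endswith(SCRIPT_HOSTS)
            and ev.image.lower().endswith(".exe")
            and bool(USER_WRITABLE.search(ev.image)))

def rule_paste_site_raw_c2(ev):
    """Outbound request for a raw paste: the pattern behind 'Legitimate hosting services abused for C2'."""
    return ev.kind == "network" and bool(PASTE_RAW.match(ev.dest))

def rule_sedebug_from_user_path(ev):
    """SeDebugPrivilege enabled by a binary running from a user-writable path (powershell.exe in System32 stays quiet)."""
    return ev.kind == "token" and ev.privilege == "SeDebugPrivilege" and bool(USER_WRITABLE.search(ev.image))

RULES = {
    "ps_execution_policy_bypass_user_path": rule_ps_bypass_user_path,
    "dropped_exe_from_script_host": rule_dropped_exe_from_script_host,
    "paste_site_raw_c2": rule_paste_site_raw_c2,
    "known_sample_hash": lambda ev: ev.sha256.lower() in KNOWN_SHA256,
    "sedebugprivilege_from_user_path": rule_sedebug_from_user_path,
}

def evaluate(events):
    """Map each rule name to the PIDs whose events triggered it."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.pid)
    return hits

def correlated_chains(events, hits):
    """Pair a flagged PowerShell launch with a dropped .exe it spawned: the chain the process tree shows."""
    parents = set(hits["ps_execution_policy_bypass_user_path"])
    children = set(hits["dropped_exe_from_script_host"])
    return [(ev.parent_pid, ev.pid) for ev in events
            if ev.kind == "process" and ev.parent_pid in parents and ev.pid in children]

# Constructed telemetry mirroring the report's tree; the parent of 1992 and the hash on 2636 are assumed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = TEMP + r"\273032370\273032370.exe"
SAMPLE_EVENTS = [
    Event("process", 1992, PS, f"powershell.exe -ExecutionPolicy bypass -File {TEMP}\\8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1",
          parent_pid=1000, parent_image=r"C:\Windows\explorer.exe"),
    Event("token", 1992, PS, privilege="SeDebugPrivilege"),   # reported above, but a System32 image: no hit
    Event("process", 2636, DROP, f'"{DROP}"', parent_pid=1992, parent_image=PS,
          sha256="182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e"),
    Event("token", 2636, DROP, privilege="SeDebugPrivilege"),
    Event("network", 1992, PS, dest=C2_URL),
    # Benign control: same bypass flag, but the script sits under Program Files, so rule 1 must not fire.
    Event("process", 3100, PS, r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Ops\backup.ps1"',
          parent_pid=800, parent_image=r"C:\Windows\System32\svchost.exe"),
]
```

Run over SAMPLE_EVENTS, evaluate() attributes the bypass launch and the paste fetch to PID 1992, and the dropped-EXE, known-hash and SeDebugPrivilege rules to PID 2636; correlated_chains() then joins them into the single (1992, 2636) chain. The control event shows the design choice: -ExecutionPolicy bypass on its own is common in legitimate administration, so the rule requires the script to come from a user-writable location, which is the part of this sample's command line an attacker cannot easily avoid. In production the USER_WRITABLE list and SCRIPT_HOSTS tuple would be widened, and the hash rule would be fed from threat intelligence rather than hard-coded.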
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 29KB
MD5: b799e179c6512cdea8fc1b60f3ea68e7
SHA1: fd011070db46a5ba428d467b7a1596c186ea7b69
SHA256: 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e
SHA512: a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33