Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
02-06-2024 07:29
Static task
static1
Behavioral task
behavioral1
Sample
8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
Resource
win7-20240220-en
General
-
Target
8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
-
Size
39KB
-
MD5
8d4fc7d9b7f9ae031db6ac350af49861
-
SHA1
a57c563cc8406ef2ea4a8ad94972f039f053026e
-
SHA256
3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796
-
SHA512
900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87
-
SSDEEP
768:f0tIvRpRaIMLwZ7nPU8dKSPhfVJfQD/yLZlWXKwsl:f0CvDgIvZ7nPXKg3JfqaFlR
Malware Config
Extracted
limerat
-
aes_key
pysenuu
-
antivm
false
-
c2_url
https://pastebin.com/raw/smgAS6SG
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/smgAS6SG
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Executes dropped EXE 1 IoCs
pid: 5104, Process: 2142339208.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow: 19, ioc: pastebin.com
flow: 20, ioc: pastebin.com
pid: 1396, Process: powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 1396, Process: powershell.exe
pid: 1396, Process: powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description: Token: SeDebugPrivilege, pid: 1396, Process: powershell.exe
description: Token: SeDebugPrivilege, pid: 5104, Process: 2142339208.exe
description: Token: SeDebugPrivilege, pid: 5104, Process: 2142339208.exe
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 1396 wrote to memory of 5104, pid: 1396, Process: powershell.exe, procid_target: 84
description: PID 1396 wrote to memory of 5104, pid: 1396, Process: powershell.exe, procid_target: 84
description: PID 1396 wrote to memory of 5104, pid: 1396, Process: powershell.exe, procid_target: 84
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8d4fc7d9b7f9ae031db6ac350af49861_JaffaCakes118.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396 -
  C:\Users\Admin\AppData\Local\Temp\2142339208\2142339208.exe
  "C:\Users\Admin\AppData\Local\Temp\2142339208\2142339208.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
29KB
MD5 b799e179c6512cdea8fc1b60f3ea68e7
SHA1 fd011070db46a5ba428d467b7a1596c186ea7b69
SHA256 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e
SHA512 a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82