1816a9023320b892c54fc1abdc4ba3177ae9ecee4f145efa71d290b357eb1061

General

Target

a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
Size

497KB
MD5

a8db020bc02e6fbcaac5aeb301cdc38e
SHA1

db5088a363771d518572fdf0e9b4c62f70314251
SHA256

1816a9023320b892c54fc1abdc4ba3177ae9ecee4f145efa71d290b357eb1061
SHA512

50eb95130a192ef4c622007cf6075bbbdcddd80b81298136c9f1ccaecf7e2b8f71474e3d2a5de178e81b9a76a54edb1d65a7951992db4c240590f50ed88e7a9b
SSDEEP

384:WRWRQ2wCLNka39k5/8xd9f3K2qIVT4CzztUakZN7llfR:lRMo39k5kxvf3K2LVrtUnR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	MSBuild.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 2152	108	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
108	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2544	2044	WScript.exe	28
PID 2044 wrote to memory of 2544	2044	WScript.exe	28
PID 2044 wrote to memory of 2544	2044	WScript.exe	28
PID 1696 wrote to memory of 2588	1696	taskeng.exe	33
PID 1696 wrote to memory of 2588	1696	taskeng.exe	33
PID 1696 wrote to memory of 2588	1696	taskeng.exe	33
PID 2588 wrote to memory of 108	2588	WScript.exe	35
PID 2588 wrote to memory of 108	2588	WScript.exe	35
PID 2588 wrote to memory of 108	2588	WScript.exe	35
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37
PID 108 wrote to memory of 2152	108	powershell.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn jamqzjc8fk /tr C:\Users\Admin\AppData\Roaming\ym66w.vbs
  2⤵
  - Creates scheduled task(s)
  PID:2544

C:\Windows\system32\taskeng.exe
taskeng.exe {64FA25FF-B908-41EA-AF92-DB8DD78511E9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ym66w.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Users\Admin\AppData\Roaming\MSBuild.exe
      "C:\Users\Admin\AppData\Roaming\MSBuild.exe"
      4⤵
      Executes dropped EXE
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSBuild.exe

Filesize
68KB

MD5
1f13cd7f1ecb2a7bcc1ff5e287b7eb2e

SHA1
8a0cdee8b4dc946a18f5063f2049ab992ee628df

SHA256
6adc88fc0a0e108851909618442c03f57cdfc20f6db4ee88b84c0caf420f991f

SHA512
b183ccae47db12902fb848fa56fe219992aaaccbf9194e6e9681b63ad1d931528ad4e3f26aa3a5e6182ac51a01f34629034a4c1e3fad510070cf5d682df741a4

Download Submit
C:\Users\Admin\AppData\Roaming\ym66w.vbs

Filesize
3KB

MD5
faa709a80f2a25ec364bc2c50cc69b64

SHA1
a8e6d0b246c269837e770e32479480afad642fa9

SHA256
9125b2874508060b55a10f0f6df7ecc37c8a5546ec6403cf76cdc8a04cdfaa37

SHA512
91c765733bb6c39517b571a010374681cf6e74de9931a9aa1a7413ccec70706f00bf63aadeebde4f74ccf9ad247f7634844eef631f10b463fd9b3eb13cccd2ce

Download Submit
memory/108-6-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/108-7-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/108-8-0x0000000002A00000-0x0000000002A08000-memory.dmp

Filesize
32KB

Download
memory/108-9-0x0000000002B80000-0x0000000002B8A000-memory.dmp

Filesize
40KB

Download
memory/2152-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads