Analysis Overview
SHA256
2abd76236a99fa1e52fee20ea374fc2fe798ba45fec3423855f1a3628df0966b
Threat Level: Known bad
The file adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Metasploit family
MetaSploit
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 09:38
Signatures
Metasploit family
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 09:38
Reported
2024-06-15 09:41
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3428 wrote to memory of 2444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 3428 wrote to memory of 2444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 2444 wrote to memory of 3456 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 2444 wrote to memory of 3456 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6179.tmp" "c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\CSCF2117C0233864825ACE5531FCE171FAB.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| BE | 88.221.83.225:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 225.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/3428-0-0x00007FF9F28E3000-0x00007FF9F28E5000-memory.dmp
memory/3428-6-0x000001DCED070000-0x000001DCED092000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_perpiatj.35c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3428-11-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp
memory/3428-12-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.cmdline
| MD5 | ee533639df9c04d0bc09d590a91422ca |
| SHA1 | 8f290378d469da30c361c2b0504dd210bd3d9674 |
| SHA256 | 1e857685814b162832dfdbbba6b09df00cf4937bfb1c63c807d9db7fb9ea28a1 |
| SHA512 | dcac50f3b99e1c48fe20fc6cb76717160e46625ddbbaa9a159647c35b4839ead550e2689b58e3dca1653c7200d62b593fc731e3a7c599887b92fa60f7f9b5dbb |
\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.0.cs
| MD5 | 7ab331daccdacd5ff29c8e23b747b040 |
| SHA1 | 7140f35b363576f33e646222a01fcddb27cab866 |
| SHA256 | 4ab92bb2f2582b002f3f3e9d7f92ebe2ab2b53527da0e25caddfdfba7f6a3190 |
| SHA512 | 3e6fa140d5e606c784e8f29f83c6346d5fc1bf11e86fefb9482ec8be967b3a5d18864fdb45be02c4f04b0502b9218783be1b755b4c88e50b0f6b685bbdaff395 |
\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\CSCF2117C0233864825ACE5531FCE171FAB.TMP
| MD5 | 12b9c70960b34392f9960cc4ad7e47ca |
| SHA1 | 81bbd6e894d00e3e34d40c174c7b0336447b7d9c |
| SHA256 | 6e5013557c0a5690cc598ac764d97643e22feecd3b1104d774a2301e77385ea2 |
| SHA512 | c6b777f4930cca514b15843b1a14656fe949f0d5b95912fd4d251ecf7c00a4b920e5c841c61cd71068f85c3a34eb2a8a6db3680319d7cb9e35ce97be02e6ec10 |
C:\Users\Admin\AppData\Local\Temp\RES6179.tmp
| MD5 | c2c33f43a54a996bf4692c80337aa5d0 |
| SHA1 | 81fcb4f13e8987127fa305129d3cc9e5c97b933f |
| SHA256 | b330105e82c08d6b908162cd63d7c08cac2dd9383bb3886c4882226d651cf7a2 |
| SHA512 | 66c5a6e9ffd554b16bcb225ab466448704e49c4b15cd381075d99e13eaa92ab11246d4512e21588360b62ba3ef5235e5091eb012158fff9624b5c55df05e12d3 |
memory/3428-25-0x000001DCECF20000-0x000001DCECF28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.dll
| MD5 | fc203db7f46358e7e8ae37725da61a76 |
| SHA1 | a86a440a54a7e360c337330783913703a2bdb404 |
| SHA256 | 17d7285e7943c62c2d1b5984f349ecbfbd40be3734e6e3619a1e4ce2f1e87211 |
| SHA512 | 42b8362f1d9105b366381a260f4ddd8a841807efd07629c625a1c0032b233fe2055599f1b79f243b2316d55c433fc1f791820846812ed862af222a5dbbbb0dfd |
memory/3428-27-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp
memory/3428-28-0x000001DCED060000-0x000001DCED061000-memory.dmp
memory/3428-29-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 09:38
Reported
2024-06-15 09:41
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
MetaSploit
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1076.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1075.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 936
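Added example, not part of the sandbox report and not the sample's own code: a detection over process-creation telemetry for the chain shown in the Processes sections of both detonations, powershell.exe -> csc.exe -> cvtres.exe. That chain is the footprint of PowerShell's Add-Type (System.CodeDom) compilation: csc.exe is launched with /noconfig /fullpaths and an @-response file named <random>.cmdline under the user's Temp directory, and csc.exe in turn runs cvtres.exe. The events below are constructed from this report's command lines; the Win10 PIDs 3428, 2444 and 3456 are the report's WriteProcessMemory entries, the Win7 PIDs 2088 and 2932 are taken from the memory-dump names, and the remaining PIDs, the parent PIDs and the benign MSBuild control record are assumed. dw20.exe -x -s <n> is the .NET error-reporting shim, so its presence in the Win7 run is treated as the host process crashing after the compile; the report does not give its parent, which is assumed here to be powershell.exe.

```python
"""Flag the powershell.exe -> csc.exe -> cvtres.exe chain in process-creation
telemetry. csc.exe launched with '/noconfig /fullpaths @"<Temp>\\<job>.cmdline"'
is the footprint of Add-Type (System.CodeDom) compilation from a PowerShell host."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


def basename(path: str) -> str:
    """Lower-cased file name; tolerates quotes and either slash style."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


# -ExecutionPolicy bypass and the abbreviations PowerShell accepts (-ex, -exec, -ep).
_POLICY_BYPASS = re.compile(r"-e(?:x\w*|p)\s+bypass\b", re.IGNORECASE)
# -File pointing into the user's Temp directory.
_TEMP_SCRIPT = re.compile(r'-f(?:ile)?\s+"?[^"\s]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
# CodeDom response file: /noconfig /fullpaths @"...\<job>.cmdline"
_CODEDOM_RSP = re.compile(r'/noconfig\s+/fullpaths\s+@"?[^"\s]*\.cmdline"?', re.IGNORECASE)
_HOSTS = {"powershell.exe", "pwsh.exe"}


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], limit: int = 16) -> List[ProcEvent]:
    """Parent chain of ev, nearest first; stops at an unknown parent or a cycle."""
    chain: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_addtype_chain(events: List[ProcEvent]) -> List[dict]:
    """One finding per csc.exe run with a CodeDom response file under a PowerShell ancestor."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "csc.exe" or not _CODEDOM_RSP.search(ev.cmdline):
            continue
        host = next((a for a in ancestors(ev, by_pid) if basename(a.image) in _HOSTS), None)
        if host is None:
            continue  # csc.exe without a PowerShell ancestor: build tooling, not Add-Type
        csc_children = [c for c in events if c.ppid == ev.pid]
        host_children = [c for c in events if c.ppid == host.pid]
        findings.append({
            "host_pid": host.pid,
            "csc_pid": ev.pid,
            "cvtres": any(basename(c.image) == "cvtres.exe" for c in csc_children),
            "policy_bypass": bool(_POLICY_BYPASS.search(host.cmdline)),
            "script_in_temp": bool(_TEMP_SCRIPT.search(host.cmdline)),
            # dw20.exe is the .NET error-reporting shim: the host crashed after compiling.
            "dotnet_crash": any(basename(c.image) == "dw20.exe" for c in host_children),
        })
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET4 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
NET2 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SCRIPT = rf"powershell.exe -ExecutionPolicy bypass -File {TEMP}\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1"

# Constructed from the report's command lines. Win10 PIDs are the report's
# WriteProcessMemory entries; Win7 PIDs 2088/2932 come from the memory-dump names;
# parent PIDs 1200/1300, PIDs 2933/2934 and the MSBuild control are assumed.
SAMPLE_EVENTS = [
    ProcEvent(3428, 1200, PS, SCRIPT),
    ProcEvent(2444, 3428, rf"{NET4}\csc.exe",
              rf'"{NET4}\csc.exe" /noconfig /fullpaths @"{TEMP}\fyzn0pdp\fyzn0pdp.cmdline"'),
    ProcEvent(3456, 2444, rf"{NET4}\cvtres.exe",
              rf'{NET4}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES6179.tmp" '
              rf'"{TEMP}\fyzn0pdp\CSCF2117C0233864825ACE5531FCE171FAB.TMP"'),
    ProcEvent(2088, 1300, PS, SCRIPT),
    ProcEvent(2932, 2088, rf"{NET2}\csc.exe",
              rf'"{NET2}\csc.exe" /noconfig /fullpaths @"{TEMP}\2dvfr2wb.cmdline"'),
    ProcEvent(2933, 2932, rf"{NET2}\cvtres.exe",
              rf'{NET2}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES1076.tmp" "{TEMP}\CSC1075.tmp"'),
    ProcEvent(2934, 2088, rf"{NET2}\dw20.exe", "dw20.exe -x -s 936"),
    # benign control (constructed): a build tool driving csc.exe with an ordinary .rsp file
    ProcEvent(5000, 4000, r"C:\Program Files\dotnet\MSBuild.exe", "MSBuild.exe app.csproj"),
    ProcEvent(5001, 5000, rf"{NET4}\csc.exe", rf'"{NET4}\csc.exe" /noconfig @"C:\src\app\obj\Debug\app.rsp"'),
]

if __name__ == "__main__":
    for finding in detect_addtype_chain(SAMPLE_EVENTS):
        print(finding)
```

Run directly it prints one finding per detonation. Matching on the .cmdline response file rather than on csc.exe alone is what separates Add-Type from ordinary builds; the MSBuild control is ignored both because it has no PowerShell ancestor and because it uses a .rsp file. The network section of the Win10 run shows only bing.com and reverse-DNS lookups, so nothing in this report lets the detection key on C2 traffic; the compile chain plus SeDebugPrivilege on the host is what is observable.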
Network
Files
memory/2088-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp
memory/2088-5-0x000000001B520000-0x000000001B802000-memory.dmp
memory/2088-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/2088-7-0x0000000002240000-0x0000000002248000-memory.dmp
memory/2088-6-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/2088-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/2088-10-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/2088-11-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\2dvfr2wb.cmdline
| MD5 | 99aeb00722a63ff8ccd6e7dc16da8f36 |
| SHA1 | f67458cdaa7cefcbf2fffe788e849795a731b359 |
| SHA256 | 5165e8fe2708aaf2bdba6f74eb0e7fb71d7fc4be1e7cbdefd4a2e59244e9bac8 |
| SHA512 | bd3fd8d079aa477820d1a17e20693a24311c75e37852d3c2738d7103cc9402d16061949f3c71782b2c2e2444a4c0a489251ab325d7511ee73a1c902a862502cb |
\??\c:\Users\Admin\AppData\Local\Temp\2dvfr2wb.0.cs
| MD5 | 7ab331daccdacd5ff29c8e23b747b040 |
| SHA1 | 7140f35b363576f33e646222a01fcddb27cab866 |
| SHA256 | 4ab92bb2f2582b002f3f3e9d7f92ebe2ab2b53527da0e25caddfdfba7f6a3190 |
| SHA512 | 3e6fa140d5e606c784e8f29f83c6346d5fc1bf11e86fefb9482ec8be967b3a5d18864fdb45be02c4f04b0502b9218783be1b755b4c88e50b0f6b685bbdaff395 |
memory/2932-17-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC1075.tmp
| MD5 | 3d1f44b7664653581e5f48860f88382e |
| SHA1 | 14844b721be8cc096ad3cd4412345ac6cd7f1bd1 |
| SHA256 | 6fc6876b07c9e1f9a580e028ce20903131da9ba93652b066eb19f1b6cbe2004a |
| SHA512 | f65b80738902a423d971e58fd3b9f21f84b32c1baeaf5dd0c88fd30657fb3397fcf657c6b08ce8ec56d7d148782e1688d4eaa11c9d1f0b6164ed045dfefa14cb |
C:\Users\Admin\AppData\Local\Temp\RES1076.tmp
| MD5 | eee76c37f76b147b58a1daa4412d3afb |
| SHA1 | dbbe9b95e8a055d346b567abd61d1617d1283cec |
| SHA256 | c1a90d4f117ea91377d4d33881f1552dbf348883517f3de736ee86aafcb86c15 |
| SHA512 | 73da6c7096995e226c1c2dee82ab7620d270589fc33c66e26d183181ecc98e3eac791799e7dec0ff6e745e80d317b052cb2eddbbbf1f2cf9ad576ae5e0e2c436 |
memory/2932-25-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.dll
| MD5 | dc64056ab7f1428a8d17885826a4d8b4 |
| SHA1 | 455e1dcece3daa3ca48b1b3e47ce2d911f955bd4 |
| SHA256 | d0fd50b3b567ce58faf2bb0f52692abe7ed5646bd175cbf42bad0d7a6f3d9172 |
| SHA512 | 1f5ec3b61e075254f3139ac76e452a95c88188a30156e644f113389cbf826db37a4562a802c64d565aad7050bec31eb72d9da356c9b53587fcd56c5915b61baf |
memory/2088-27-0x0000000002A80000-0x0000000002A88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.pdb
| MD5 | 4181f1ad3feab275e7e6b9328e3a8426 |
| SHA1 | 1cab34402ebd43cfc8339432d6e549444c4aeeeb |
| SHA256 | ff197054e3a86094efa5ae9619e89ea96725b10ec481c3190f578818134ecb3a |
| SHA512 | 5b2d67626a4f380b115747e73121f50c04520f3f8ad588071164f902dd7c111534bc85517b197fd65211173533e9ec83693111c66ab9c302db7fa61169e759da |
memory/2088-30-0x0000000002DA0000-0x0000000002DA1000-memory.dmp
memory/2088-31-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/2088-32-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp
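Added example, not from the report: a triage helper for the compiler scratch files listed in both Files sections. Add-Type leaves each compile job in the user's Temp directory as <job>.cmdline (the csc.exe response file), <job>.0.cs (the generated C# source), <job>.dll and, in the Win7 run, <job>.pdb, together with the CSC….tmp input and RES….tmp output that appear on the cvtres.exe command lines. The .NET 4.x run places the job files in a <job>\ subdirectory (fyzn0pdp), the .NET 2.0 run writes them straight into Temp (2dvfr2wb); the code handles both layouts. The listing is constructed from this report's paths; __PSScriptPolicyTest_*.ps1 is PowerShell's own start-up script-policy probe, not something the script wrote, and is deliberately left unmatched. Since fyzn0pdp.0.cs and 2dvfr2wb.0.cs carry the same SHA256 (4ab92bb2…), the script embeds one fixed C# block and either .0.cs is the file to recover for static review.

```python
"""Group the compiler scratch files that Add-Type / CodeDom leaves in %TEMP%
into compile jobs and report which artifacts of each job survive.
Handles both layouts in this report: .NET 4.x writes <Temp>\\<job>\\<job>.*,
.NET 2.0 writes <Temp>\\<job>.* directly."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# <job> is the 8-character random name CodeDom picks; .0.cs is the generated C# source.
_JOB = re.compile(
    r"^(?:(?P<dir>[a-z0-9]{8})\\)?(?P<job>[a-z0-9]{8})\.(?P<ext>cmdline|0\.cs|dll|pdb|out|err)$",
    re.IGNORECASE)
# cvtres.exe input/output as seen on its command line: CSC<hex>.tmp in, RES<hex>.tmp out.
_SCRATCH = re.compile(r"^(?:[a-z0-9]{8}\\)?(?:RES|CSC)[0-9A-F]+\.tmp$", re.IGNORECASE)


def relative_to_temp(path: str, temp: str) -> Optional[str]:
    """Path relative to temp, or None if outside it; strips the \\??\\ NT prefix the sandbox shows."""
    p = path.replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    prefix = temp.rstrip("\\") + "\\"
    return p[len(prefix):] if p.lower().startswith(prefix.lower()) else None


def group_compile_jobs(paths: List[str],
                       temp: str = r"C:\Users\Admin\AppData\Local\Temp") -> Tuple[Dict[str, dict], List[str]]:
    """Return ({job: {artifacts, source_recoverable, binary_recoverable}}, scratch files)."""
    exts_by_job: Dict[str, Set[str]] = defaultdict(set)
    scratch: List[str] = []
    for path in paths:
        rel = relative_to_temp(path, temp)
        if rel is None:
            continue
        m = _JOB.match(rel)
        if m:
            if m.group("dir") and m.group("dir").lower() != m.group("job").lower():
                continue  # an 8-char directory that is not the job's own: not the CodeDom layout
            exts_by_job[m.group("job").lower()].add(m.group("ext").lower())
        elif _SCRATCH.match(rel):
            scratch.append(rel)
    jobs = {
        job: {
            "artifacts": sorted(exts),
            "source_recoverable": "0.cs" in exts,   # the C# the script compiled
            "binary_recoverable": "dll" in exts,    # the assembly loaded into PowerShell
        }
        for job, exts in exts_by_job.items()
    }
    return jobs, scratch


# Constructed from the Files sections of both detonations in this report.
LISTING = [
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_perpiatj.35c.ps1",  # PowerShell's own probe
    r"\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\CSCF2117C0233864825ACE5531FCE171FAB.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RES6179.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.dll",
    r"\??\c:\Users\Admin\AppData\Local\Temp\2dvfr2wb.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\2dvfr2wb.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\CSC1075.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\RES1076.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.dll",
    r"C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.pdb",
]

if __name__ == "__main__":
    jobs, scratch = group_compile_jobs(LISTING)
    for job, info in jobs.items():
        print(job, info)
    print("scratch:", scratch)
```

On a live host the same grouping runs over a directory listing of %TEMP%; the job directory and the .0.cs file are what to collect first, because the .dll is the reflectively loaded payload stage and the .cmdline file only repeats the compiler options.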