8ba44a87ebee08786b61b8e08d96a9b0f4b0b9543560c9a406f1e7a59e3cd59d

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2362699874660e48a0fd78d7ac9c3e39_JaffaCakes118.vbs
Size

2KB
MD5

2362699874660e48a0fd78d7ac9c3e39
SHA1

820781211ce71a53740df8b6ebcdbdc0d79bc174
SHA256

8ba44a87ebee08786b61b8e08d96a9b0f4b0b9543560c9a406f1e7a59e3cd59d
SHA512

7f726b38647a1ebf372f56a9d6769bceb4da29fbb62a77fd1382917764aff71d9d9f22fb60fd23fe54c1ec976b45b3c543f75c3f56086e0cb6c39f2c332cfbb0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2156	1812	WScript.exe	28
PID 1812 wrote to memory of 2156	1812	WScript.exe	28
PID 1812 wrote to memory of 2156	1812	WScript.exe	28
PID 1812 wrote to memory of 2616	1812	WScript.exe	30
PID 1812 wrote to memory of 2616	1812	WScript.exe	30
PID 1812 wrote to memory of 2616	1812	WScript.exe	30
PID 2156 wrote to memory of 2188	2156	cmd.exe	32
PID 2156 wrote to memory of 2188	2156	cmd.exe	32
PID 2156 wrote to memory of 2188	2156	cmd.exe	32
PID 2156 wrote to memory of 2376	2156	cmd.exe	33
PID 2156 wrote to memory of 2376	2156	cmd.exe	33
PID 2156 wrote to memory of 2376	2156	cmd.exe	33
PID 2616 wrote to memory of 2572	2616	cmd.exe	34
PID 2616 wrote to memory of 2572	2616	cmd.exe	34
PID 2616 wrote to memory of 2572	2616	cmd.exe	34
PID 2616 wrote to memory of 2532	2616	cmd.exe	35
PID 2616 wrote to memory of 2532	2616	cmd.exe	35
PID 2616 wrote to memory of 2532	2616	cmd.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2362699874660e48a0fd78d7ac9c3e39_JaffaCakes118.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y| cacls "C:\Users\Admin\Desktop\Internat Explorer.html" /P Everyone:R
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2188
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internat Explorer.html" /P Everyone:R
    3⤵
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y| cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internat Explorer.html" /P Everyone:R
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2572
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internat Explorer.html" /P Everyone:R
    3⤵
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internat Explorer.html

Filesize
147B

MD5
d7ed2d2236f93cb098ff4f538c8ad243

SHA1
8f33a5d75505e71d96431b652d609734de8389df

SHA256
c11bd8fefd0b9b79622067895d74f335d27b6b435f719e9897fba585ff520460

SHA512
03b47c2815f17c3f9b589b40bf9636737d0c31ac85066c2c6b92b19d224712dbe3ab43bbcf84e2b724aa54311313841988a9c804e071e79a408f4d6622c52f58

Download Submit