Analysis
-
max time kernel
140s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
22-07-2024 13:41
General
-
Target
6363ddf8a20345c0201868b209afbd63_JaffaCakes118.lnk
-
Size
685KB
-
MD5
6363ddf8a20345c0201868b209afbd63
-
SHA1
941727ee9620624f595175468c27f863e3c2bc4a
-
SHA256
3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
-
SHA512
f885eb46111da748b28b6a78d8e59e8e4f614e66e2e051e7a04d2d857c41513fdf68db77e2ee5319195389d6bd17e08fe5a2b159312e6deff5d157edfe8b2fe4
-
SSDEEP
12288:TQiqkgLGVRivcLwOtIO1nyhuEBUdw3VTVhUn5n/oGugyJ3Yql:TdqLGnZn1NEBUdwa5ngfg4j
Score
10/10
Malware Config
Signatures
-
Evilnum
A malware family with multiple components distributed through LNK files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\6363ddf8a20345c0201868b209afbd63_JaffaCakes118.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "compliance-docpack.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""3⤵
-
-
C:\Windows\system32\find.exefind "END2"3⤵
-
-
C:\Windows\system32\wscript.exewscript "C:\Users\Admin\AppData\Local\Temp\0.js"3⤵
-
-