Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
25-08-2024 19:45
General
-
Target
c171bcd34151cbcd48edbce13796e0ed_JaffaCakes118.ps1
-
Size
1.6MB
-
MD5
c171bcd34151cbcd48edbce13796e0ed
-
SHA1
2770fec86275dfb1a4a05e2d56bc27a089197666
-
SHA256
63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
-
SHA512
d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da
-
SSDEEP
12288:mCPioPTJd1WR3keV2Y/eHKaetuMUDfyTEHG+oIr7zOHSh3qruJJvbW:mxYTJw3keV2Y/xSMWPpoI7vh3qV
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\YOUR_FILES_ARE_ENCRYPTED.HTML
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Drops startup file 1 IoCs
-
Drops desktop.ini file(s) 35 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c171bcd34151cbcd48edbce13796e0ed_JaffaCakes118.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9twidpjl.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF02A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF029.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\c171bcd34151cbcd48edbce13796e0ed_JaffaCakes118.ps1"2⤵
- Blocklisted process makes network request
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r9mvnrci.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF603.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF602.tmp"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD50194a99090f18b0bdd758a3176f53d46
SHA1482a6399a8fd3e2402fed108a351f308be68847b
SHA25643997f9e6d4f10288ee0272bae74eb43ef71742b860bb1c1618d7fd09d0b26a3
SHA512754e49ac30976d88876edbbb433979d8c291503ba9bacd1ff0cde889a9526eda316e9d3820b4e163f55b63e4965bd0070f9b84c5a3fa07c2320667d40153ab60
-
Filesize
3KB
MD5fc3c5a6c3f83b52e3f8378acff24f0b6
SHA1b510f0f1929ab8c8010f4c0393081515729b7912
SHA2560812f8dc81d142d5e114ab4de98e43a05e3a3cb15d77a4bfc3416d01bd40e978
SHA5120d32883b07a1217cb3fa5c92bb8270bea4c9516fabd02c7bc6788e15830eb9d8e23febad0891657e28872694ef55f75c8a3521a3be4e2bf528033d4c46d39611
-
Filesize
7KB
MD523336d894bb3d56a1bed5a8a472b438e
SHA1097f13f0401b9de1bea7305f3e4d2b4db36eaefa
SHA256f40acc652f11af1916c7112076c06cbdebc022920f857fece508efe02acb59dc
SHA51210480e4a8f351a77d2e7f80ffdeebdc83570d75e8311f4f33cf29d53ca49973fd11fdbd52a4c2709582214896b43674cb0f982c71cf8b0aad4e1a5d8f44c562c
-
Filesize
1KB
MD5a8e9ff88281daab74509deba3abf3525
SHA123951689e0a64979cb01aebc4e95e6c7567c5cf8
SHA2562e1d32b76f9667490a3cc52da4c2b1bbe2fe4ca7c44f453e86fecfe255760d3f
SHA512c7d105f630273413c727312bbba266ca18a617c0f1a3ac60210549fea27c7126d501a3db78120c6b91d1350bda87af5c9d93db78b854f271a6038c10bcdb7be2
-
Filesize
1KB
MD5c8f2bf02b4520d8ba83907eb1a5bc0da
SHA1620070f9ae931f80c53c2069255d112f2d8dae53
SHA2561375f2225074e8f805bb49538d3ba3cd3414cc4a201cddd20ca80fa6d7757594
SHA51247d04e9a0f23e28d90723455845f0942a141efaf1af5b7746c4254afb9a46b55dc97250ba321cbf30dd389c07137e41d6cbafde1ad984f5ac0e7dbed4e7698d4
-
Filesize
3KB
MD576a0066ba8b3db90e3622ca883f7cac8
SHA18be25a5c314333be2f341160f8a18ced1afd2c11
SHA2562888a15ea4d368be21d1283ac6f7d0909d9c1cdc78dcf627798e5a3828049071
SHA512b3e8cf9fedc952124cc30a672bd0081fdf78e4f8f9181090fbe6bd2c1f9f8d28c891aaa6d48855781563f18fe50b22eb47485c7158a5607a797876e577a8bd66
-
Filesize
7KB
MD561110c09fa5a42c648d5b094fcf8ac11
SHA1829898621cb0ff1564119ea9debd7c1afd1e2841
SHA256a01bceb607cc388c54d6bba3b6461d615fd113b3a15ebe8bbfdabfc3c20e1a6e
SHA512e57eb3ad14532530f88892519c0f5f18f2432dcb927666fd5639a053b1d34cae4e953e854474eee93a1929626f56b7b96754b48593ce02261eebb13df7debd39
-
Filesize
7KB
MD5f2e6f740f9140bdd6aa3eba14b4f9468
SHA1764fc09d735b6b526bae0f933bb50084fddb2d5f
SHA256a379342e5957438b10523583a833461bff6a96c7bbbfc3cac3d4e2b0efcd0e99
SHA51234a7eff0432e537f92b1ccdecfb878236a3d477935ff44839728373ea8e853962f5bdd0daefcdc7166882e27383125e9b8a3e0caf6aa40a243230fa7716c214c
-
Filesize
468B
MD5caf98c9f9cc2c02cdc79eb3409a36bc5
SHA1aae6131763eaace982ee93fb15ee0eff45a034d2
SHA256dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499
SHA51274845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f
-
Filesize
309B
MD59f5b42e6bf7e2a7a5e9dbf51003aac5a
SHA1cdf894d6db0b10555cbe2726307dcd494fe20f92
SHA25681dff002c067625c8aa80936a3684658b1e4e499a304a452868e700ea92f0fd7
SHA5125558635dc466864306aadad02ed23a489ea3a54a8e3253b704f283b0ead1bd150fc427862fec63ca0642d2d4415718a930d054f18917182717291be9fbd52058
-
Filesize
652B
MD5f0cb4170aa230fcc6787f104b3489f44
SHA12e5023621562a7d0dab27016e02e4bc0a29298b0
SHA2568df4b46a01402521473b9d5010e3c934ca15f961c62d3e1d8a5c878dfc49245c
SHA51279b45c2c050b0013bf097ec3b1323e795c26d175c45f61d46029892cff17045d7696574ba4f397cdc9d45b6a5d5f7c7168c5a27718c3f23720afbbc9f52c5be2
-
Filesize
652B
MD5fa439550e147698fbaf4d5578ab37b90
SHA1487bddf1b4c3139a3d533547e02831bab6b242ff
SHA2563d74887f65630adc0b537bd80b6ca4d3699a64fb5b7f77b6619417c82f2b8d63
SHA5129ae919c11fec5a116a71553d3dc7c026cfc4bfa7951c4db6c29f9e31b887625f22469ba954bd70bbe3e0356373bd1a35f359d896a44d3d324cc7fdc1f0a2e90d
-
Filesize
309B
MD582744ec330e6986a3879e36a85b9f8ba
SHA176b731cf38acff926af22f1662c6d0b3c3ed45cf
SHA25659e6008b1805b10531fae28c51d6d7c9e4ff0746666220a13c7b038571790d06
SHA5123da3eb869968ab34bc15a0c20d535cc2b59750ca2bd3e77c53146e6db19e41368871c7aa45ea58774b1b506b399ae73e3172fe1ce7925153c23b8a38cbc051cb
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB