ed56db3bff8fc61fb92ab10d42e227b0f16d95729feb43f17a660454de4851ab

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 10:07

Target

d41cee70cac085a607fd2cb9ee801fcc_JaffaCakes118.vbs
Size

749B
MD5

d41cee70cac085a607fd2cb9ee801fcc
SHA1

de7f92a36942473bd9b861188a8cbe9a62906bbb
SHA256

ed56db3bff8fc61fb92ab10d42e227b0f16d95729feb43f17a660454de4851ab
SHA512

064ed90bf902d61fad5dc4f423a32c785395a3d8dd985df3e8d866d293fe5e93e44b38b01f90ba5c6104180ca44e2eeb3e4de6eeba8c1a40e4ea412d39d3d778

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2480	1232	WScript.exe	30
PID 1232 wrote to memory of 2480	1232	WScript.exe	30
PID 1232 wrote to memory of 2480	1232	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d41cee70cac085a607fd2cb9ee801fcc_JaffaCakes118.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2480

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact