evilnum | c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffee111b993de52e2034e31953dee86b_JaffaCakes118.lnk
Size

1.5MB
MD5

ffee111b993de52e2034e31953dee86b
SHA1

e88f7946cc7b987b0c49b28d770e722bd0fa3a04
SHA256

c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
SHA512

390d7a6d438ef634c7456a9f51948b22e250c61f2fac69493bb0cf1a06dfb189da191aca4e8ff4078b53f7092a1595309fb2b3eaa300e8989a2484b914151c47
SSDEEP

24576:7EyQe3EmVBbtCv51m8Pj7wLSDCFRKShXUYg5qsr3nD6908MzCHsAz08UKh0ua4nc:7Esrt21h7wSDCFZg5zmazCMAIChNaYjw

Score

10^/10

evilnum execution trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2724	1924	cmd.exe	31
PID 1924 wrote to memory of 2724	1924	cmd.exe	31
PID 1924 wrote to memory of 2724	1924	cmd.exe	31
PID 2724 wrote to memory of 2052	2724	cmd.exe	32
PID 2724 wrote to memory of 2052	2724	cmd.exe	32
PID 2724 wrote to memory of 2052	2724	cmd.exe	32
PID 2724 wrote to memory of 2812	2724	cmd.exe	33
PID 2724 wrote to memory of 2812	2724	cmd.exe	33
PID 2724 wrote to memory of 2812	2724	cmd.exe	33
PID 2724 wrote to memory of 2828	2724	cmd.exe	34
PID 2724 wrote to memory of 2828	2724	cmd.exe	34
PID 2724 wrote to memory of 2828	2724	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ffee111b993de52e2034e31953dee86b_JaffaCakes118.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "KYC Documenten.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:2052
- - C:\Windows\system32\find.exe
    find "END2"
    3⤵
    PID:2812
- - C:\Windows\system32\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads