evilnum | c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720

Analysis

max time kernel
95s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffee111b993de52e2034e31953dee86b_JaffaCakes118.lnk
Size

1.5MB
MD5

ffee111b993de52e2034e31953dee86b
SHA1

e88f7946cc7b987b0c49b28d770e722bd0fa3a04
SHA256

c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
SHA512

390d7a6d438ef634c7456a9f51948b22e250c61f2fac69493bb0cf1a06dfb189da191aca4e8ff4078b53f7092a1595309fb2b3eaa300e8989a2484b914151c47
SSDEEP

24576:7EyQe3EmVBbtCv51m8Pj7wLSDCFRKShXUYg5qsr3nD6908MzCHsAz08UKh0ua4nc:7Esrt21h7wSDCFZg5zmazCMAIChNaYjw

Score

10^/10

evilnum execution trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 1360	3280	cmd.exe	83
PID 3280 wrote to memory of 1360	3280	cmd.exe	83
PID 1360 wrote to memory of 2352	1360	cmd.exe	84
PID 1360 wrote to memory of 2352	1360	cmd.exe	84
PID 1360 wrote to memory of 3932	1360	cmd.exe	85
PID 1360 wrote to memory of 3932	1360	cmd.exe	85
PID 1360 wrote to memory of 5036	1360	cmd.exe	86
PID 1360 wrote to memory of 5036	1360	cmd.exe	86

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ffee111b993de52e2034e31953dee86b_JaffaCakes118.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "KYC Documenten.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:2352
- - C:\Windows\system32\find.exe
    find "END2"
    3⤵
    PID:3932
- - C:\Windows\system32\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads