f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245.vbs
Size

77KB
MD5

4e69333b05d347f5383146cb52f2069d
SHA1

b20c2dfec1d341e33caab1826ee49cedb2029db6
SHA256

f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245
SHA512

be303a7bcdf7ab9954e025dac326c518c3ac27e5449122fa0e8f729c6c46dc35e993481decbdbc7375f5067dc4ceee4848d576a431fe4056176d7867c9af0a8d
SSDEEP

1536:1Jgz0H2SkJmJere42kaI+NiQtRCDKZX9n3jLNYPu:Hgc7

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3012	1876	WScript.exe	28
PID 1876 wrote to memory of 3012	1876	WScript.exe	28
PID 1876 wrote to memory of 3012	1876	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4f5ec10baed6ad8a7f824f2a2506a8338db4b7e71815b2f6bf466645dac7245.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systray64.PS1

Filesize
51KB

MD5
38fb9ae219cc70744abe72a8d03de55f

SHA1
e200e3264f91ccc900a5f043d6df741c05bca298

SHA256
1d3555606bf01f6597609dc4eea06695b8fde77fe886052ed72b60907ca22146

SHA512
50a1b3c464e5e6dd1fa1b790de8e964b9f3394450ba6a55e2150a9d0d610e30c1ec49925a37aa57080ce57e2524dbcb1183ebd83531e6a2c0ff3ebf1593bf4b6

Download Submit
memory/3012-5-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

Filesize
4KB

Download
memory/3012-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/3012-6-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/3012-9-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-12-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-11-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-10-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-13-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-14-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download