Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/12/2024, 22:35
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_b9aeea371d97a735cb60fc3e41bac781fd37e9db279824784ea0399ec541c6fe.ps1
Resource
win7-20240903-en
4 signatures
150 seconds
General
-
Target
JaffaCakes118_b9aeea371d97a735cb60fc3e41bac781fd37e9db279824784ea0399ec541c6fe.ps1
-
Size
821KB
-
MD5
1272f95e9cd257e83a74c5e29186e9c0
-
SHA1
b4cf0895be4dbdd6aebac62e248220cce852ea35
-
SHA256
b9aeea371d97a735cb60fc3e41bac781fd37e9db279824784ea0399ec541c6fe
-
SHA512
53e6cfa4182530d1a7b32b915337205628d2fd3fdbc63764437d8344d1565b4a2320c58bb18d8f0e547b378d1f2be18b2839eabb8bda1c4b711c221f32fb0ef7
-
SSDEEP
12288:OVdITzaEX0TV1xv3qKypKM40jhXlaQFQ8E:KTVHUUj0jhXl98
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/2112-18-0x0000000002B20000-0x0000000002B4E000-memory.dmp agile_net -
pid Process 2112 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2112 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2112 powershell.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9aeea371d97a735cb60fc3e41bac781fd37e9db279824784ea0399ec541c6fe.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112