Overview

overview

10

Static

static

10

JaffaCakes...70.ps1

windows7-x64

10

JaffaCakes...70.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2025 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_a0a38a2d92e516306c9b0ff455ec5a70.ps1

  • Size

    401KB

  • MD5

    a0a38a2d92e516306c9b0ff455ec5a70

  • SHA1

    e9852c1f451a27edc74f399148869dc436fad878

  • SHA256

    c6cced9b9ff8c73cf120a7422dda5cf760cfadffc40ad1cc0c957825843db10c

  • SHA512

    dc9763b4db14465851484956bcc965c745b7eb6895d53acae12ba1b2263e5c4638f724dcac485353dd1d9c95a9e55162917612211db52f22ea7f4da3a091400f

  • SSDEEP

    1536:5wG7MA34KtGjNnRm9aTpYlIgayfLyhmyORtjIPxplXCZInfLwbkSOW+69VoBwIsw:5k

Score
10/10
asyncrathackeddiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Hacked

C2

toornavigator.sytes.net:5500

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    notepad.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0a38a2d92e516306c9b0ff455ec5a70.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2644-15-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-10-0x00000000028F0000-0x0000000002910000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2644-6-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2644-7-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-42-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-9-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2644-11-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-8-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-22-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-20-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-18-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-16-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-12-0x00000000028F0000-0x0000000002908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2644-4-0x000007FEF62EE000-0x000007FEF62EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-44-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2684-34-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-41-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-38-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-33-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-29-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-27-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-25-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-23-0x0000000000090000-0x00000000000A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-43-0x00000000748BE000-0x00000000748BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-45-0x00000000748B0000-0x0000000074F9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2684-46-0x00000000748BE000-0x00000000748BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-47-0x00000000748B0000-0x0000000074F9E000-memory.dmp

    Filesize

    6.9MB

    Download