Edit tour

Windows Analysis Report
cacaduk.captcha.ps1

Overview

General Information

Sample name:	cacaduk.captcha.ps1
Analysis ID:	1603242
MD5:	2ce909baa390d7c43462bdb42aebc0a2
SHA1:	9f09538159e42c6d932335a33d8b9d520983f03a
SHA256:	d109c3b246d193f8d28790f60bfd461dad0b05a61084b8243c721d66d7bbdf80
Tags:	ps1user-ttakvam
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

.NET source code contains potential unpacker

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 4672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 3060 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

powershell.exe (PID: 5236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 4672	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 4672	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xade2b:$b2: ::FromBase64String( 0x252270:$b2: ::FromBase64String( 0xadd60:$s1: -join 0x1008d5:$s1: -join 0x1057cf:$s1: -join 0x18996f:$s1: -join 0x1f28f9:$s1: -join 0x1ff9ce:$s1: -join 0x202da0:$s1: -join 0x203452:$s1: -join 0x204f43:$s1: -join 0x207149:$s1: -join 0x207970:$s1: -join 0x2081e0:$s1: -join 0x20891b:$s1: -join 0x20894d:$s1: -join 0x208995:$s1: -join 0x2089b4:$s1: -join 0x209204:$s1: -join 0x209380:$s1: -join 0x2093f8:$s1: -join

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", ProcessId: 4672, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", ProcessId: 4672, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 87.0% probability

Source: unknown	HTTPS traffic detected: 104.17.150.117:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.91.155.176:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: global traffic	HTTP traffic detected: GET /file_premium/9nj120vuey1opz8/nlhg.dat/file HTTP/1.1Host: www.mediafire.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3qvlkD504kEwIarskdv2X8_xiKJjCd7GVjuqTDvbEPvjWPOM9Liqzc0M7mxj9EpM90Fujuzlcx1Vq4uQNleRRabBdzy6DUskN3cm1vmhQ6M/9nj120vuey1opz8/nlhg.dat HTTP/1.1Host: download2435.mediafire.comCookie: ukey=gr35u6ruedi4zo8hggaiez99hwlcnrco; __cf_bm=pj0uFzDW3TmiCknk4Y.f2SEpT6S.LqoGiIlS4mBJkiM-1738258576-1.0.1.1-riKv5V.D02cEEd6Gq0eDEgwBzIpfaPv8T7GXwQHUqvztvVE5uhq.KoP8bFKMTWvQR.6iw0e0n7ad00axpHl1VgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.17.150.117 104.17.150.117

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file_premium/9nj120vuey1opz8/nlhg.dat/file HTTP/1.1Host: www.mediafire.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3qvlkD504kEwIarskdv2X8_xiKJjCd7GVjuqTDvbEPvjWPOM9Liqzc0M7mxj9EpM90Fujuzlcx1Vq4uQNleRRabBdzy6DUskN3cm1vmhQ6M/9nj120vuey1opz8/nlhg.dat HTTP/1.1Host: download2435.mediafire.comCookie: ukey=gr35u6ruedi4zo8hggaiez99hwlcnrco; __cf_bm=pj0uFzDW3TmiCknk4Y.f2SEpT6S.LqoGiIlS4mBJkiM-1738258576-1.0.1.1-riKv5V.D02cEEd6Gq0eDEgwBzIpfaPv8T7GXwQHUqvztvVE5uhq.KoP8bFKMTWvQR.6iw0e0n7ad00axpHl1VgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.mediafire.com
Source: global traffic	DNS traffic detected: DNS query: download2435.mediafire.com

Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download2435.mediafire.com
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download2435.mediafire.com/ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mediafire.com
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file1HLfsLMqRXkC

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.17.150.117:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.91.155.176:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4672, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: Process Memory Space: powershell.exe PID: 4672, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal68.evad.winPS1@23/5@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Nxqwwly
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl2tilnw.dou.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: cacaduk.captcha.ps1

Static file information: File size 1226553 > 1048576

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.powershell.exe.1ec0de70538.0.raw.unpack, Tfayc.cs

.Net Code: Xyzuqb System.AppDomain.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($BXJgbZVOGLekF));$iVLughHMB = $pabFAJblcCcgwbwViPHqz.GetBytes($EeRUCaaYUYmMCDll);$nMXISOyZwPncbGv = $(for ($VEdYERmlkFFUloexW = 0; $VEdYERmlkFFUloexW -lt $iVLughHMB.length; ) {for ($P

Yara detected Costura Assembly Loader

Source: Yara match	File source: 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4672, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5020

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532

Thread sleep time: -3689348814741908s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cacaduk.captcha.ps1	6%	Virustotal		Browse
cacaduk.captcha.ps1	5%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
download2435.mediafire.com	199.91.155.176	true	false		high
www.mediafire.com	104.17.150.117	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file	false		high
https://download2435.mediafire.com/ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3qvlkD504kEwIarskdv2X8_xiKJjCd7GVjuqTDvbEPvjWPOM9Liqzc0M7mxj9EpM90Fujuzlcx1Vq4uQNleRRabBdzy6DUskN3cm1vmhQ6M/9nj120vuey1opz8/nlhg.dat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://download2435.mediafire.com	powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file1HLfsLMqRXkC	powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.mediafire.com	powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://download2435.mediafire.com/ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3	powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.17.150.117	www.mediafire.com	United States		13335	CLOUDFLARENETUS	false
199.91.155.176	download2435.mediafire.com	United States		46179	MEDIAFIREUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1603242
Start date and time:	2025-01-30 18:35:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cacaduk.captcha.ps1
Detection:	MAL
Classification:	mal68.evad.winPS1@23/5@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:36:02	API Interceptor	1x Sleep call for process: dllhost.exe modified
12:36:07	API Interceptor	102x Sleep call for process: powershell.exe modified

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfhm0hzd.qo1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl2tilnw.dou.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.704236064752253
Encrypted:	false
SSDEEP:	48:KhTDTjPB6sCJCIRbU2K+5XEukvhkvklCywfn2GhGalzCSogZo+mhGal/CSogZo61:GtbeCLoHkvhkvCCtdhGadH2hGa5HB
MD5:	9D10FD492A757B194BDA4B31341B996A
SHA1:	E7995CAC8A1E4B8D92964C9964C6F49F83CEEBD1
SHA-256:	F8B673D516C522DD42D902159235A0A7D61E6BA2E600D496433A2B72CB78B93F
SHA-512:	8EEB65A935A2FD50B8A31467BE021679115C324E3F43B26B0B5D2FE65AF0AF183A8FA51CA5CB11D5CC1C16C491538F1F4F72078A01AA4F8FBF004C1F96AD8E7B
Malicious:	false
Preview:	...................................FL..................F.".. ...d........un=s..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....G@.i=s.._\|.n=s......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl>Zx.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....>Z{...Roaming.@......DWSl>Z{.....C......................3..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl>Zx.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl>Zx.....E.....................a...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl>Zx.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl>Zx.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl>Z......q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LOM1S4V8K6ZDOKA2X2EK.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.704236064752253
Encrypted:	false
SSDEEP:	48:KhTDTjPB6sCJCIRbU2K+5XEukvhkvklCywfn2GhGalzCSogZo+mhGal/CSogZo61:GtbeCLoHkvhkvCCtdhGadH2hGa5HB
MD5:	9D10FD492A757B194BDA4B31341B996A
SHA1:	E7995CAC8A1E4B8D92964C9964C6F49F83CEEBD1
SHA-256:	F8B673D516C522DD42D902159235A0A7D61E6BA2E600D496433A2B72CB78B93F
SHA-512:	8EEB65A935A2FD50B8A31467BE021679115C324E3F43B26B0B5D2FE65AF0AF183A8FA51CA5CB11D5CC1C16C491538F1F4F72078A01AA4F8FBF004C1F96AD8E7B
Malicious:	false
Preview:	...................................FL..................F.".. ...d........un=s..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....G@.i=s.._\|.n=s......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl>Zx.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....>Z{...Roaming.@......DWSl>Z{.....C......................3..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl>Zx.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl>Zx.....E.....................a...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl>Zx.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl>Zx.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl>Z......q...........

Static File Info

General

File type:	ASCII text, with very long lines (1169), with CRLF line terminators
Entropy (8bit):	5.955894474253898
TrID:
File name:	cacaduk.captcha.ps1
File size:	1'226'553 bytes
MD5:	2ce909baa390d7c43462bdb42aebc0a2
SHA1:	9f09538159e42c6d932335a33d8b9d520983f03a
SHA256:	d109c3b246d193f8d28790f60bfd461dad0b05a61084b8243c721d66d7bbdf80
SHA512:	14716ee50cda2d01bb0a3ccedc068100d83ddb5dbcc806a18389f5669b845f43663f7a3be3e9502dc57b9c303c4bc29d2392b9b558f853fdb59b62f006ab8fa0
SSDEEP:	6144:hrMriMri9riKrilrivri4riMriwrizriBriNripri0risriArikriMri9ri/riR:3R03MG9Rla4EQJx15R0WR
TLSH:	0345049DF68847F949596BDC8387B9CE135055BB0ABB520496E0D2AE3D0DE173A30E3C
File Content Preview:	$txoiHDeiAnkjE = 86..$gJStovzpoU = ((((12+3220))+(29+9+(10+8-8))-12-17+49-(199)))..$VckypWjMobDEOxpXpDc = $gJStovzpoU..$wnjciwaDStpCohFMuwRP = 643..$pIdXOIAXAMrjCHYKXMxAh = (((43449)3-41((47-32+29))*((27-18+25))-(44732)))..$GeWFMwHibZdWpUctlTva = $g

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Network Port Distribution

Total Packets: 46
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2025 18:36:15.548548937 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:15.548580885 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:15.548665047 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:15.559408903 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:15.559425116 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.134641886 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.134758949 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:16.139098883 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:16.139133930 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.139416933 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.150562048 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:16.191359043 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.430078983 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.430180073 CET	443	49704	104.17.150.117	192.168.2.5
Jan 30, 2025 18:36:16.430250883 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:16.441644907 CET	49704	443	192.168.2.5	104.17.150.117
Jan 30, 2025 18:36:16.452564955 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:16.452662945 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:16.452826977 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:16.453005075 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:16.453030109 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:16.982909918 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:16.983027935 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.000633001 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.000669956 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.000902891 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.009087086 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.055346966 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.140363932 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.172332048 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.172349930 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.172416925 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.172488928 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.172523975 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.172550917 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.230967045 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.230984926 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.231036901 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.231069088 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.231095076 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.231112957 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.312499046 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.312524080 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.312596083 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.312623978 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.312674999 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.318789005 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.318805933 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.318890095 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.318908930 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.318965912 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.320566893 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.320581913 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.320636034 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.320652008 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.320678949 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.320739985 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.322396994 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.322417974 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.322489977 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.322509050 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.322540045 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.322559118 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.401278973 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.401298046 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.401421070 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.401444912 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.401494026 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.407119036 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.407134056 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.407198906 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.407212019 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.407283068 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.407898903 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.407915115 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.407989025 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.408000946 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.408063889 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.409568071 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.409584045 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.409655094 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.409667969 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.409719944 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.410300016 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.410315037 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.410398960 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.410410881 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.410461903 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.438309908 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.438324928 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.438416004 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.438433886 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.438484907 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.438842058 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.438858032 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.438922882 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.438934088 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.438987017 CET	49705	443	192.168.2.5	199.91.155.176
Jan 30, 2025 18:36:17.495527983 CET	443	49705	199.91.155.176	192.168.2.5
Jan 30, 2025 18:36:17.495549917 CET	443	49705	199.91.155.176	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2025 18:36:15.534867048 CET	65020	53	192.168.2.5	1.1.1.1
Jan 30, 2025 18:36:15.542197943 CET	53	65020	1.1.1.1	192.168.2.5
Jan 30, 2025 18:36:16.442704916 CET	54464	53	192.168.2.5	1.1.1.1
Jan 30, 2025 18:36:16.451973915 CET	53	54464	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 30, 2025 18:36:15.534867048 CET	192.168.2.5	1.1.1.1	0x3dbc	Standard query (0)	www.mediafire.com	A (IP address)	IN (0x0001)	false
Jan 30, 2025 18:36:16.442704916 CET	192.168.2.5	1.1.1.1	0x1e1a	Standard query (0)	download2435.mediafire.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 30, 2025 18:36:15.542197943 CET	1.1.1.1	192.168.2.5	0x3dbc	No error (0)	www.mediafire.com	104.17.150.117	A (IP address)	IN (0x0001)	false
Jan 30, 2025 18:36:15.542197943 CET	1.1.1.1	192.168.2.5	0x3dbc	No error (0)	www.mediafire.com	104.17.151.117	A (IP address)	IN (0x0001)	false
Jan 30, 2025 18:36:16.451973915 CET	1.1.1.1	192.168.2.5	0x1e1a	No error (0)	download2435.mediafire.com	199.91.155.176	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.mediafire.com

download2435.mediafire.com

Statistics

Click to jump to process

Target ID:	0
Start time:	12:36:01
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:36:01
Start date:	30/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:36:02
Start date:	30/01/2025
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff669820000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Analysis Process: powershell.exePID: 5236, Parent PID: 1028

General

Target ID:	4
Start time:	12:36:26
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 3784, Parent PID: 1028

General

Target ID:	5
Start time:	12:36:26
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 728, Parent PID: 1028

General

Target ID:	6
Start time:	12:36:27
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 5912, Parent PID: 1028

General

Target ID:	7
Start time:	12:36:27
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 3060, Parent PID: 1028

General

Target ID:	8
Start time:	12:36:27
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 6300, Parent PID: 1028

General

Target ID:	9
Start time:	12:36:27
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 4676, Parent PID: 1028

General

Target ID:	10
Start time:	12:36:27
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 6572, Parent PID: 1028

General

Target ID:	11
Start time:	12:36:28
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 5240, Parent PID: 1028

General

Target ID:	12
Start time:	12:36:28
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 5308, Parent PID: 1028

General

Target ID:	13
Start time:	12:36:28
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

⊘No disassembly

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cacaduk.captcha.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfhm0hzd.qo1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl2tilnw.dou.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LOM1S4V8K6ZDOKA2X2EK.temp

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Statistics

Behavior

System Behavior

Analysis Process: powershell.exePID: 4672, Parent PID: 1028

General

File Activities

Windows Analysis Report
cacaduk.captcha.ps1