Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 29-03-2024 05:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
4 signatures
150 seconds
General
Target: 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe
Size: 488KB
MD5: 19637d0528829ba60cc7516f1730d052
SHA1: 037615f51dcf7fd1c8486de25d78ab61bbe34688
SHA256: e2bcf722a013154a7f52b5128cbf8198d72202db7be589b6296477b47619fb4a
SHA512: f6c7c0d7949c1f25edee14fd6e46288e3c548e7edeb0d28e381c4cb10d78b08d1ee2e8dae6fce267f4ff7e1396e30fb2499bf417b09f75b11203156aa3080cc0
SSDEEP: 12288:FytbV3kSoXaLnTosltB/bkybh0o4Crwxe3:Eb5kSYaLTVlvPh0Ece3
Score
7/10
Malware Config
Signatures
Deletes itself (1 IoCs)
pid | Process
348 | cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2888 | PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2148 | 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe
2148 | 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2148 | 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2148 wrote to memory of 348 | 2148 | 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe | 28
PID 2148 wrote to memory of 348 | 2148 | 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe | 28
PID 2148 wrote to memory of 348 | 2148 | 19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe | 28
PID 348 wrote to memory of 2888 | 348 | cmd.exe | 30
PID 348 wrote to memory of 2888 | 348 | cmd.exe | 30
PID 348 wrote to memory of 2888 | 348 | cmd.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

  C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\19637d0528829ba60cc7516f1730d052_JaffaCakes118.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:348

    C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    - Runs ping.exe
    PID:2888