62ee0235633e9d854019dc36203d1043889463c8527540af196481a2029a0251

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe
Size

316KB
MD5

ec40bb7a407184b725023a0241c9de1d
SHA1

ae4068a723df060dad0b68709df9ad6bf611953c
SHA256

62ee0235633e9d854019dc36203d1043889463c8527540af196481a2029a0251
SHA512

55ef60d505ab656675ba1e7b659dd0aca90732f81852ea02bc1da3d3ae92760595b833a2858228e3da7daf12776503f69b3e7fa9d30e001d1f4dfefed0f4556d
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEns3SH:FytbV3kSoXaLnToslms3Q

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2196	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe
2200	ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2052	2200	ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2052	2200	ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2052	2200	ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2196	2052	cmd.exe	30
PID 2052 wrote to memory of 2196	2052	cmd.exe	30
PID 2052 wrote to memory of 2196	2052	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ec40bb7a407184b725023a0241c9de1d_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads