f840f8bc3076f63c76db69f9f6c76623e3db4a2bd70809a78b9c45a90535bfdc

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
Size

488KB
MD5

eca3118dc775aab05ef1351257bfe4aa
SHA1

7ab478a5bb1aa6ebcb7202e025247cfa6dcf6cee
SHA256

f840f8bc3076f63c76db69f9f6c76623e3db4a2bd70809a78b9c45a90535bfdc
SHA512

32956c8d7a9f51a1f263a6f704e78150b37c58e30957f640cf6d0c0544687bd0ab0543ada3cfc4078e0506f2e8b238ea472875695f3e805ea0f3b6185df8a8ce
SSDEEP

12288:FytbV3kSoXaLnToslMHyacM7fxJS+p4u/qm8pWLC1F:Eb5kSYaLTVlMHyrT+Em8sCn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2168	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
2232	eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2864	2232	eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2864	2232	eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2864	2232	eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2168	2864	cmd.exe	30
PID 2864 wrote to memory of 2168	2864	cmd.exe	30
PID 2864 wrote to memory of 2168	2864	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...