51aae2d1f9382300d099489d0c2b1fdc398aab808ea9a0e7c3409864d92f1cf4

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe
Size

644KB
MD5

f8969897cc4ad99d4920553f846c0c09
SHA1

2ba9e3117269e665220e055cda80a2359e5e017a
SHA256

51aae2d1f9382300d099489d0c2b1fdc398aab808ea9a0e7c3409864d92f1cf4
SHA512

45fede842abd2955eaa321e337f174ee1631a3c971f6b5ba5661d0b6c1a3bb479efd419503e31e2491afbded4366a533896b92b9be8b660de713f57c36a102ac
SSDEEP

12288:FytbV3kSoXaLnTosle2sToUIC/zZeWvecoO0HKNLOSEU8TnbFWqEG:Eb5kSYaLTVlWGC/zZNv2KTEdTbU9G

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2168	f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe
2168	f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3064	2168	f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe	28
PID 2168 wrote to memory of 3064	2168	f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe	28
PID 2168 wrote to memory of 3064	2168	f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe	28
PID 3064 wrote to memory of 2516	3064	cmd.exe	30
PID 3064 wrote to memory of 2516	3064	cmd.exe	30
PID 3064 wrote to memory of 2516	3064	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\f8969897cc4ad99d4920553f846c0c09_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads