8b2fd20a062bc2d5f0ab7f7c77432b442444481f61fca33244cf5966cca00c27

Analysis

max time kernel
95s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe
Size

76KB
MD5

fa28ba1ed4e209dd6f695ca9af9d96ad
SHA1

e06604f6804c07437e5c6e8c3581198a3543791b
SHA256

8b2fd20a062bc2d5f0ab7f7c77432b442444481f61fca33244cf5966cca00c27
SHA512

cbb9f9e8fe7905b04cb2b665657dcb5ae8a997c400c3c4c49bed0b3c5cf379fdd2630296675efc7503d0a17ff534864a686bb73f37ae30467e435d7f4adbf1cf
SSDEEP

1536:iBmkZ3pqSmiqwFHv0grdmp5zV9WgZx2VNyNo1PF5GMepsme9wAnCokwR:Ordmp5zV9GGuXKwwAnBBR

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4596	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 224	2792	fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe	87
PID 2792 wrote to memory of 224	2792	fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe	87
PID 2792 wrote to memory of 224	2792	fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe	87
PID 224 wrote to memory of 4596	224	cmd.exe	89
PID 224 wrote to memory of 4596	224	cmd.exe	89
PID 224 wrote to memory of 4596	224	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del "C:\Users\Admin\AppData\Local\Temp\fa28ba1ed4e209dd6f695ca9af9d96ad_JaffaCakes118.exe">>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
124B

MD5
2f60d33f36992d1e8ff4798d7ae8d5a7

SHA1
1de558740f5e1ea4ac4c7b63e06e83490a55414d

SHA256
bd97596c7078ef488fa6beb865946bcd9aadc4a27f8c655291e3af430dd5af2f

SHA512
101d4a54d80427ffe5701237e24845af13da1bf0adccd74f89dcb4a2caa75ef91f8cc47a76dee15bf12d2f1b9d4a484765b42bcb3269ef94e5be360111d2e9e8

Download Submit