4d007e30929cb71ae41fff8c20167267d59d0f8a4dfbe873ce317c2029ea5cf5

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe
Size

316KB
MD5

fb0e864d0e5a4ee2381f18f487b66740
SHA1

c5f8d51638bf03589289a499e7addb70c27e4190
SHA256

4d007e30929cb71ae41fff8c20167267d59d0f8a4dfbe873ce317c2029ea5cf5
SHA512

f4d15b0ad8c474c55f8259caf9b5a5126525a2bf34eb52494dc6887ba76b8551c219e24d06d695d6948818ba335e3ddb419f6df15a4bf1da5f4614e29ee2666b
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiE+LuUwTK:FytbV3kSoXaLnToslLiTK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2184	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2228	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe
1152	fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2184	1152	fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe	28
PID 1152 wrote to memory of 2184	1152	fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe	28
PID 1152 wrote to memory of 2184	1152	fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2228	2184	cmd.exe	30
PID 2184 wrote to memory of 2228	2184	cmd.exe	30
PID 2184 wrote to memory of 2228	2184	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fb0e864d0e5a4ee2381f18f487b66740_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...