ac7792f2fee6036411238ea3085352a26b6a6eb44e5509a16c63bce0c1f71444

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe
Size

316KB
MD5

fbc681ec0f4c57691d1135a20e14ff56
SHA1

f75bb1d09314f23167b9d11847adb2575cb9b327
SHA256

ac7792f2fee6036411238ea3085352a26b6a6eb44e5509a16c63bce0c1f71444
SHA512

247ec80e4613c59abc15a4024e72d637c653ac576d13dd4050571b5521f36e804fbc7dcb568002f5ec7e809c0198647532a66cdb971752b687ada6dec57d0489
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEJ6qSsYGvX:FytbV3kSoXaLnTosly6qSsxv

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3496	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe
2384	fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4016	2384	fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe	84
PID 2384 wrote to memory of 4016	2384	fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe	84
PID 4016 wrote to memory of 3496	4016	cmd.exe	86
PID 4016 wrote to memory of 3496	4016	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fbc681ec0f4c57691d1135a20e14ff56_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads