150a0ace910db0b56c051a0d35e2e2003b49d0fe00a2cb0aba85697449e434fa

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 16:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe
Size

397KB
MD5

10fc3a5acee571584a0bd416994c7641
SHA1

aa57ee9e21c25e76eb2f3257e6351ad733a2d8ca
SHA256

150a0ace910db0b56c051a0d35e2e2003b49d0fe00a2cb0aba85697449e434fa
SHA512

1df2018219fbbda5caf0b9e8a54887387616e62b6366fcee99543ecae4a934f0a49b5091d9aa1ed0287ddaff6243a364197d12c7a8fbf83ae9101b79a90a3f7e
SSDEEP

6144:nTjR5PrKF1qNFed5Sp8uq6zout2+/gG0QRXDxHG7fndRxnCxOs:nvRhCSp8uJouw+E8XDxm7fBCEs

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2560	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2660	1992	10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2660	1992	10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2660	1992	10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2660	1992	10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2560	2660	cmd.exe	32
PID 2660 wrote to memory of 2560	2660	cmd.exe	32
PID 2660 wrote to memory of 2560	2660	cmd.exe	32
PID 2660 wrote to memory of 2560	2660	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\10fc3a5acee571584a0bd416994c7641_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1992-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1992-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1992-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1992-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download