15095a694e0ddcc5cc8f238a0b8d0911bc3d2a4c03d9f2b77f44f14d381336d3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe
Size

397KB
MD5

200ed40c9643b857c22fc4e454485113
SHA1

3234b7c6172137b8f880073ff09398bf6a1b0435
SHA256

15095a694e0ddcc5cc8f238a0b8d0911bc3d2a4c03d9f2b77f44f14d381336d3
SHA512

5ad87e170d0c4ce120b4d7867f7f03256694fcb0f2cb1a1bba40c5745dd2506958bcc5b558a80132c33a00664dab444710499fc6930c08fdff80500eb63f822b
SSDEEP

12288:Oy9Zx4WEXtoXBlvw2LUeP9HHHiHHHHHHHHHHHHHHHBHHH8HHHHHHHHHHHHHHHSHR:TZx4WCtmBlvwS2Z

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2544	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2732	1732	200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2732	1732	200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2732	1732	200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2732	1732	200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2544	2732	cmd.exe	32
PID 2732 wrote to memory of 2544	2732	cmd.exe	32
PID 2732 wrote to memory of 2544	2732	cmd.exe	32
PID 2732 wrote to memory of 2544	2732	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\200ed40c9643b857c22fc4e454485113_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1732-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1732-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1732-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1732-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download