Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 13-06-2024 10:07
Static task: static1
Behavioral task: behavioral1
Sample: a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe
Resource: win7-20240419-en
3 signatures
150 seconds
Behavioral task: behavioral2
Sample: a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe
Resource: win10v2004-20240508-en
2 signatures
150 seconds
General
Target: a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe
Size: 3.2MB
MD5: a500f61bceafcb0683ee2a8ab17bf750
SHA1: aed93b9c27ab61dd15f7a03a399cd68e026f1cb9
SHA256: 10ad1c02bae4b2e1f1ee63936a7e3183e4e6ebe09681763e5b509d9c718cdc72
SHA512: 5081bd1f3d7c5ac0f7151021aa64169ba6ff2ba1ab3b3b2c73b85d6ed7ac0a97307741612712c847986034e776c7bc2b54aecef216e3e3c01f58bebed3c98934
SSDEEP: 98304:/da+bLyVP4K84nB4OywFhEejk6+FlS2Si5HDknYSmZIVNpnE4MF5i5H5iO:U+bLUQK84BMwFPjkNlSa5DIFmZYNpE4P
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoCs)
pid | Process
1452 | cmd.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2080 | PING.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 1452 | 1732 | a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe | 33
PID 1732 wrote to memory of 1452 | 1732 | a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe | 33
PID 1732 wrote to memory of 1452 | 1732 | a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe | 33
PID 1732 wrote to memory of 1452 | 1732 | a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe | 33
PID 1452 wrote to memory of 2080 | 1452 | cmd.exe | 35
PID 1452 wrote to memory of 2080 | 1452 | cmd.exe | 35
PID 1452 wrote to memory of 2080 | 1452 | cmd.exe | 35
PID 1452 wrote to memory of 2080 | 1452 | cmd.exe | 35
Processes
C:\Users\Admin\AppData\Local\Temp\a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe"
- Suspicious use of WriteProcessMemory
PID:1732
    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a500f61bceafcb0683ee2a8ab17bf750_JaffaCakes118.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1452
        C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        - Runs ping.exe
        PID:2080