hancitor | 4064ac41dbf2e965456b48d605e61387fbe7ba624b6dec7d8755d8040c17f171

Analysis

max time kernel
140s
max time network
133s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 07:01

Target

1e65bf939edfa4648370fdf1b9615e6c_JaffaCakes118.exe
Size

108KB
MD5

1e65bf939edfa4648370fdf1b9615e6c
SHA1

0d00226040f05506ade9fed89c1542a25b93e181
SHA256

4064ac41dbf2e965456b48d605e61387fbe7ba624b6dec7d8755d8040c17f171
SHA512

de26e04c2f881115a246cc6c0ae137c43e58c15fe417d85491684cdb8da8f47863942b7cd0f5da5f67ae72b9d7851b1637e20089ca1ce1525a7409405824e47e
SSDEEP

3072:UCFs0nvoeH7Y8sLAWoHcYvDwo1F5rFckAX8x:rnv12XuTFMkAsx

Score

10^/10

Family

hancitor

Botnet

0804_549362

http://reprathechim.com/4/forum.php

http://nothatribab.ru/4/forum.php

http://vetibutrew.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2912	1e65bf939edfa4648370fdf1b9615e6c_JaffaCakes118.exe
2912	1e65bf939edfa4648370fdf1b9615e6c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1e65bf939edfa4648370fdf1b9615e6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e65bf939edfa4648370fdf1b9615e6c_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

memory/2912-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2912-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download