cecb1d6e99bff3468666bc3870bfc39041cb77c53b4bbba2e06981e70a5c3bdc

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe
Size

280KB
MD5

325329e2964ae0d348e86bbe485e4adb
SHA1

f5d0f4cff68de422440f0fff2bacedc6a9bb6bda
SHA256

cecb1d6e99bff3468666bc3870bfc39041cb77c53b4bbba2e06981e70a5c3bdc
SHA512

b4903ba63044fdedf41c16eae6e748dbeeb0d28f2ef4e1a18e3a676ab84be636bd1694195d88c49f5828ac391888bdffbc04df3b897e6404fb2a91a53fb15c18
SSDEEP

3072:EzeuGcbuAvropD+70WA3GpYJHoBKvyatOpXTsuZf2:EzeuG6uA4DjG2J+KvttCwuZO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2016	axfydm.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	cmd.exe
2608	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2628	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2608	2884	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2608	2884	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2608	2884	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2608	2884	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	30
PID 2608 wrote to memory of 2016	2608	cmd.exe	32
PID 2608 wrote to memory of 2016	2608	cmd.exe	32
PID 2608 wrote to memory of 2016	2608	cmd.exe	32
PID 2608 wrote to memory of 2016	2608	cmd.exe	32
PID 2608 wrote to memory of 2628	2608	cmd.exe	33
PID 2608 wrote to memory of 2628	2608	cmd.exe	33
PID 2608 wrote to memory of 2628	2608	cmd.exe	33
PID 2608 wrote to memory of 2628	2608	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\uzknwav.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\axfydm.exe
    "C:\Users\Admin\AppData\Local\Temp\axfydm.exe"
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghmkak.bat

Filesize
170B

MD5
1ea2da7f9e949c0bda5470e4f0143b83

SHA1
b11922c89976c60611d2f444a7fded11fbd591b8

SHA256
c4762d6c2d892c4565c9c6bd24f323348d887cd3415b753277b2feea750511d9

SHA512
a871ac63cfc5f4d821024464a9409705f57326c2e0934dd007d0b3c040d77bc7a0e49e1471fd09e7b3f26869de3b3ea1502e0e9032add6953bed1d633c1b03d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzknwav.bat

Filesize
124B

MD5
c0391a24f6fa2dc1c4ecb07051c9fac2

SHA1
70767f3ff4c95f753db0160177f37415a0e7aa7d

SHA256
d9f09df7b0250e5aac429cef4d6af881dbf4c5b4fc27f094b64b0725c34b4747

SHA512
c6c6468bacf91eab4903357521b67b06afa792f309b9423adccd5266d67bbde7637721ee02613915b60ac7d3586d3ecc97f1d78b9d56c7667ce644906d697b6c

Download Submit
\Users\Admin\AppData\Local\Temp\axfydm.exe

Filesize
180KB

MD5
024740fd6adedc01304b829c5c1d9c59

SHA1
04e51e256d4e35645898db37719e5ca29f19dc57

SHA256
85eacdd3421528413bcfc6bf03641e0db170f87837b6aa9c3584d99f3c208419

SHA512
d45d1b5213089f6707dc5c9df45d92b5809a73bda6c03071be1338734a6419dfad25a989850ff27d36b0907a94f4596c1e9f5a5ca44b4f555a7558a0b31bb5ec

Download Submit