cecb1d6e99bff3468666bc3870bfc39041cb77c53b4bbba2e06981e70a5c3bdc

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe
Size

280KB
MD5

325329e2964ae0d348e86bbe485e4adb
SHA1

f5d0f4cff68de422440f0fff2bacedc6a9bb6bda
SHA256

cecb1d6e99bff3468666bc3870bfc39041cb77c53b4bbba2e06981e70a5c3bdc
SHA512

b4903ba63044fdedf41c16eae6e748dbeeb0d28f2ef4e1a18e3a676ab84be636bd1694195d88c49f5828ac391888bdffbc04df3b897e6404fb2a91a53fb15c18
SSDEEP

3072:EzeuGcbuAvropD+70WA3GpYJHoBKvyatOpXTsuZf2:EzeuG6uA4DjG2J+KvttCwuZO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3632	sdzlcw.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1480	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 5040	3836	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	81
PID 3836 wrote to memory of 5040	3836	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	81
PID 3836 wrote to memory of 5040	3836	325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe	81
PID 5040 wrote to memory of 3632	5040	cmd.exe	84
PID 5040 wrote to memory of 3632	5040	cmd.exe	84
PID 5040 wrote to memory of 3632	5040	cmd.exe	84
PID 5040 wrote to memory of 1480	5040	cmd.exe	85
PID 5040 wrote to memory of 1480	5040	cmd.exe	85
PID 5040 wrote to memory of 1480	5040	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\325329e2964ae0d348e86bbe485e4adb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqnmpan.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\sdzlcw.exe
    "C:\Users\Admin\AppData\Local\Temp\sdzlcw.exe"
    3⤵
    - Executes dropped EXE
    PID:3632
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iorgqa.bat

Filesize
170B

MD5
525cd4a8f33115e9534799df48d6a2de

SHA1
2a7308382459492e7343f4ee666fac72e7c44f62

SHA256
168b7316a238830edcd29b1d00d60107cd77936c04a63603983eed1b8d1449b0

SHA512
73298b6c629b420e2e3006f35a26e293cc8b247b9bee357c6c6e701d243f75093817db488126dd03d172afe8d3d61cfb57826a74d2ffdf61d5357cd4e9c68976

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdzlcw.exe

Filesize
180KB

MD5
940b1920917e2feffb8ed2022db9392e

SHA1
32c88fd58985143b872c9387a3000df9602630da

SHA256
c739a17012b63d3d8f715a704d758967120fc618fbff141a2b15b7000b51ce55

SHA512
8fefc8150469a6c2cadb7d9a94b6f8fc6aae2506664b1aa75590acece43887359c3a2bf209c39e11454a8a46306933805df997fba26f17b6bce2f3245c26e189

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqnmpan.bat

Filesize
124B

MD5
1ae225f644c2310e6028ecbc02a03557

SHA1
df77c4cdc80240e048ee9225156a3317ffb39bfa

SHA256
37db594507d788d939e92eeb927946f5fea332106797b876dbf12b3c3d0aa27a

SHA512
9d682329267d0d791d51660bf54c050b705711a7f1486fd4dcfaac06b1dfe9b957c50d451879c579c2825a2b3cee4623ad7d8b6309b1a5c72cd447137fab8dab

Download Submit