b2ad799f939e04e3ed45a79ee1560ec5f0b7d29ba3b1fc4cb3854b756c1c0e8b

Analysis

max time kernel
121s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe
Size

24KB
MD5

422faaf76fbbd5c696e24718328bd066
SHA1

e1b85574f4613154c58e5d68aa6aeb51fc79a261
SHA256

b2ad799f939e04e3ed45a79ee1560ec5f0b7d29ba3b1fc4cb3854b756c1c0e8b
SHA512

9745b3a601991af773b8db5b8e16afe311a5d088bdc9b3fe93b39c2551286244983e1a6369892b0e65b49b302281b28769eb72bf81ed587ccd65858af722a71e
SSDEEP

768:41NAUsbxtT6sFst/3IrdlLUwn9nbcuyD7U+rO:41NAUwtT6sFstwrbUQnouy8QO

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/2344-9-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/2344-20-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
700	PING.EXE
2852	PING.EXE
3044	PING.EXE
2164	PING.EXE
2472	PING.EXE
1636	PING.EXE
2152	PING.EXE
2904	PING.EXE
1056	PING.EXE
2336	PING.EXE
1520	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2568	shutdown.exe
Token: SeRemoteShutdownPrivilege	2568	shutdown.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2844	2344	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2844	2344	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2844	2344	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2844	2344	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2904	2844	cmd.exe	32
PID 2844 wrote to memory of 2904	2844	cmd.exe	32
PID 2844 wrote to memory of 2904	2844	cmd.exe	32
PID 2844 wrote to memory of 2904	2844	cmd.exe	32
PID 2844 wrote to memory of 2852	2844	cmd.exe	33
PID 2844 wrote to memory of 2852	2844	cmd.exe	33
PID 2844 wrote to memory of 2852	2844	cmd.exe	33
PID 2844 wrote to memory of 2852	2844	cmd.exe	33
PID 2844 wrote to memory of 1056	2844	cmd.exe	34
PID 2844 wrote to memory of 1056	2844	cmd.exe	34
PID 2844 wrote to memory of 1056	2844	cmd.exe	34
PID 2844 wrote to memory of 1056	2844	cmd.exe	34
PID 2844 wrote to memory of 3044	2844	cmd.exe	35
PID 2844 wrote to memory of 3044	2844	cmd.exe	35
PID 2844 wrote to memory of 3044	2844	cmd.exe	35
PID 2844 wrote to memory of 3044	2844	cmd.exe	35
PID 2844 wrote to memory of 2784	2844	cmd.exe	36
PID 2844 wrote to memory of 2784	2844	cmd.exe	36
PID 2844 wrote to memory of 2784	2844	cmd.exe	36
PID 2844 wrote to memory of 2784	2844	cmd.exe	36
PID 2844 wrote to memory of 2164	2844	cmd.exe	37
PID 2844 wrote to memory of 2164	2844	cmd.exe	37
PID 2844 wrote to memory of 2164	2844	cmd.exe	37
PID 2844 wrote to memory of 2164	2844	cmd.exe	37
PID 2844 wrote to memory of 2336	2844	cmd.exe	38
PID 2844 wrote to memory of 2336	2844	cmd.exe	38
PID 2844 wrote to memory of 2336	2844	cmd.exe	38
PID 2844 wrote to memory of 2336	2844	cmd.exe	38
PID 2844 wrote to memory of 2472	2844	cmd.exe	39
PID 2844 wrote to memory of 2472	2844	cmd.exe	39
PID 2844 wrote to memory of 2472	2844	cmd.exe	39
PID 2844 wrote to memory of 2472	2844	cmd.exe	39
PID 2844 wrote to memory of 1520	2844	cmd.exe	40
PID 2844 wrote to memory of 1520	2844	cmd.exe	40
PID 2844 wrote to memory of 1520	2844	cmd.exe	40
PID 2844 wrote to memory of 1520	2844	cmd.exe	40
PID 2844 wrote to memory of 1636	2844	cmd.exe	41
PID 2844 wrote to memory of 1636	2844	cmd.exe	41
PID 2844 wrote to memory of 1636	2844	cmd.exe	41
PID 2844 wrote to memory of 1636	2844	cmd.exe	41
PID 2844 wrote to memory of 700	2844	cmd.exe	42
PID 2844 wrote to memory of 700	2844	cmd.exe	42
PID 2844 wrote to memory of 700	2844	cmd.exe	42
PID 2844 wrote to memory of 700	2844	cmd.exe	42
PID 2844 wrote to memory of 2152	2844	cmd.exe	43
PID 2844 wrote to memory of 2152	2844	cmd.exe	43
PID 2844 wrote to memory of 2152	2844	cmd.exe	43
PID 2844 wrote to memory of 2152	2844	cmd.exe	43
PID 2844 wrote to memory of 2568	2844	cmd.exe	44
PID 2844 wrote to memory of 2568	2844	cmd.exe	44
PID 2844 wrote to memory of 2568	2844	cmd.exe	44
PID 2844 wrote to memory of 2568	2844	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8D80.tmp\PC Guard Antivirus 2010.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2904
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2852
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1056
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:3044
- - C:\Windows\SysWOW64\tree.com
    tree
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:2164
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:2336
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2472
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:1520
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:1636
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:700
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 6
    3⤵
    - Runs ping.exe
    PID:2152
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 30 -c "Riavvio del PC per la completa rimozione, grazie per aver usato il nostro prodotto!"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D80.tmp\PC Guard Antivirus 2010.bat

Filesize
882B

MD5
f75f1ccf45f1f9073a16cd332a195186

SHA1
af990311e363864111b5f2a334c01fb36b368453

SHA256
086875dc456de3c3ea211c2365d659ed50354951a3cc705fdf11a954563842b8

SHA512
6289abf8a0ea0202ff2ad33c48a6632c0782d7d5d08ade72274c9acfe08ba7cd70d3984cce7e49a88ffe86240f1f0fc4e54c67cd24a43366842bdc2901cd8832

Download Submit
memory/2344-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download