8c15547bfca61fdb10749f239d8f4c9956054983bbf85ef83ff9750227441ba5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe
Size

23KB
MD5

429f15cc348a4fde9efe7674918ad905
SHA1

a055bb652059fb58b8193033c4ad228ddd628a5d
SHA256

8c15547bfca61fdb10749f239d8f4c9956054983bbf85ef83ff9750227441ba5
SHA512

e8be894e23031196607af725f338dac195e44c3c4ed38afe768c69b35c124b2d8f04a0cd784752e2ab375fdb8ab7e794f026b88f8703ce056a7940f5bc068998
SSDEEP

384:uZiZ7ntrXGOuy6bkNIgeAo1Go0NQECpPQVFvA4FfqCQOsAWI4zuXJ6m1XVlt1:AYrXxi3x1Go+z0QzrJRQRAWIquXI4H

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4164	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3004	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 844	3004	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	90
PID 3004 wrote to memory of 844	3004	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	90
PID 3004 wrote to memory of 844	3004	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	90
PID 844 wrote to memory of 4164	844	cmd.exe	92
PID 844 wrote to memory of 4164	844	cmd.exe	92
PID 844 wrote to memory of 4164	844	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del "C:\Users\Admin\AppData\Local\Temp\429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe">>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
124B

MD5
e5a7ffe249a66b1af2d80fdc25856377

SHA1
ea23e2d7c3d84394ec35e5b34a425925dbe732fb

SHA256
06c562b3e423398118c55dfeb7d23ed0b31d5d97ec04592830b7a1161752f972

SHA512
8cbd95fa5d00f27d38af333664aaa3d9ac26438b0a52178a9994eaa7e1ce7a71781339cc55c9a0ce3ffd20e4e4a29a338f4b902aa76e4166540ef7e2188086c7

Download Submit
memory/3004-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-2-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3004-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-6-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3004-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download