f64aa9c2a910b4c38dc27177cef529ef373c8fcd4dc5fb4d998b3b0547fdf9eb

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe
Size

268KB
MD5

65afc103475ca89ec8e66a359fecf2a1
SHA1

aaa09e09360287a5d7a4433779d83bff4d11e67e
SHA256

f64aa9c2a910b4c38dc27177cef529ef373c8fcd4dc5fb4d998b3b0547fdf9eb
SHA512

5daf66892dabd45f883ade69a7d2b38b0f7f7810ea23d3b2729ecdfbe0e8fb80d8cf2bc5e46c8120746213212c6e0bea350d140b01a6ba931c1115af8393e7f9
SSDEEP

3072:VEKsMK+proOjbtWhNHma6jIc9Jds7PT5xYAhRJi6dYLyRzmFlLLh+vgLydPf6:aKs7+whNDJ+rs7bMAU6dyH+oL4Pi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2400	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	vhuigr.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cmd.exe
2400	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2272	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2400	1656	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2400	1656	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2400	1656	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2400	1656	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2388	2400	cmd.exe	33
PID 2400 wrote to memory of 2388	2400	cmd.exe	33
PID 2400 wrote to memory of 2388	2400	cmd.exe	33
PID 2400 wrote to memory of 2388	2400	cmd.exe	33
PID 2400 wrote to memory of 2272	2400	cmd.exe	34
PID 2400 wrote to memory of 2272	2400	cmd.exe	34
PID 2400 wrote to memory of 2272	2400	cmd.exe	34
PID 2400 wrote to memory of 2272	2400	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\cdotfgh.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\vhuigr.exe
    "C:\Users\Admin\AppData\Local\Temp\vhuigr.exe"
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdotfgh.bat

Filesize
124B

MD5
2d7741b32f0dea266c7a5cac4f1eff42

SHA1
c937b2f98219d87f70047fbf74beddcfd74b0bd4

SHA256
ee502abd9f5d1992eeb8b561a949b91aae8239cd9e01951321e2417709d9d7da

SHA512
ea05dac813512a85ddf04e96e4d7fdf4a21ad3e4e98f2d15eee42762f65639e248220d2483dc63bfbaa84e1ac0e2ee11eeae99bc9cd710ea45dc158c7b0cf860

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqhepl.bat

Filesize
170B

MD5
6ffb52b6f85528e68e84d9e5f2ed8a32

SHA1
9e64fbc2b8bbc0543c58eee1a69ec570a59948e0

SHA256
50a7cab8a8d09bb3e091e9ac78abcbe8c78b083a06692a2dbee14d9f99980bd8

SHA512
948859096580bcc80dec39095953714d42bb4e2f68a9632a732906b4cbec5f10a05f020a80ee72e504ec9f19403e3f0bade97fa6f0887b7650d3d178af17c96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhuigr.exe

Filesize
176KB

MD5
1189690fbf104787770ba90162111c6b

SHA1
f54c9295a0b8f0b845ecfce25cdbb04e13f5f63a

SHA256
32352b11d3dec0de5489682e9bba9caddcc82e21f77a22e2f61ba94ce4065801

SHA512
1ee1367cffb5bf2d13f8d19f7100c2677912e648fd5661e59946effc8ab1dad826a69d72c2f882ffb2f3ecdd3d0ae8b2360fa21e9009fa96adda092e82ae6309

Download Submit