f64aa9c2a910b4c38dc27177cef529ef373c8fcd4dc5fb4d998b3b0547fdf9eb

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe
Size

268KB
MD5

65afc103475ca89ec8e66a359fecf2a1
SHA1

aaa09e09360287a5d7a4433779d83bff4d11e67e
SHA256

f64aa9c2a910b4c38dc27177cef529ef373c8fcd4dc5fb4d998b3b0547fdf9eb
SHA512

5daf66892dabd45f883ade69a7d2b38b0f7f7810ea23d3b2729ecdfbe0e8fb80d8cf2bc5e46c8120746213212c6e0bea350d140b01a6ba931c1115af8393e7f9
SSDEEP

3072:VEKsMK+proOjbtWhNHma6jIc9Jds7PT5xYAhRJi6dYLyRzmFlLLh+vgLydPf6:aKs7+whNDJ+rs7bMAU6dyH+oL4Pi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1584	ykpity.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4900	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2184	3160	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	84
PID 3160 wrote to memory of 2184	3160	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	84
PID 3160 wrote to memory of 2184	3160	65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe	84
PID 2184 wrote to memory of 1584	2184	cmd.exe	86
PID 2184 wrote to memory of 1584	2184	cmd.exe	86
PID 2184 wrote to memory of 1584	2184	cmd.exe	86
PID 2184 wrote to memory of 4900	2184	cmd.exe	87
PID 2184 wrote to memory of 4900	2184	cmd.exe	87
PID 2184 wrote to memory of 4900	2184	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65afc103475ca89ec8e66a359fecf2a1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gyhbjxe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\ykpity.exe
    "C:\Users\Admin\AppData\Local\Temp\ykpity.exe"
    3⤵
    - Executes dropped EXE
    PID:1584
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exlxoz.bat

Filesize
170B

MD5
a9f3d98706bfd7b084cd83ebeee648a7

SHA1
8101d6e46f61f3fa2ac379342fa2825d4647913a

SHA256
5c58d70d2d3dfd28dea09a86987f63de6c90b4c98c0527716d87ca83b54348ab

SHA512
fdb8dbb419e8bad391a26df9cab8f75e6d4d094cf87e967bc4f5e403caeb51942ff52f59b8d4e5e4e29c4dd8125f335180dcaa97183e77e7d79570e719f74e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyhbjxe.bat

Filesize
124B

MD5
ce09cca77131be58993875a1a481ef42

SHA1
b5b638a5e1c8e4f6642564d339e5008a57789f6f

SHA256
9ec573119062106bedb02afabd4819d5ed2a4044cecf21b1fa8ec74de3ebe39a

SHA512
0a0739acc382af38dd24b2e9297bc52aed7bdff52462beeb58c5ad71a950ae1b94a384fc11c85ad49d749efbbfff509846ffd6d8be8064b05972a1e26f032713

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykpity.exe

Filesize
176KB

MD5
f0a61438d0407d44fc4a7013a43bfb98

SHA1
62292b28a63bc64dba4af0df298414981040d276

SHA256
eeb7a4eb87e6f1db95ac4ce8cc4e1855178031c1d9ebb734276498375630570e

SHA512
cec7d8efccb2242c959afb3101ca579b319a331f972824b3c1b7e324daa0fe77f2b715c79451ab68f0d33eee1404ed236152a48e2b54a1ca30fe7859236a6b87

Download Submit