13ba44a55cb6035a65cc1678431f5e9d5c4a4bfb4687880cd93e05cfb9ecd3ce

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe
Size

320KB
MD5

66c7e89e75643fa41cc599afc4900049
SHA1

98a736710067dc27c714a2b20b78a67cbee8b2cf
SHA256

13ba44a55cb6035a65cc1678431f5e9d5c4a4bfb4687880cd93e05cfb9ecd3ce
SHA512

eb780548bb09b8aaeb0f3ff5fa80f4d7f66a74e3d5993a81dc0612d35172fe7e6bfeeb431f0b03c03faf381ed6aeb97ef5a9ebb112502580f865366da36108d9
SSDEEP

3072:RT1XcGU5ovAE3Qg2mpfhAFAH5lq7jU2QfM9+TsuZf2:RT1X1xAQF2m1hAG6XUTvwuZ+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	fdcqxk.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2540	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2776	3020	66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2776	3020	66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2776	3020	66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2776	3020	66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2684	2776	cmd.exe	32
PID 2776 wrote to memory of 2684	2776	cmd.exe	32
PID 2776 wrote to memory of 2684	2776	cmd.exe	32
PID 2776 wrote to memory of 2684	2776	cmd.exe	32
PID 2776 wrote to memory of 2540	2776	cmd.exe	33
PID 2776 wrote to memory of 2540	2776	cmd.exe	33
PID 2776 wrote to memory of 2540	2776	cmd.exe	33
PID 2776 wrote to memory of 2540	2776	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66c7e89e75643fa41cc599afc4900049_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\czrmbha.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\fdcqxk.exe
    "C:\Users\Admin\AppData\Local\Temp\fdcqxk.exe"
    3⤵
    - Executes dropped EXE
    PID:2684
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bowoif.bat

Filesize
170B

MD5
7893300dccf5732c0dd12a11c77be201

SHA1
83bcb81d465146c9a9648609b498963e38149954

SHA256
72908452fc61855bfe319107350e0360cf36fa6123019321bd088df0ddfb6c12

SHA512
17206e61ca71592a8becf537b7a0d03b132424d4a6dbaebd00cfadc41e279f104ae550a94fad4d2683632e6cd128a14f5760f5ef9af49e768bbd44ab863f03a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\czrmbha.bat

Filesize
124B

MD5
b5e4f021a7bf59df705e814a76c10d92

SHA1
78051723ad8215d3bec3ef46003179ad72886769

SHA256
2191cb3f01090921dafe405b3256595af11d78b024ef69a7d9cb501527c0d77b

SHA512
9d1a79da04bdf1eac112a04b61bcb4286d01b3c6b347f14d63cddbbd6213c1d491df944e2f9ccb889a7f1c2b15386c08286edf4a33a5ccf9e178713b19500104

Download Submit
\Users\Admin\AppData\Local\Temp\fdcqxk.exe

Filesize
184KB

MD5
a7cdf937f931085cd09ef8fd81683df2

SHA1
5ca529111e03f884a53ae0819b4e49922c7fe504

SHA256
952c7f9c78140f897345f93c959dec45ef85447f87dfbdc2230992c52b204870

SHA512
778d5f2182d745cbfa3f8322716d71431f2d14106f65c7185a347e4f5c79e41ca7a794fc279f07b5109a086c55545dd8584f30805c29fbf40d7a93f59413bdb7

Download Submit