Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Fake!Virus!HarmlessAHAHHA.bat

DOS batch file, ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	4.828341641653711
Filename:	Fake!Virus!HarmlessAHAHHA.bat
Filesize:	1035
MD5:	02e182ff2335b09c3fb195d3ca900217
SHA1:	d58cb1be5233f97fdec08d8302fb74529f2acba3
SHA256:	cc9ff758865bd6167a5cf7c5a40f7d6cf5406707155a45c72877c2d4322b281b
SHA512:	ceb4ce0d8554f336f19057e6f2e560ebad945c89be5caf6bb4d0479492755b5869eed8766b12365dfd5a33606beec248f3e0841189238d8b546444a2f9224c03
SSDEEP:	24:5Bet8c99OvG2Y4f8R6+stZ8qdjM2UaRYRnY/l:5Ba8c99Ovg/6+stDdjMpaRIgl
Preview:	@echo off..color 0a..mode con: cols=80 lines=25..echo...echo Initializing Virus Simulation.....ping -n 2 127.0.0.1 > nul..echo...echo Connecting to central command server.....ping -n 3 127.0.0.1 > nul..echo Connection established...echo...echo Downloading

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.16.dr
ID:	dr_12
Target ID:	16
Process:	C:\Windows\System32\PING.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.92149009030101
Encrypted:	false
Ssdeep:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
Size:	331
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Fake!Virus!HarmlessAHAHHA.bat" "

C:\Windows\System32\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 4 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 4 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\mode.com

mode con: cols=80 lines=25

There are 5 hidden processes, click here to show them.

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	4
Current Path:	C:\Windows\System32\PING.EXE
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Uses ping.exe to sleep	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

19702C3E000

heap

page read and write

19702C10000

heap

page read and write

1595DFF000

stack

page read and write

1595CFE000

stack

page read and write

19702E00000

heap

page read and write

19702E20000

heap

page read and write

19702F25000

heap

page read and write

19702C39000

heap

page read and write

1595D7D000

stack

page read and write

19702C30000

heap

page read and write

1595C7C000

stack

page read and write

19702F20000

heap

page read and write

There are 2 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Fake!Virus!HarmlessAHAHHA.bat

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFake!Virus!HarmlessAHAHHA.bat

Files

Processes

IPs

Memdumps

IOC Report
Fake!Virus!HarmlessAHAHHA.bat