Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 08:51
Static task: static1
Behavioral task: behavioral1
- Sample: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
- Size: 255KB
- MD5: f321637df3c8907b2f73bec2fc6eaec6
- SHA1: 56a916846962e81352c63026533d623aa9e9da4f
- SHA256: 3a24f1707ab7f97b0b8ca4ffb5b2237a1b9b867f21d4e88c18fcfd8e4d38ccbc
- SHA512: 6017720c2b805ea4ff9fc559439f0c636373c7d898a49c622f2f8f0f276e996f60ce9894c6b657cc4c47467ba4bfb221c471737e3ed1c388f1317e118f85f79a
- SSDEEP: 3072:0/wQZtZRx5Jx0Lm2U3FEwAXDLXZAXT7xbRk2B:0dv3Umt6XDVAXJRf
Malware Config
- Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  Processes: wmpdr64.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | wmpdr64.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdr64.exe = "C:\\Windows\\SysWOW64\\wmpdr64.exe:*:Enabled:Windows Media Driver" | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | wmpdr64.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdr64.exe = "C:\\Windows\\SysWOW64\\wmpdr64.exe:*:Enabled:Windows Media Driver" | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wmpdr64.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  Processes: wmpdr64.exe
  pid | process
  1860 | wmpdr64.exe
- Executes dropped EXE (2 IoCs)
  Processes: wmpdr64.exe, wmpdr64.exe
  pid | process
  3528 | wmpdr64.exe
  1860 | wmpdr64.exe
- [signature heading not captured in extraction]
  Processes:
  resource | yara_rule
  behavioral2/memory/2120-0-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/2120-2-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/2120-4-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/2120-38-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-43-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-44-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-45-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-46-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-47-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-48-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1860-54-0x0000000000400000-0x0000000000464000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: wmpdr64.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Driver = "C:\\Windows\\SysWOW64\\wmpdr64.exe" | wmpdr64.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe, wmpdr64.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdr64.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdr64.exe
- Drops file in System32 directory (5 IoCs)
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe, wmpdr64.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\ | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\wmpdr64.exe | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\wmpdr64.exe | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ | wmpdr64.exe
  File opened for modification | C:\Windows\SysWOW64\wmpdr64.exe | wmpdr64.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe, wmpdr64.exe
  description | pid | process | target process
  PID 1372 set thread context of 2120 | 1372 | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  PID 3528 set thread context of 1860 | 3528 | wmpdr64.exe | wmpdr64.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe, wmpdr64.exe
  pid | process
  2120 | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe (4 entries)
  1860 | wmpdr64.exe (12 entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe, f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe, wmpdr64.exe, wmpdr64.exe
  description | pid | process | target process
  PID 1372 wrote to memory of 2120 | 1372 | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe (8 entries)
  PID 2120 wrote to memory of 3528 | 2120 | f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe | wmpdr64.exe (3 entries)
  PID 3528 wrote to memory of 1860 | 3528 | wmpdr64.exe | wmpdr64.exe (8 entries)
  PID 1860 wrote to memory of 3332 | 1860 | wmpdr64.exe | Explorer.EXE (2 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3332)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe (PID 1372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe (PID 2120)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f321637df3c8907b2f73bec2fc6eaec6_JaffaCakes118.exe"
      - Checks computer location settings
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wmpdr64.exe (PID 3528)
        Command line: "C:\Windows\SysWOW64\wmpdr64.exe" C:\Users\Admin\AppData\Local\Temp\F32163~1.EXE
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\wmpdr64.exe (PID 1860)
          Command line: "C:\Windows\SysWOW64\wmpdr64.exe" C:\Users\Admin\AppData\Local\Temp\F32163~1.EXE
          - Modifies firewall policy service
          - Deletes itself
          - Executes dropped EXE
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4272)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- C:\Windows\SysWOW64\wmpdr64.exe
  Filesize: 255KB
  MD5: f321637df3c8907b2f73bec2fc6eaec6
  SHA1: 56a916846962e81352c63026533d623aa9e9da4f
  SHA256: 3a24f1707ab7f97b0b8ca4ffb5b2237a1b9b867f21d4e88c18fcfd8e4d38ccbc
  SHA512: 6017720c2b805ea4ff9fc559439f0c636373c7d898a49c622f2f8f0f276e996f60ce9894c6b657cc4c47467ba4bfb221c471737e3ed1c388f1317e118f85f79a
- memory/1860-43-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/1860-44-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/1860-45-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/1860-46-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/1860-47-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/1860-48-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/1860-54-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/2120-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/2120-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/2120-4-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/2120-38-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB