Analysis
- max time kernel: 4s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 16-04-2024 13:56
Behavioral tasks
- behavioral1
  Sample: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
  Resource: win7-20240220-en
- behavioral2
  Sample: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
- Size: 107KB
- MD5: f3a255cd5e198a6a1518c8cab2c0ac2f
- SHA1: 700434728083617c758d4c893959e2e63562b353
- SHA256: 5ce3f9c4752da334a00af6aa22550da57e77adab646b3774c6d9eeabe2f2ccd5
- SHA512: 0b33d534858bd56f375323f42bb6046d9082a1dbf437f665ebc8a38c22643309c6d40d484f8532c36ab7a82d4b7f162e0bf6a3274ed47b67a083b1b6870cf2ed
- SSDEEP: 3072:cgZoEWJnMecMTMD8+ZMzyBygGUxCPfgLy6W:d6JnRTf+LBygb1Ly6
Malware Config
- Extracted: metasploit
- Encoder: encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 1060)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\msconfig.com"
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\msconfig.com"
- Drops file in Windows directory (2 IoCs)
  Process: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
  - File created: C:\Windows\msconfig.com
  - File opened for modification: C:\Windows\msconfig.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe (PID 2060)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe (PID 2060)
  - PID 2060 wrote to memory of PID 2316 (cmd.exe), 4 times
  - PID 2060 wrote to memory of PID 1196 (Explorer.EXE), 2 times
Processes
- C:\Windows\Explorer.EXE (PID 1196)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe (PID 2060)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe"
    Signatures: Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2316)
      Command line: cmd /c ""C:\fwadd.bat" "
      - C:\Windows\SysWOW64\netsh.exe (PID 1060)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe" "System Services Monitor" ENABLE
        Signatures: Modifies Windows Firewall
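The three behaviours the process tree above records (a file dropped under C:\Windows, Run keys pointing at that drop, and a child netsh.exe adding a firewall exception for the sample's own path) are easy to miss if each is alerted on alone. The script below is an added example, not part of this sandbox report: it runs simple rules over constructed Sysmon-style events (IDs 1, 11 and 13) whose values mirror this report, and correlates them so that the firewall exception is tied back to the process that spawned it. The event field names, the benign noise events and the rule names are assumptions for illustration.

```python
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe")

# Constructed telemetry in a Sysmon-like shape (EventID 1 process create,
# 11 file create, 13 registry value set). The first five events mirror the
# report's process tree; the last two are benign noise the rules must ignore.
SAMPLE_EVENTS = [
    {"id": 11, "pid": 2060, "image": SAMPLE, "target": r"C:\Windows\msconfig.com"},
    {"id": 13, "pid": 2060, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig",
     "details": r"C:\Windows\msconfig.com"},
    {"id": 13, "pid": 2060, "image": SAMPLE,
     "target": r"HKU\S-1-5-21-2721934792-624042501-2768869379-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\msconfig",
     "details": r"C:\Windows\msconfig.com"},
    {"id": 1, "pid": 2316, "ppid": 2060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""C:\\fwadd.bat" "'},
    {"id": 1, "pid": 1060, "ppid": 2316, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{SAMPLE}" "System Services Monitor" ENABLE'},
    {"id": 11, "pid": 3100, "image": r"C:\Program Files\Example\setup.exe",
     "target": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
    {"id": 1, "pid": 3200, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Legacy "netsh firewall add allowedprogram" (the form this sample uses) and
# the current "netsh advfirewall firewall add rule" form.
NETSH_FW_RE = re.compile(
    r"^\s*netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.I)
# Quoted program path in either syntax: allowedprogram "<path>" or program="<path>".
FW_PROGRAM_RE = re.compile(r'(?:allowedprogram\s+|program=)"([^"]+)"', re.I)


def norm(path):
    """Case-fold a Windows path so report and telemetry spellings compare equal."""
    return path.strip('"').lower()


def triage(events):
    """Return a list of {rule, pid, detail} findings for the given events."""
    image_of = {e["pid"]: e["image"] for e in events}
    parent_of = {e["pid"]: e["ppid"] for e in events if "ppid" in e}
    dropped = {}          # pid -> set of files that pid created
    findings = []
    for e in events:
        if e["id"] == 11:
            target = norm(e["target"])
            dropped.setdefault(e["pid"], set()).add(target)
            if target.startswith("c:\\windows\\"):
                findings.append({"rule": "drops_file_in_windows_dir",
                                 "pid": e["pid"], "detail": e["target"]})
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            findings.append({"rule": "run_key_persistence", "pid": e["pid"],
                             "detail": f'{e["target"]} = {e["details"]}'})
            # Correlation: the autostart entry points at a file this same process wrote.
            if norm(e["details"]) in dropped.get(e["pid"], ()):
                findings.append({"rule": "run_key_points_at_own_drop",
                                 "pid": e["pid"], "detail": e["details"]})
        elif e["id"] == 1 and NETSH_FW_RE.match(e["cmdline"]):
            findings.append({"rule": "firewall_exception_added",
                             "pid": e["pid"], "detail": e["cmdline"]})
            m = FW_PROGRAM_RE.search(e["cmdline"])
            if m:
                # Walk the parent chain; flag if the allowed program is an ancestor
                # (netsh launched, via cmd.exe, to whitelist its own grandparent).
                prog, ancestors, pid = norm(m.group(1)), [], e.get("ppid")
                while pid is not None and pid not in ancestors:
                    ancestors.append(pid)
                    pid = parent_of.get(pid)
                if any(norm(image_of.get(a, "")) == prog for a in ancestors):
                    findings.append({"rule": "firewall_exception_for_ancestor",
                                     "pid": e["pid"], "detail": m.group(1)})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick verdict line."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["rule"]:32} pid={f["pid"]:<5} {f["detail"]}')
    print(dict(summarize(SAMPLE_EVENTS and triage(SAMPLE_EVENTS))))
```

On this input the two benign events produce nothing, while the sample yields seven findings, including the two correlations. The ancestor walk is what turns "netsh ran" (noisy on its own) into "a temp-directory executable had its child whitelist it", which is the actual signal in this report.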
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads
- C:\fwadd.bat
  Filesize: 173B
  MD5: 08f29a4cbcc5a1cdcfbfe4835d8b09cf
  SHA1: d45d861790c8aabada626c8882df8c2bb1326deb
  SHA256: d159043a90a1907e54cc41f22f06302233bec031a381b2aa61ceb2a705763fa6
  SHA512: db3bd3ace6bb8b2f66ed9188d9618e7e3476f73bc06f81351a2cb78c7b6cc20778173a078306e0cf23e879262369191d59808038bd980ad769f4f1d73b8eb29c
- memory/1196-9-0x0000000003E00000-0x0000000003E01000-memory.dmp
  Filesize: 4KB
- memory/1196-10-0x0000000003E00000-0x0000000003E01000-memory.dmp
  Filesize: 4KB
- memory/2060-12-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB