Analysis
-
max time kernel: 4s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 13:56
Behavioral task: behavioral1
Sample: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
-
Target: f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
Size: 107KB
MD5: f3a255cd5e198a6a1518c8cab2c0ac2f
SHA1: 700434728083617c758d4c893959e2e63562b353
SHA256: 5ce3f9c4752da334a00af6aa22550da57e77adab646b3774c6d9eeabe2f2ccd5
SHA512: 0b33d534858bd56f375323f42bb6046d9082a1dbf437f665ebc8a38c22643309c6d40d484f8532c36ab7a82d4b7f162e0bf6a3274ed47b67a083b1b6870cf2ed
SSDEEP: 3072:cgZoEWJnMecMTMD8+ZMzyBygGUxCPfgLy6W:d6JnRTf+LBygb1Ly6
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
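The "encoder/fnstenv_mov" extraction above means the sandbox recognised the decoder stub of Metasploit's x86 fnstenv_mov encoder in front of the payload. The stub uses an FPU trick to learn its own address (fldz, then fnstenv so the saved FPU instruction pointer lands on the stack) and then XORs the following dwords with one static 32-bit key. The Python below is an added example written for this page, not the sandbox vendor's or Metasploit's code: it builds a stub over a constructed marker string, locates that stub in a blob and replays the decode loop statically. The byte layout of the stub is as I recall it from Metasploit's modules/encoders/x86/fnstenv_mov.rb and is an assumption to check against that source; the offsets in the comments are self-consistent with it (0x13 is the stub length after fldz, and loop's -12 lands on the xor).

```python
"""fnstenv_mov decoder-stub locator and static XOR decoder.

Added example for this report page; not Metasploit's own code and not the
sandbox's detection logic. Stub layout is recalled from Metasploit's
modules/encoders/x86/fnstenv_mov.rb (assumption: verify against the source).
"""
import struct

# Bytes that follow "6A <n>" (push byte n = number of dwords to decode):
#   59              pop ecx                  ; ecx = dword count
#   D9 EE           fldz                     ; any FPU op records its own address
#   D9 74 24 F4     fnstenv [esp-0xc]        ; FPUIP (env offset 12) lands at [esp]
#   5B              pop ebx                  ; ebx = address of fldz
#   81 73 13 <key>  xor dword [ebx+0x13],key ; 0x13 = bytes from fldz to stub end
STUB_HEAD = bytes.fromhex("59 d9 ee d9 74 24 f4 5b 81 73 13")
#   83 EB FC        sub ebx, -4              ; advance 4 bytes with no NUL in the opcode
#   E2 F4           loop                     ; jump back 12 bytes to the xor, ecx times
STUB_TAIL = bytes.fromhex("83 eb fc e2 f4")
STUB_LEN = 2 + len(STUB_HEAD) + 4 + len(STUB_TAIL)  # 22 == 3 (push/pop) + 0x13


def build_stub(n_dwords, key):
    """Assemble the stub for n_dwords (one count byte, so at most 255) and a 32-bit key."""
    return b"\x6a" + bytes([n_dwords]) + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL


def encode(payload, key):
    """Stub + payload XORed dword-by-dword with the static key (pads to 4 bytes)."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    body = struct.pack("<%dI" % len(words), *(w ^ key for w in words))
    return build_stub(len(words), key) + body


def find_stubs(blob):
    """Return (offset, n_dwords, key) for every stub whose head and tail both match."""
    hits, i = [], 0
    while (j := blob.find(STUB_HEAD, i)) >= 0:
        start, key_off = j - 2, j + len(STUB_HEAD)
        if (start >= 0 and blob[start] == 0x6A
                and blob[key_off + 4:key_off + 4 + len(STUB_TAIL)] == STUB_TAIL):
            key = struct.unpack_from("<I", blob, key_off)[0]
            hits.append((start, blob[start + 1], key))
        i = j + 1
    return hits


def decode(blob, offset, n_dwords, key):
    """Replay the decoder loop without executing it: XOR the n dwords after the stub."""
    body = offset + STUB_LEN
    words = struct.unpack_from("<%dI" % n_dwords, blob, body)
    return struct.pack("<%dI" % n_dwords, *(w ^ key for w in words))


# Constructed sample: a harmless marker string stands in for shellcode; the
# NOP and INT3 padding imitates surrounding bytes in a carrier file.
PAYLOAD = b"constructed sample payload, not from this binary"
KEY = 0x41424344
SAMPLE_BLOB = b"\x90" * 7 + encode(PAYLOAD, KEY) + b"\xcc" * 3


def demo():
    """Locate and decode every stub in SAMPLE_BLOB; returns (offset, n, key, plaintext)."""
    return [(off, n, hex(key), decode(SAMPLE_BLOB, off, n, key).rstrip(b"\x00"))
            for off, n, key in find_stubs(SAMPLE_BLOB)]
```

Because the key is static, a hit from find_stubs is enough to recover the payload offline; no emulator is needed, unlike encoders that feed each decoded dword back into the key. A real sample may still defeat this byte signature if the stub was re-encoded or hand-modified, which is why the sandbox's own detection name should be treated as a hint to confirm, not as proof of the encoder.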
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  netsh.exe (PID 4532)
  The exception is added through the legacy "netsh firewall" context, which Windows 10 still honours although "netsh advfirewall" replaced it.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\msconfig.com"
    Set value (str): \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\msconfig.com"
  The WOW6432Node path is registry redirection: the 32-bit sample wrote to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and on x64 that write lands under WOW6432Node. The value name mimics the legitimate msconfig.exe but points at a .com file in the Windows root, not at System32.
-
Drops file in Windows directory (2 IoCs)
Processes:
  f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
    File created: C:\Windows\msconfig.com
    File opened for modification: C:\Windows\msconfig.com
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe (PID 5048), 2 events
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 5048 (f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe) wrote to memory of PID 3972 (cmd.exe), 3 events
  PID 5048 (f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe) wrote to memory of PID 3392 (Explorer.EXE), 2 events
Processes
-
[level 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3392
  (the desktop shell is the parent: the sample was started by the sandbox user)
  [level 2] C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe"
    PID: 5048
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\fwadd.bat" "
      PID: 3972
      (the 32-bit sample asked for system32\cmd.exe; WOW64 file-system redirection resolved it to SysWOW64)
      [level 4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe" "System Services Monitor" ENABLE
        PID: 4532
        - Modifies Windows Firewall
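The process tree and the signatures above are a compact set of host indicators: a Run key named after msconfig that points to C:\Windows\msconfig.com, a firewall exception added by netsh for the Temp-path sample (note that the whitelisted binary and the persisted binary are different files), a Geo\Nation lookup, and WriteProcessMemory into Explorer. The Python below is an added example for this page, not the sandbox vendor's logic: it runs simple triage rules over event records constructed from the report's own IoCs. The event schema (type, pid, image, cmdline, key, data, target_image) is my own assumption, as are the rule names.

```python
"""Triage rules over sandbox-style behaviour events.

Added example for this report page, not the sandbox's own detection code.
The EVENTS list is constructed from the report's process tree and IoCs; the
field names are an assumed schema, not a real export format.
"""
import ntpath
import re

SID = "S-1-5-21-4092317236-2027488869-1227795436-1000"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe"

EVENTS = [  # constructed from the report above
    {"type": "process", "pid": 5048, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "reg_query", "pid": 5048,
     "key": HKU + "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "file_create", "pid": 5048, "path": r"C:\Windows\msconfig.com"},
    {"type": "reg_set", "pid": 5048,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig",
     "data": r"C:\Windows\msconfig.com"},
    {"type": "reg_set", "pid": 5048,
     "key": HKU + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\msconfig",
     "data": r"C:\Windows\msconfig.com"},
    {"type": "process", "pid": 3972, "ppid": 5048, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\fwadd.bat" "'},
    {"type": "process", "pid": 4532, "ppid": 3972, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{SAMPLE}" "System Services Monitor" ENABLE'},
    {"type": "wpm", "pid": 5048, "target_pid": 3392, "target_image": r"C:\Windows\Explorer.EXE"},
]

# Legacy "netsh firewall" and current "netsh advfirewall" spellings of a firewall change.
FIREWALL_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule|firewall\s+set\s+opmode\s+disable)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
WIN_SYSTEM_RE = re.compile(r"^C:\\Windows\\(?:System32|SysWOW64)\\", re.IGNORECASE)


def autostart_problems(target):
    """Reasons a Run-key target looks off: non-EXE extension, or dropped in the Windows root."""
    folder, fname = ntpath.split(target.strip().strip('"'))
    _, ext = ntpath.splitext(fname)
    problems = []
    if ext.lower() != ".exe":
        problems.append(f"autostart target has non-EXE extension {ext!r}")
    if folder.lower() == r"c:\windows":
        problems.append("binary placed directly under the Windows root rather than System32")
    return problems


def image_of(events, pid):
    return next((e["image"] for e in events if e["type"] == "process" and e["pid"] == pid), "")


def triage(events):
    """Return de-duplicated (rule, pid, detail) findings in event order."""
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "process" and FIREWALL_RE.search(ev["cmdline"]):
            temp = [p for p in re.findall(r'"([^"]+)"', ev["cmdline"]) if USER_TEMP_RE.match(p)]
            if temp:
                findings.append(("firewall_exception_for_temp_binary", ev["pid"], temp[0]))
            else:
                findings.append(("firewall_modification", ev["pid"], ev["cmdline"]))
        elif t == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            detail = ev["data"]
            reasons = autostart_problems(ev["data"])
            if reasons:
                detail += " (" + "; ".join(reasons) + ")"
            findings.append(("run_key_persistence", ev["pid"], detail))
        elif t == "reg_query" and GEO_RE.search(ev["key"]):
            findings.append(("geo_nation_lookup", ev["pid"], ev["key"]))
        elif t == "wpm":
            source = image_of(events, ev["pid"])
            if (not WIN_SYSTEM_RE.match(source)
                    and ntpath.basename(ev["target_image"]).lower() == "explorer.exe"):
                findings.append(("write_into_explorer", ev["pid"], f"{source} -> {ev['target_image']}"))
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique
```

The two Run-key writes (HKLM via WOW6432Node and HKCU) collapse into a single finding because they carry the same target; the WriteProcessMemory rule deliberately ignores the writes into the sample's own cmd.exe child (normal for a parent setting up a child) and keeps only the write into Explorer, which no installer-like program should do.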
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
-
C:\fwadd.bat
  Filesize: 173B
  MD5: 08f29a4cbcc5a1cdcfbfe4835d8b09cf
  SHA1: d45d861790c8aabada626c8882df8c2bb1326deb
  SHA256: d159043a90a1907e54cc41f22f06302233bec031a381b2aa61ceb2a705763fa6
  SHA512: db3bd3ace6bb8b2f66ed9188d9618e7e3476f73bc06f81351a2cb78c7b6cc20778173a078306e0cf23e879262369191d59808038bd980ad769f4f1d73b8eb29c
-
memory/5048-5-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
-
memory/5048-6-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
  (both dumps cover the same 0x400000-0x42B000 range of PID 5048, the sample's own image as mapped in memory)