Analysis
- max time kernel: 121s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
- Size: 177KB
- MD5: f57ef56616de54fc88e803abf57cdab4
- SHA1: e5938463fd7895cc07a0a38cfd401660dcc333a8
- SHA256: 13ac9d5ce9f34c40884f67e0767d87d8fc5a705fe8d4ebaa1773ea8626a2e468
- SHA512: 5ab487aee65f7527e4861f1626e900bbe749a04279556b99d8da53aff3e88ccbe4f100fe43c9adb504305ecdae4ea2699ad22fd8eea7dbff4cf4cee1a08bf502
- SSDEEP: 3072:bnrRqBYMmJGOyXmRWyE+4NQNIDYw2az/aLOGBiVqzJqvvr9y2/DhmOCQZF5G7cxh:bSDBO5Vn4YwN2fYqNqvT9JbIMF8gN/
Malware Config
- Extracted: metasploit
  Module: encoder/shikata_ga_nai
- Extracted: metasploit
  Module: windows/shell_reverse_tcp
  C2: 192.168.1.21:4444
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  Processes: 4444.exe, 4444.exe
  pid  | process
  2620 | 4444.exe
  2432 | 4444.exe
- Loads dropped DLL (9 IoCs)
  Processes: f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe, 4444.exe, 4444.exe
  pid  | process
  2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
  2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
  2620 | 4444.exe
  2620 | 4444.exe
  2620 | 4444.exe
  2620 | 4444.exe
  2432 | 4444.exe
  2432 | 4444.exe
  2432 | 4444.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: 4444.exe
  description                         | pid  | process  | target process
  PID 2620 set thread context of 2432 | 2620 | 4444.exe | 4444.exe
  PID 2620 set thread context of 2432 | 2620 | 4444.exe | 4444.exe
  PID 2620 set thread context of 2432 | 2620 | 4444.exe | 4444.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe, 4444.exe
  description                      | pid  | process                                            | target process
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2904 wrote to memory of 2620 | 2904 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
  PID 2620 wrote to memory of 2432 | 2620 | 4444.exe                                           | 4444.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\4444.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4444.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\4444.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4444.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\hacknowfr.exe
  Filesize: 239KB
  MD5: d549eed7c940512dd522d075660838f2
  SHA1: 9d8a5fb1889fc01a881036aa69dd4a143b773f4c
  SHA256: 94a682801f158c58c4cee8aa35ef49ae1e8a87f8ad8ff8dac8b48671b3f12735
  SHA512: 4a9c36dc8a98c926eed91aedcafbdfbe9271e0132d8bce7d14874a17594cc4259c8922b5e111e9d9904c7ae5451b40a2bfb5e21368c629191747a3b1121780e6
- \Users\Admin\AppData\Local\Temp\4444.exe
  Filesize: 69KB
  MD5: 072e42b025e88144e21f26e6286fa39d
  SHA1: a1595a95bebfc8fecb58f8eb62140a150c1f366b
  SHA256: a0f2c78653e8c527d19cd764cc901c95a62b9dd89abe2e98f64dcdb268b4fbaf
  SHA512: 69d8f216446041c4ed89e7d6488d6271c895b74370e771aa5c4efac72003e472e585562f31324303fba53c30b214295482d8a9eb4731a4805e119ce6b5e6ed31
- memory/2432-38-0x0000000000400000-0x000000000041B0B7-memory.dmp
  Filesize: 108KB
- memory/2432-39-0x0000000000020000-0x000000000003C000-memory.dmp
  Filesize: 112KB
- memory/2432-41-0x0000000000400000-0x000000000041B0B7-memory.dmp
  Filesize: 108KB
- memory/2620-36-0x0000000000400000-0x000000000041B0B7-memory.dmp
  Filesize: 108KB
- memory/2620-37-0x00000000003E0000-0x00000000003FC000-memory.dmp
  Filesize: 112KB
- memory/2620-35-0x0000000000020000-0x000000000003C000-memory.dmp
  Filesize: 112KB
- memory/2620-34-0x0000000000020000-0x000000000003C000-memory.dmp
  Filesize: 112KB
- memory/2620-30-0x0000000000400000-0x000000000041B0B7-memory.dmp
  Filesize: 108KB
- memory/2620-40-0x0000000000400000-0x000000000041B0B7-memory.dmp
  Filesize: 108KB
- memory/2904-12-0x0000000000500000-0x000000000051C000-memory.dmp
  Filesize: 112KB
- memory/2904-5-0x0000000000500000-0x000000000051C000-memory.dmp
  Filesize: 112KB