Analysis
-
max time kernel
1s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 09:47
General
-
Target
f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
-
Size
177KB
-
MD5
f57ef56616de54fc88e803abf57cdab4
-
SHA1
e5938463fd7895cc07a0a38cfd401660dcc333a8
-
SHA256
13ac9d5ce9f34c40884f67e0767d87d8fc5a705fe8d4ebaa1773ea8626a2e468
-
SHA512
5ab487aee65f7527e4861f1626e900bbe749a04279556b99d8da53aff3e88ccbe4f100fe43c9adb504305ecdae4ea2699ad22fd8eea7dbff4cf4cee1a08bf502
-
SSDEEP
3072:bnrRqBYMmJGOyXmRWyE+4NQNIDYw2az/aLOGBiVqzJqvvr9y2/DhmOCQZF5G7cxh:bSDBO5Vn4YwN2fYqNqvT9JbIMF8gN/
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/shell_reverse_tcp
192.168.1.21:4444
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4444.exe"C:\Users\Admin\AppData\Local\Temp\4444.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4444.exe"C:\Users\Admin\AppData\Local\Temp\4444.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 2684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 872 -ip 8721⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4444.exeFilesize
69KB
MD5072e42b025e88144e21f26e6286fa39d
SHA1a1595a95bebfc8fecb58f8eb62140a150c1f366b
SHA256a0f2c78653e8c527d19cd764cc901c95a62b9dd89abe2e98f64dcdb268b4fbaf
SHA51269d8f216446041c4ed89e7d6488d6271c895b74370e771aa5c4efac72003e472e585562f31324303fba53c30b214295482d8a9eb4731a4805e119ce6b5e6ed31
-
C:\Users\Admin\AppData\Local\Temp\hacknowfr.exeFilesize
239KB
MD5d549eed7c940512dd522d075660838f2
SHA19d8a5fb1889fc01a881036aa69dd4a143b773f4c
SHA25694a682801f158c58c4cee8aa35ef49ae1e8a87f8ad8ff8dac8b48671b3f12735
SHA5124a9c36dc8a98c926eed91aedcafbdfbe9271e0132d8bce7d14874a17594cc4259c8922b5e111e9d9904c7ae5451b40a2bfb5e21368c629191747a3b1121780e6
-
memory/872-24-0x0000000000400000-0x000000000041B0B7-memory.dmpFilesize
108KB
-
memory/872-26-0x0000000000400000-0x000000000041B0B7-memory.dmpFilesize
108KB
-
memory/872-28-0x0000000000400000-0x000000000041B0B7-memory.dmpFilesize
108KB
-
memory/4848-14-0x0000000000400000-0x000000000041B0B7-memory.dmpFilesize
108KB
-
memory/4848-27-0x0000000000400000-0x000000000041B0B7-memory.dmpFilesize
108KB