Analysis
-
max time kernel
1s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
17-04-2024 09:47
Static task
static1
Behavioral task
behavioral1
Sample
f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
-
Size
177KB
-
MD5
f57ef56616de54fc88e803abf57cdab4
-
SHA1
e5938463fd7895cc07a0a38cfd401660dcc333a8
-
SHA256
13ac9d5ce9f34c40884f67e0767d87d8fc5a705fe8d4ebaa1773ea8626a2e468
-
SHA512
5ab487aee65f7527e4861f1626e900bbe749a04279556b99d8da53aff3e88ccbe4f100fe43c9adb504305ecdae4ea2699ad22fd8eea7dbff4cf4cee1a08bf502
-
SSDEEP
3072:bnrRqBYMmJGOyXmRWyE+4NQNIDYw2az/aLOGBiVqzJqvvr9y2/DhmOCQZF5G7cxh:bSDBO5Vn4YwN2fYqNqvT9JbIMF8gN/
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/shell_reverse_tcp
192.168.1.21:4444
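The callback host and port above are recovered from the payload's own socket setup. As an added example, not the sandbox's extractor and not code from the sample, the following Python scans a decoded windows/shell_reverse_tcp buffer for the pair of 0x68 (push imm32) instructions that Metasploit's reverse_tcp block uses to build the sockaddr_in: the IPv4 address, then a word holding sin_family=2 followed by the port in network byte order, then mov esi, esp. The exact stub layout is an assumption stated in the comments. The sample buffer is constructed here to carry this report's 192.168.1.21:4444, and the static-XOR obfuscate() is a toy stand-in for the shikata_ga_nai layer: that encoder is polymorphic, so the pattern is only visible after the decoder stub has run (or after the encoding has been stripped), which is why extraction works on a memory dump rather than the file on disk.

```python
from __future__ import annotations

import re
import socket
import struct

# Socket setup emitted by Metasploit's reverse_tcp block (assumption about the
# stub layout; the values are the ones this report extracted):
#   68 c0 a8 01 15    push 0x1501a8c0   -> sin_addr   = 192.168.1.21 (network order)
#   68 02 00 11 5c    push 0x5c110002   -> sin_family = AF_INET (2), sin_port = 4444 (network order)
#   89 e6             mov esi, esp      -> esi points at the sockaddr_in just built
REVERSE_TCP_STUB = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})\x89\xe6", re.DOTALL)


def extract_reverse_tcp(decoded: bytes) -> list[str]:
    """Return every host:port a decoded reverse_tcp payload would call back to."""
    found = []
    for m in REVERSE_TCP_STUB.finditer(decoded):
        host = socket.inet_ntoa(m.group(1))        # 4 bytes, network order -> dotted quad
        (port,) = struct.unpack(">H", m.group(2))  # 2 bytes, network order -> int
        found.append(f"{host}:{port}")
    return found


def build_stub(host: str, port: int) -> bytes:
    """Assemble the socket-setup bytes for a callback. Used here only to build
    constructed test input; a real buffer would come from a memory dump."""
    return (
        b"\x68" + socket.inet_aton(host)                       # push <ipv4>
        + b"\x68" + struct.pack("<H", 2) + struct.pack(">H", port)  # push AF_INET | port
        + b"\x89\xe6"                                          # mov esi, esp
    )


def constructed_sample() -> bytes:
    """Constructed stand-in for the decoded payload: NOP filler, the stub for
    192.168.1.21:4444, and an int3 tail. These are not bytes from the sample."""
    return b"\x90" * 16 + build_stub("192.168.1.21", 4444) + b"\xcc" * 8


def obfuscate(buf: bytes, key: int = 0x5A) -> bytes:
    """Toy static-XOR layer standing in for shikata_ga_nai. It hides the 0x68
    immediates, which is why extraction has to run on decoded bytes."""
    return bytes(b ^ key for b in buf)


if __name__ == "__main__":
    sample = constructed_sample()
    print("decoded:", extract_reverse_tcp(sample))             # ['192.168.1.21:4444']
    print("encoded:", extract_reverse_tcp(obfuscate(sample)))  # []
```

Anchoring the match on the trailing mov esi, esp keeps random 0x68 bytes in a large dump from producing false hits; drop that anchor only if you are scanning a payload variant that you have confirmed lays the stub out differently.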
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4848 | 4444.exe
872 | 4444.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 4848 set thread context of 872 | 4848 | 4444.exe | 4444.exe
PID 4848 set thread context of 872 | 4848 | 4444.exe | 4444.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4864 | 872 | WerFault.exe | 4444.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 3300 wrote to memory of 4848 | 3300 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
PID 3300 wrote to memory of 4848 | 3300 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
PID 3300 wrote to memory of 4848 | 3300 | f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe | 4444.exe
PID 4848 wrote to memory of 872 | 4848 | 4444.exe | 4444.exe
PID 4848 wrote to memory of 872 | 4848 | 4444.exe | 4444.exe
PID 4848 wrote to memory of 872 | 4848 | 4444.exe | 4444.exe
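The two tables above together describe the second half of process hollowing: the dropped 4444.exe (PID 4848) starts a second copy of itself (PID 872), writes into it, then replaces a thread context in it, after which the target crashes under WerFault. As an added example, not the sandbox's signature logic, the following Python takes rows in the format of these tables (a constructed copy of the rows above, embedded inline) and flags any source/target pair that shows both WriteProcessMemory and SetThreadContext activity, marking the case where source and target share an image as self-injection. The parent-to-child writes from PID 3300 into 4848 have no matching thread-context change and are not flagged on their own. The tables carry no timestamps, so this check is unordered; on host telemetry such as Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread), or an ETW/EDR feed, you would additionally require a suspended process create before the write and SetThreadContext/ResumeThread after it, and remember that a debugger legitimately produces the same API pair.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed copy of the rows in this report's "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" tables
# (fields: description, pid, process, target process).
REPORT_ROWS = """
PID 3300 wrote to memory of 4848 3300 f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe 4444.exe
PID 3300 wrote to memory of 4848 3300 f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe 4444.exe
PID 3300 wrote to memory of 4848 3300 f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe 4444.exe
PID 4848 wrote to memory of 872 4848 4444.exe 4444.exe
PID 4848 wrote to memory of 872 4848 4444.exe 4444.exe
PID 4848 wrote to memory of 872 4848 4444.exe 4444.exe
PID 4848 set thread context of 872 4848 4444.exe 4444.exe
PID 4848 set thread context of 872 4848 4444.exe 4444.exe
"""

ROW = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text: str) -> list[dict]:
    """Turn report rows into events; rows that do not match the layout are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "src": int(d["src"]),
            "dst": int(d["dst"]),
            "kind": "write" if d["action"].startswith("wrote") else "ctx",
            "src_img": d["src_img"],
            "dst_img": d["dst_img"],
        })
    return events


def find_hollowing(events: list[dict]) -> list[dict]:
    """Flag (src, dst) pairs where one process both wrote into another and
    replaced a thread context in it. Writes alone (3300 -> 4848 here) do not
    qualify; the pair of behaviours is what distinguishes hollowing from an
    ordinary loader populating its child."""
    per_pair = defaultdict(lambda: {"write": 0, "ctx": 0})
    images = {}
    for e in events:
        key = (e["src"], e["dst"])
        per_pair[key][e["kind"]] += 1
        images[key] = (e["src_img"], e["dst_img"])
    findings = []
    for key in sorted(per_pair):
        counts = per_pair[key]
        if counts["write"] and counts["ctx"]:
            src_img, dst_img = images[key]
            findings.append({
                "src": key[0],
                "dst": key[1],
                "writes": counts["write"],
                "ctx_sets": counts["ctx"],
                "target_image": dst_img,
                "self_injection": src_img == dst_img,  # same image re-spawned and hollowed
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_rows(REPORT_ROWS)):
        print(finding)
```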
Processes
-
C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4444.exe
      "C:\Users\Admin\AppData\Local\Temp\4444.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\4444.exe
          "C:\Users\Admin\AppData\Local\Temp\4444.exe"
          - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 268
              - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 872 -ip 872
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4444.exe
Filesize
69KB
MD5
072e42b025e88144e21f26e6286fa39d
SHA1
a1595a95bebfc8fecb58f8eb62140a150c1f366b
SHA256
a0f2c78653e8c527d19cd764cc901c95a62b9dd89abe2e98f64dcdb268b4fbaf
SHA512
69d8f216446041c4ed89e7d6488d6271c895b74370e771aa5c4efac72003e472e585562f31324303fba53c30b214295482d8a9eb4731a4805e119ce6b5e6ed31
-
C:\Users\Admin\AppData\Local\Temp\hacknowfr.exe
Filesize
239KB
MD5
d549eed7c940512dd522d075660838f2
SHA1
9d8a5fb1889fc01a881036aa69dd4a143b773f4c
SHA256
94a682801f158c58c4cee8aa35ef49ae1e8a87f8ad8ff8dac8b48671b3f12735
SHA512
4a9c36dc8a98c926eed91aedcafbdfbe9271e0132d8bce7d14874a17594cc4259c8922b5e111e9d9904c7ae5451b40a2bfb5e21368c629191747a3b1121780e6
-
memory/872-24-0x0000000000400000-0x000000000041B0B7-memory.dmp
Filesize
108KB
-
memory/872-26-0x0000000000400000-0x000000000041B0B7-memory.dmp
Filesize
108KB
-
memory/872-28-0x0000000000400000-0x000000000041B0B7-memory.dmp
Filesize
108KB
-
memory/4848-14-0x0000000000400000-0x000000000041B0B7-memory.dmp
Filesize
108KB
-
memory/4848-27-0x0000000000400000-0x000000000041B0B7-memory.dmp
Filesize
108KB