Analysis
- max time kernel: 92s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 10:00
Static task: static1
Behavioral task: behavioral1
- Sample: f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
- Size: 102KB
- MD5: f7c288227694f2c5b88d411c576b5213
- SHA1: 08541911d55f1bd8e3981f21fde0378d7c553f51
- SHA256: 8b2e5890687ce54f8ed6b9aac54b0cab0b051c724961b0d3ab22d8b4ef8b7c40
- SHA512: 62ee17a6d5e50d2c4649818c626fd3351c85ffc6f8514c8928ca711f8997aa8f0105d2f788f50f30f2db2adf886568d929f13d33f3ce86c014019fd749a4ade3
- SSDEEP: 3072:LEvW22Z2DdSKp9mGelKwybYFJ8ldPihkGAmGnZE:L1kDdSG9xelZybYJQihkGr
Malware Config
Extracted
- Family: metasploit
- Payload: windows/shell_reverse_tcp
- Connect-back address (LHOST:LPORT): 127.0.0.1:4444
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 960: fichier.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 4164 (f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe) wrote to memory of PID 960 (fichier.exe); the same source/target pair is recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fichier.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fichier.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\fichier.exe
  Filesize: 72KB
  MD5: 4324fb11eed4acde74918ee55b4029e0
  SHA1: 92c61bb4817fd95b4f09130cf56bc946a417ce45
  SHA256: 1ba1e4b8fcffb12874f86ec8d459fd963fc063f6ffdc3b4d38cd0cf813ad4a1f
  SHA512: 92149c4d81e4087fb1d7ce3a5aba76475ec247516d5c52d3f02ec9092df80e87ee816fbe2f8f6d5404bb6670fe21c42bdb2db1b0a6c50d415b8fe583affc6ee1
- memory/960-19-0x0000000000560000-0x0000000000561000-memory.dmp
  Filesize: 4KB
- memory/4164-0-0x0000000000780000-0x0000000000790000-memory.dmp
  Filesize: 64KB
- memory/4164-1-0x0000000074D50000-0x0000000075500000-memory.dmp
  Filesize: 7.7MB
- memory/4164-2-0x0000000005110000-0x00000000051AC000-memory.dmp
  Filesize: 624KB
- memory/4164-3-0x0000000005760000-0x0000000005D04000-memory.dmp
  Filesize: 5.6MB
- memory/4164-4-0x0000000005250000-0x00000000052E2000-memory.dmp
  Filesize: 584KB
- memory/4164-5-0x00000000053A0000-0x00000000053B0000-memory.dmp
  Filesize: 64KB
- memory/4164-6-0x00000000051E0000-0x00000000051EA000-memory.dmp
  Filesize: 40KB
- memory/4164-7-0x00000000052F0000-0x0000000005346000-memory.dmp
  Filesize: 344KB
- memory/4164-21-0x0000000074D50000-0x0000000075500000-memory.dmp
  Filesize: 7.7MB