Analysis
-
max time kernel
158s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-04-2024 09:35
General
-
Target
f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
f7b95748be0dcb35fd6e9082c3e758f4
-
SHA1
56056e7b42ce97cfff697bb8c912dab1d700c038
-
SHA256
8223d57e113fdab4003cbdb87d78e399ed84c4b13a65c4790a36cdddc3484b48
-
SHA512
9643c80d871208c0486635e742745399a6b9d30de33777de25e24c29da634e271c5b3bedcaf81e34888e6017afe1a40867bfee198a186a0c8b0d6329a6136f09
-
SSDEEP
24576:pfBc0H7qvHHwvb7YccVlxUioAJje9E7+j+Y/qN5FzFRd2H/zzNt7Y6mQ6QUzGjpn:pf2G79v/xSHzBJ6WC+j2bpW+6Q4GIP
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/fnstenv_mov
Signatures
-
Detect Lumma Stealer payload V4 23 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 20 IoCs
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 40 IoCs
-
Themida packer 29 IoCs
Detects Themida, an advanced Windows software protection system.
-
Drops file in System32 directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Rapidshare Auto-Downloader v1.1.exe"C:\Users\Admin\AppData\Local\Temp\Rapidshare Auto-Downloader v1.1.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\MINE.exe"C:\Users\Admin\AppData\Local\Temp\MINE.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 720 "C:\Users\Admin\AppData\Local\Temp\MINE.exe"3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 788 "C:\Windows\SysWOW64\windows_update.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 792 "C:\Windows\SysWOW64\windows_update.exe"5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 784 "C:\Windows\SysWOW64\windows_update.exe"6⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 800 "C:\Windows\SysWOW64\windows_update.exe"7⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"8⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 776 "C:\Windows\SysWOW64\windows_update.exe"9⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 812 "C:\Windows\SysWOW64\windows_update.exe"10⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 816 "C:\Windows\SysWOW64\windows_update.exe"11⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
1KB
MD5748bce4dacebbbd388af154a1df22078
SHA10eeeb108678f819cd437d53b927feedf36aabc64
SHA2561585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
SHA512d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
3KB
MD5117efa689c5631c1a1ee316f123182bd
SHA1f477bf1e9f4db8452bd9fe314cd18715f7045689
SHA25679ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7
SHA512abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671
-
C:\a.batFilesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
\Users\Admin\AppData\Local\Temp\MINE.exeFilesize
1.4MB
MD59c0595fe4367e61e2e578ef6fa5e3d0f
SHA199a64947b86b69e2dda873076e18433a63338729
SHA25660591d011a090da281ada86b6b9d505e7faa491ce23304b74f7e243a973d5714
SHA512898712fa3192ccdfbb0346119357bada0839d58d095c18099ac839778b10eb13372618bf0ad0187b4a4526f95a6058bb5bbcd137046bbfb7ef19c60fa0417c85
-
\Users\Admin\AppData\Local\Temp\Rapidshare Auto-Downloader v1.1.exeFilesize
76KB
MD59107c5b32cdddbde5f90651e763c0353
SHA1f20da90385e3b6d05daa2f8dcbbd571305315255
SHA25601f36bdf56a2f3a2fd7ad8eb4de378492039c554569080a664ef39dfa0a4354e
SHA5129d2c1e62118395c9f9490daa2fb67cb557b26bfe9dd1a7cf6fecdb0e61f7355116e005b0830cbfaec5144006bd6a63c8963c556dd50dc46ca92898d732171834
-
memory/1280-1096-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/1280-1090-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2008-294-0x0000000004690000-0x0000000004692000-memory.dmpFilesize
8KB
-
memory/2008-297-0x00000000046C0000-0x00000000046C2000-memory.dmpFilesize
8KB
-
memory/2008-175-0x0000000001130000-0x0000000001504000-memory.dmpFilesize
3.8MB
-
memory/2008-177-0x0000000001130000-0x0000000001504000-memory.dmpFilesize
3.8MB
-
memory/2008-312-0x0000000001130000-0x0000000001504000-memory.dmpFilesize
3.8MB
-
memory/2008-310-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2008-305-0x0000000004C90000-0x0000000005064000-memory.dmpFilesize
3.8MB
-
memory/2008-302-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2008-298-0x0000000004610000-0x0000000004612000-memory.dmpFilesize
8KB
-
memory/2008-184-0x0000000001130000-0x0000000001504000-memory.dmpFilesize
3.8MB
-
memory/2008-174-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2008-295-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB
-
memory/2008-193-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2056-827-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2056-834-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2148-0-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2148-19-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2436-447-0x0000000000D40000-0x0000000001114000-memory.dmpFilesize
3.8MB
-
memory/2436-445-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2436-576-0x0000000000D40000-0x0000000001114000-memory.dmpFilesize
3.8MB
-
memory/2436-574-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2436-567-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2436-565-0x00000000044C0000-0x00000000044C2000-memory.dmpFilesize
8KB
-
memory/2436-455-0x00000000046C0000-0x00000000046C2000-memory.dmpFilesize
8KB
-
memory/2436-496-0x0000000004690000-0x0000000004692000-memory.dmpFilesize
8KB
-
memory/2436-457-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2436-448-0x0000000000D40000-0x0000000001114000-memory.dmpFilesize
3.8MB
-
memory/2568-150-0x0000000004390000-0x0000000004391000-memory.dmpFilesize
4KB
-
memory/2568-159-0x0000000004540000-0x0000000004541000-memory.dmpFilesize
4KB
-
memory/2568-146-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/2568-147-0x0000000004530000-0x0000000004532000-memory.dmpFilesize
8KB
-
memory/2568-148-0x0000000004320000-0x0000000004321000-memory.dmpFilesize
4KB
-
memory/2568-149-0x0000000004340000-0x0000000004341000-memory.dmpFilesize
4KB
-
memory/2568-34-0x0000000004560000-0x0000000004562000-memory.dmpFilesize
8KB
-
memory/2568-152-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/2568-35-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2568-144-0x00000000043A0000-0x00000000043A1000-memory.dmpFilesize
4KB
-
memory/2568-170-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2568-154-0x00000000043C0000-0x00000000043C1000-memory.dmpFilesize
4KB
-
memory/2568-145-0x0000000004310000-0x0000000004311000-memory.dmpFilesize
4KB
-
memory/2568-153-0x0000000004330000-0x0000000004331000-memory.dmpFilesize
4KB
-
memory/2568-151-0x0000000004380000-0x0000000004381000-memory.dmpFilesize
4KB
-
memory/2568-143-0x00000000043E0000-0x00000000043E1000-memory.dmpFilesize
4KB
-
memory/2568-165-0x0000000004C10000-0x0000000004FE4000-memory.dmpFilesize
3.8MB
-
memory/2568-161-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/2568-22-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2568-23-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/2568-24-0x0000000002030000-0x000000000212F000-memory.dmpFilesize
1020KB
-
memory/2568-160-0x0000000004360000-0x0000000004361000-memory.dmpFilesize
4KB
-
memory/2648-25-0x0000000000BC0000-0x0000000000C40000-memory.dmpFilesize
512KB
-
memory/2648-21-0x0000000000BC0000-0x0000000000C40000-memory.dmpFilesize
512KB
-
memory/2648-20-0x000007FEF58F0000-0x000007FEF628D000-memory.dmpFilesize
9.6MB
-
memory/2648-303-0x0000000000BC0000-0x0000000000C40000-memory.dmpFilesize
512KB
-
memory/2648-166-0x0000000000BC0000-0x0000000000C40000-memory.dmpFilesize
512KB
-
memory/2648-301-0x000007FEF58F0000-0x000007FEF628D000-memory.dmpFilesize
9.6MB
-
memory/2648-176-0x000007FEF58F0000-0x000007FEF628D000-memory.dmpFilesize
9.6MB
-
memory/2648-26-0x000007FEF58F0000-0x000007FEF628D000-memory.dmpFilesize
9.6MB
-
memory/2648-300-0x0000000000BC0000-0x0000000000C40000-memory.dmpFilesize
512KB
-
memory/2648-296-0x0000000000BC0000-0x0000000000C40000-memory.dmpFilesize
512KB
-
memory/2680-442-0x0000000000F40000-0x0000000001314000-memory.dmpFilesize
3.8MB
-
memory/2680-434-0x00000000046B0000-0x00000000046B2000-memory.dmpFilesize
8KB
-
memory/2680-443-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2680-438-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2680-435-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2680-444-0x0000000000F40000-0x0000000001314000-memory.dmpFilesize
3.8MB
-
memory/2680-315-0x0000000000F40000-0x0000000001314000-memory.dmpFilesize
3.8MB
-
memory/2680-314-0x0000000000F40000-0x0000000001314000-memory.dmpFilesize
3.8MB
-
memory/2680-432-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2680-316-0x0000000000F40000-0x0000000001314000-memory.dmpFilesize
3.8MB
-
memory/2680-313-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2680-323-0x00000000046E0000-0x00000000046E2000-memory.dmpFilesize
8KB
-
memory/2860-1217-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/2860-1223-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/3004-573-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/3004-705-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/3004-696-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB
-
memory/3004-575-0x00000000010F0000-0x00000000014C4000-memory.dmpFilesize
3.8MB
-
memory/3028-957-0x0000000000400000-0x00000000007D4000-memory.dmpFilesize
3.8MB