Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 17:44
Behavioral task
behavioral1
Sample
f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll
Resource
win10v2004-20240412-en
General
-
Target
f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll
-
Size
9KB
-
MD5
f8772b9a80138cd39a71f4faac388e49
-
SHA1
407a90f3af90cb6bd8b8fa63990bd71409556da0
-
SHA256
432b4e84ec739ebeac84485407f087223331eaef24c6c7b133c353c618ccec8b
-
SHA512
86fa0352c0f14f9bbfeec86905e3c643a7e968a8a610b51c6a9229197d7d394c1c0f7b2d30467ea481f4d8b59315b891d7e419bf9dd785bda962d797e8c06fbf
-
SSDEEP
96:jQ3Zn/2CiXsLex50FaCRwIvvwF+k4s/DjiWjOr2a0cZYynqjfQaJotQPKu:c/tiXsLecRXvvrASWjOPYHjJotU
Malware Config
Extracted
metasploit
windows/download_exec
http://192.168.1.104:8892/M4yb
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2176 wrote to memory of 1968 2176 rundll32.exe 28 PID 2176 wrote to memory of 1968 2176 rundll32.exe 28 PID 2176 wrote to memory of 1968 2176 rundll32.exe 28 PID 2176 wrote to memory of 1968 2176 rundll32.exe 28 PID 2176 wrote to memory of 1968 2176 rundll32.exe 28 PID 2176 wrote to memory of 1968 2176 rundll32.exe 28 PID 2176 wrote to memory of 1968 2176 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#12⤵PID:1968
-