Analysis Overview
SHA256
432b4e84ec739ebeac84485407f087223331eaef24c6c7b133c353c618ccec8b
Threat Level: Known bad
The file f8772b9a80138cd39a71f4faac388e49_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Metasploit family
MetaSploit
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-18 17:44
Signatures
Metasploit family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 17:44
Reported
2024-04-18 17:46
Platform
win7-20240319-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
MetaSploit
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.104:8892 | tcp | |
| N/A | 192.168.1.104:8892 | tcp |
Files
memory/1968-0-0x00000000002D0000-0x00000000002D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-18 17:44
Reported
2024-04-18 17:46
Platform
win10v2004-20240412-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
MetaSploit
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3852 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3852 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3852 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| N/A | 192.168.1.104:8892 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
memory/3756-0-0x0000000002410000-0x0000000002411000-memory.dmp