Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-04-2024 18:02
General
-
Target
f87d227c239f2153debe2ed82b791af4_JaffaCakes118.exe
-
Size
184KB
-
MD5
f87d227c239f2153debe2ed82b791af4
-
SHA1
86b7ca4b65925fe8c34346824e7514dec9bc4dc9
-
SHA256
0e3bd9a2273d23017ac49410da451bd01b9972f14a6fbac0551dc45a77e86da5
-
SHA512
cf5fd3e38a2bb4115949cc609c63f436c18538a32986c0b1b314b8c73c86454b2a3a76f9d9b440d31f4176ceb9d924e590a696c06b1030825656140649aeeb51
-
SSDEEP
3072:42cek9K+k7JeRFr/mt+YrxLbaQrhnUn0NwSsSaD6wtADYzaiFw9Rykw9sQ4SKRfk:42cekCqJzQLbd9p28i2dEsVSI8
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Maps connected drives based on registry 3 TTPs 24 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 36 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f87d227c239f2153debe2ed82b791af4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f87d227c239f2153debe2ed82b791af4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f87d227c239f2153debe2ed82b791af4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f87d227c239f2153debe2ed82b791af4_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\F87D22~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Users\Admin\AppData\Local\Temp\F87D22~1.EXE4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\SysWOW64\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxpk32.exe"C:\Windows\system32\igfxpk32.exe" C:\Windows\SysWOW64\igfxpk32.exe25⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Windows\SysWOW64\igfxpk32.exeFilesize
184KB
MD5f87d227c239f2153debe2ed82b791af4
SHA186b7ca4b65925fe8c34346824e7514dec9bc4dc9
SHA2560e3bd9a2273d23017ac49410da451bd01b9972f14a6fbac0551dc45a77e86da5
SHA512cf5fd3e38a2bb4115949cc609c63f436c18538a32986c0b1b314b8c73c86454b2a3a76f9d9b440d31f4176ceb9d924e590a696c06b1030825656140649aeeb51
-
memory/1468-91-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/1468-83-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/1612-60-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/1904-121-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/2100-151-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/2180-136-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/2288-106-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/2652-181-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/2736-46-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/2740-74-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3004-32-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3004-28-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3004-27-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3004-26-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-0-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-16-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-8-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-7-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-6-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-4-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-2-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3020-3-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB
-
memory/3048-166-0x0000000037170000-0x00000000371D5000-memory.dmpFilesize
404KB