Analysis

  • max time kernel
    121s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-04-2024 21:21

General

  • Target

    f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe

  • Size

    7.6MB

  • MD5

    f8c6f91efa4817c54c437e33b9846157

  • SHA1

    0d16268bef3a1489477deafa8e9b157259472590

  • SHA256

    bebc94d1ba964a1cc1b23acfeb8b4ec4a5457649cf203e58c0e93c0161a0bf78

  • SHA512

    b1b99e623044addcc59888638282d24d06ad1ab7043ba13d90ddaca9d26a7ee8d7742d6ece62d02735095699dd682f358b47abb4f7e72a92e3daa0d0c379401e

  • SSDEEP

    196608:7TIrok2A+V/Dn9PzEhYq/GTH60OPsXjZNZwgz+MgF+64ju:7crok2AY7NgWqNDPsz/+Q64S

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

176.221.252.198:4444

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Programes\Power\ll.exe
      "C:\Programes\Power\ll.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat C:\Programes\Power\ll.exe"
        3⤵
        • NTFS ADS
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Programes\Power\lol.exe
          lol.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2472
    • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Programes\Power\prev.pptx"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2492

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Programes\Power\lol.exe

      Filesize

      7.3MB

      MD5

      bb1f9c3f2eb93358942d23995990b254

      SHA1

      9303c176a3f5c409381af91bc86160fc2cc483ba

      SHA256

      68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea

      SHA512

      1396cc3105e6a0deb633a04150a372f3451f4b1bd09bfa3acdbb4197aff0d558a8ed614993eb19120031904da344dc5f47b8e461e49fb63da7ea115d042b40ca

    • C:\Programes\Power\lol.exe:Zone.Identifier

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    • C:\Programes\Power\prev.pptx

      Filesize

      30KB

      MD5

      d1ad83616f64413a9afa8d55acad1e23

      SHA1

      e61e00403eb66d26dfe97c654af3d6e30e674927

      SHA256

      532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3

      SHA512

      91c79a61341c9d3f19ef072e19f4eb29a56af6543934d757e2f24abc90d0d8a823331fde9f93c7d4260ada64ef9ecce7f14c65fb69b791529b4578edfde2ca5f

    • C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat

      Filesize

      75B

      MD5

      ba6af7d6d40086090929b59917b75dd5

      SHA1

      c4f88f42320df939bec38ce8d7d3b6c6d5f7c5db

      SHA256

      0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f

      SHA512

      2a978e37e45aeb5ec39aa8c15596d43799d41dc541f3b2a4568d309d89b313dde7e442a027cf58ecd6292a22d1e47809aeb35cc5142a475e5f5e67faafa2be53

    • \Programes\Power\ll.exe

      Filesize

      86KB

      MD5

      f59d5f571baa32085623e50216883cb0

      SHA1

      c53dc803a0a18d3ab05259bb92abbf3182747d6b

      SHA256

      d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c

      SHA512

      fecb7c03a8d9f1603b00c0939cb40072ab661714dce73b0d4b702532ab44183e07776ca555817e8d677d2528f19317845bbf2628ac76708d4bae75ba6eeb44b7

    • memory/2444-27-0x000000002DDC1000-0x000000002DDC2000-memory.dmp

      Filesize

      4KB

    • memory/2444-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2444-29-0x0000000071EDD000-0x0000000071EE8000-memory.dmp

      Filesize

      44KB

    • memory/2444-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2444-44-0x0000000071EDD000-0x0000000071EE8000-memory.dmp

      Filesize

      44KB

    • memory/2472-31-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB