Analysis
max time kernel: 93s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 21:21

Static task: static1

Behavioral task: behavioral1
  Sample: f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
Size: 7.6MB
MD5: f8c6f91efa4817c54c437e33b9846157
SHA1: 0d16268bef3a1489477deafa8e9b157259472590
SHA256: bebc94d1ba964a1cc1b23acfeb8b4ec4a5457649cf203e58c0e93c0161a0bf78
SHA512: b1b99e623044addcc59888638282d24d06ad1ab7043ba13d90ddaca9d26a7ee8d7742d6ece62d02735095699dd682f358b47abb4f7e72a92e3daa0d0c379401e
SSDEEP: 196608:7TIrok2A+V/Dn9PzEhYq/GTH60OPsXjZNZwgz+MgF+64ju:7crok2AY7NgWqNDPsz/+Q64S
Malware Config
Extracted
  Family: metasploit
  Payload: windows/shell_reverse_tcp
  Listener (LHOST:LPORT): 176.221.252.198:4444
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | ll.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2980 | ll.exe
  4428 | lol.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe

NTFS ADS (1 IoCs)
  description | ioc | Process
  File created | C:\Programes\Power\lol.exe:Zone.Identifier | cmd.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  3340 | POWERPNT.EXE

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3340 | POWERPNT.EXE
  3340 | POWERPNT.EXE
  3340 | POWERPNT.EXE
  3340 | POWERPNT.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 4820 wrote to memory of 2980 | 4820 | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | 90
  PID 4820 wrote to memory of 2980 | 4820 | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | 90
  PID 4820 wrote to memory of 2980 | 4820 | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | 90
  PID 4820 wrote to memory of 3340 | 4820 | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | 92
  PID 4820 wrote to memory of 3340 | 4820 | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | 92
  PID 4820 wrote to memory of 3340 | 4820 | f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | 92
  PID 2980 wrote to memory of 3788 | 2980 | ll.exe | 93
  PID 2980 wrote to memory of 3788 | 2980 | ll.exe | 93
  PID 3788 wrote to memory of 4428 | 3788 | cmd.exe | 96
  PID 3788 wrote to memory of 4428 | 3788 | cmd.exe | 96
  PID 3788 wrote to memory of 4428 | 3788 | cmd.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4820

  C:\Programes\Power\ll.exe
    Command line: "C:\Programes\Power\ll.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2980

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat C:\Programes\Power\ll.exe"
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
      PID: 3788

      C:\Programes\Power\lol.exe
        Command line: lol.exe
        - Executes dropped EXE
        PID: 4428

  C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Programes\Power\prev.pptx" /ou ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3340
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 86KB
MD5: f59d5f571baa32085623e50216883cb0
SHA1: c53dc803a0a18d3ab05259bb92abbf3182747d6b
SHA256: d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c
SHA512: fecb7c03a8d9f1603b00c0939cb40072ab661714dce73b0d4b702532ab44183e07776ca555817e8d677d2528f19317845bbf2628ac76708d4bae75ba6eeb44b7

Filesize: 7.3MB
MD5: bb1f9c3f2eb93358942d23995990b254
SHA1: 9303c176a3f5c409381af91bc86160fc2cc483ba
SHA256: 68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea
SHA512: 1396cc3105e6a0deb633a04150a372f3451f4b1bd09bfa3acdbb4197aff0d558a8ed614993eb19120031904da344dc5f47b8e461e49fb63da7ea115d042b40ca

Filesize: 2B
MD5: 81051bcc2cf1bedf378224b0a93e2877
SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Filesize: 30KB
MD5: d1ad83616f64413a9afa8d55acad1e23
SHA1: e61e00403eb66d26dfe97c654af3d6e30e674927
SHA256: 532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3
SHA512: 91c79a61341c9d3f19ef072e19f4eb29a56af6543934d757e2f24abc90d0d8a823331fde9f93c7d4260ada64ef9ecce7f14c65fb69b791529b4578edfde2ca5f

Filesize: 75B
MD5: ba6af7d6d40086090929b59917b75dd5
SHA1: c4f88f42320df939bec38ce8d7d3b6c6d5f7c5db
SHA256: 0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f
SHA512: 2a978e37e45aeb5ec39aa8c15596d43799d41dc541f3b2a4568d309d89b313dde7e442a027cf58ecd6292a22d1e47809aeb35cc5142a475e5f5e67faafa2be53

Filesize: 217B
MD5: 37bfa7e4024092f51555e1fbf3140751
SHA1: 7c68c2d66281c5ac2c1b9b2a6ec164864370f790
SHA256: 33c9be9190f3dd9aadc78d6978d413b20a1ded86c7902149dfdfd2b87c750b7e
SHA512: 558a6ebfcad0aa957498586ccf11bd578eab281355f9310657095d906669e0a6ce8490266d1eca9d41b216171ae51ad8e4d4b3dcc24ca212e82c78f0e7816891