Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe
- Size: 383KB
- MD5: fb4c111ddf3fdc6a5b7ffe7073816562
- SHA1: 3b027b3dc3357fddc43fd1c2ac5f75e8453c6712
- SHA256: 45ae919666be18fbb9a86eba7731513b8ba187252392cf68f5846e925955f2c8
- SHA512: ecd3cae9f128cc8e43911a93b436c894cbfbc35bee431036aee6bebcd0f4930abc8bc846cde17ac0eb62f90d4418dbdc9317a845ee3a4a694e81596a252d0fc1
- SSDEEP: 6144:Kmrid57rT9V2kWI3G7smpC3bJ544hI0J4lZWp70BsoH8qEZ+C01k4pdvODymlhkY:Km2v7HT3stpOy/lZWkcJ+CqFODycaC
Malware Config
Extracted
- metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    408   awcidr.exe
    4116  htcf.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description      pid   process                                             target pid  target process
    wrote to memory  2880  fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe  408         awcidr.exe
    wrote to memory  2880  fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe  408         awcidr.exe
    wrote to memory  2880  fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe  408         awcidr.exe
    wrote to memory  2880  fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe  4116        htcf.exe
    wrote to memory  2880  fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe  4116        htcf.exe
    wrote to memory  2880  fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe  4116        htcf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - PID: 2880
  - C:\Users\Admin\AppData\Local\Temp\awcidr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\awcidr.exe
    - Executes dropped EXE
    - PID: 408
  - C:\Users\Admin\AppData\Local\Temp\htcf.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\htcf.exe
    - Executes dropped EXE
    - PID: 4116
Downloads
- C:\Users\Admin\AppData\Local\Temp\awcidr.exe
  Filesize: 328KB
  MD5: 1482cf184afd0e7f9c59c42382201b4a
  SHA1: baff10fb5f766f6c49ad27288f7e221428f17c37
  SHA256: 37d470d9d2088b24a73b885f2fe6ce52eabec12919756a4c6d06e7ea5b6d70ef
  SHA512: 62ab5bd47695a3ee92a280ffe380487840c888d647e3a06bc45c909ae40dbdb8d688963342fa060f2ecfd9a1f922a8d2f471ea6fc5b586bcdb2ed33b603b1ebc
- C:\Users\Admin\AppData\Local\Temp\htcf.exe
  Filesize: 52KB
  MD5: 6b0d03f641ee2a2401bef42da22fde1a
  SHA1: a55c2a62c3d15f89673364fab8b820e1fe66262c
  SHA256: 1558d850b6f28eea5684a196966bcbf06aac0ac3abdb86b571355ca41f216481
  SHA512: 4a0fb4da35725b7657e8510bc8767f3695f2bb327c54a2202d68339f60e05675887d1afd9f506435f4bb9f200c6ef82c55b4cfb4eb9841aa3deaac3169a0ccf3
- memory/408-8-0x0000000000600000-0x000000000060B000-memory.dmp
  Filesize: 44KB
- memory/408-9-0x0000000000400000-0x00000000005F5000-memory.dmp
  Filesize: 2.0MB
- memory/408-13-0x0000000000400000-0x00000000005F5000-memory.dmp
  Filesize: 2.0MB
- memory/408-17-0x0000000000400000-0x00000000005F5000-memory.dmp
  Filesize: 2.0MB
- memory/408-18-0x00000000024D0000-0x0000000002787000-memory.dmp
  Filesize: 2.7MB
- memory/4116-10-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/4116-11-0x0000000000590000-0x00000000005D2000-memory.dmp
  Filesize: 264KB
- memory/4116-12-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/4116-19-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/4116-20-0x0000000000590000-0x00000000005D2000-memory.dmp
  Filesize: 264KB