Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 01:39
Static task: static1
Behavioral task: behavioral1
  Sample: f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
- Size: 5.6MB
- MD5: f938fc9db448a786e0f335b08d3e49b3
- SHA1: 6c43310964cf66c3122673899164022ff25df508
- SHA256: 36f73e1b174faf36802edbb9cb999a566112fc61aada6a393788593048b7a7a3
- SHA512: 44ad069dfb8c9e646c75ba76439e6d15d33d3f548dccb5d5f14e52f545ab196c4c3ba5f46d4c88158b3abc1cc30d59ff5db6467b142ea975171a7894146abb90
- SSDEEP: 98304:aGdUKip5Wn9VvFeHmi/jmANuvqKmGlSuftdcNSWJVMg2YRW+P2KEkUeQ:ldi3WZi7MqKmGwu1yNSWnV2IW5dJ
Malware Config
- Extracted: metasploit
  encoder/shikata_ga_nai
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoCs)
  pid   Process
  2680  Download_Manager1.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                        Process
  Key opened   \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine  Download_Manager1.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                        pid   Process
  Token: 33                          2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Token: 33                          2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Token: 33                          2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Token: 33                          2680  Download_Manager1.exe
  Token: SeIncBasePriorityPrivilege  2680  Download_Manager1.exe
  Token: 33                          2680  Download_Manager1.exe
  Token: SeIncBasePriorityPrivilege  2680  Download_Manager1.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                             procid_target
  PID 2240 wrote to memory of 2680  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe  28
  PID 2240 wrote to memory of 2680  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe  28
  PID 2240 wrote to memory of 2680  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe  28
  PID 2240 wrote to memory of 2680  2240  f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe"
  PID: 2240
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Download_Manager1.exe"
    PID: 2680
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe
  Filesize: 17KB
  MD5: 8306f3109ad8ffe3cdb2729182d28824
  SHA1: ebc35a31509b54f0a5538b149a2c2520beb644a7
  SHA256: 8082a7a74ad4d1c1e18a4d5e18e095d1a5ae5d95502cbfb221965f06ef1be2a1
  SHA512: a7c46a96c059b1e03d4cbdaed25ec7d7388c0feb98ec2defb06ee023a0b9888a83210e3900e36bfa2312b6f96057bb575642559a2cc2babd93c4d281862a92c4