Analysis
max time kernel: 139s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 19-04-2024 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
Size: 228KB
MD5: f99b3b75f86bb6e275b7500fefe178ef
SHA1: b31f72450b435373e6a1d2d77092d0cc33d7580a
SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a
SHA512: 3441cf5b34e52cef448a4b0b06cb1cac58de26ce4ed7bea8c93d5bd5f1090e150c86d400dcbda0dda51468592388e6ae4531e5d519ed3e779724d40caba6c58c
SSDEEP: 3072:bsu3qM4wU4qOC1eljl+G4OKHfdOAfRw3y1hdlUVaZb2N9RUN1tCeTb:VqM4DfWjl+VpHfdOShr4a92DGN1Db
Malware Config
Extracted: metasploit
  encoder/fnstenv_mov
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Executes dropped EXE (20 IoCs)
pid   Process
2608  winIogon.exe
2524  winIogon.exe
2452  winIogon.exe
2900  winIogon.exe
568   winIogon.exe
2580  winIogon.exe
368   winIogon.exe
2664  winIogon.exe
1320  winIogon.exe
1536  winIogon.exe
1008  winIogon.exe
1716  winIogon.exe
1968  winIogon.exe
752   winIogon.exe
1504  winIogon.exe
3036  winIogon.exe
2592  winIogon.exe
2532  winIogon.exe
2400  winIogon.exe
2420  winIogon.exe

Loads dropped DLL (21 IoCs)
pid   Process
2072  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
2072  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
2608  winIogon.exe
2524  winIogon.exe
2524  winIogon.exe
2900  winIogon.exe
2900  winIogon.exe
2580  winIogon.exe
2580  winIogon.exe
2664  winIogon.exe
2664  winIogon.exe
1536  winIogon.exe
1536  winIogon.exe
1716  winIogon.exe
1716  winIogon.exe
752   winIogon.exe
752   winIogon.exe
3036  winIogon.exe
3036  winIogon.exe
2532  winIogon.exe
2532  winIogon.exe

Drops file in System32 directory (22 IoCs)
description                   ioc                               Process
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File opened for modification  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe
File created                  C:\Windows\SysWOW64\winIogon.exe  winIogon.exe

Suspicious use of SetThreadContext (11 IoCs)
description                          pid   Process                                              procid_target
PID 3008 set thread context of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 2608 set thread context of 2524  2608  winIogon.exe                                         30
PID 2452 set thread context of 2900  2452  winIogon.exe                                         32
PID 568 set thread context of 2580   568   winIogon.exe                                         34
PID 368 set thread context of 2664   368   winIogon.exe                                         38
PID 1320 set thread context of 1536  1320  winIogon.exe                                         40
PID 1008 set thread context of 1716  1008  winIogon.exe                                         42
PID 1968 set thread context of 752   1968  winIogon.exe                                         44
PID 1504 set thread context of 3036  1504  winIogon.exe                                         46
PID 2592 set thread context of 2532  2592  winIogon.exe                                         48
PID 2400 set thread context of 2420  2400  winIogon.exe                                         50

Suspicious use of SetWindowsHookEx (11 IoCs)
pid   Process
3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
2608  winIogon.exe
2452  winIogon.exe
568   winIogon.exe
368   winIogon.exe
1320  winIogon.exe
1008  winIogon.exe
1968  winIogon.exe
1504  winIogon.exe
2592  winIogon.exe
2400  winIogon.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                      pid   Process                                              procid_target
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 3008 wrote to memory of 2072  3008  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  28
PID 2072 wrote to memory of 2608  2072  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  29
PID 2072 wrote to memory of 2608  2072  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  29
PID 2072 wrote to memory of 2608  2072  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  29
PID 2072 wrote to memory of 2608  2072  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe  29
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2608 wrote to memory of 2524  2608  winIogon.exe                                         30
PID 2524 wrote to memory of 2452  2524  winIogon.exe                                         31
PID 2524 wrote to memory of 2452  2524  winIogon.exe                                         31
PID 2524 wrote to memory of 2452  2524  winIogon.exe                                         31
PID 2524 wrote to memory of 2452  2524  winIogon.exe                                         31
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2452 wrote to memory of 2900  2452  winIogon.exe                                         32
PID 2900 wrote to memory of 568   2900  winIogon.exe                                         33
PID 2900 wrote to memory of 568   2900  winIogon.exe                                         33
PID 2900 wrote to memory of 568   2900  winIogon.exe                                         33
PID 2900 wrote to memory of 568   2900  winIogon.exe                                         33
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 568 wrote to memory of 2580   568   winIogon.exe                                         34
PID 2580 wrote to memory of 368   2580  winIogon.exe                                         37
PID 2580 wrote to memory of 368   2580  winIogon.exe                                         37
PID 2580 wrote to memory of 368   2580  winIogon.exe                                         37
PID 2580 wrote to memory of 368   2580  winIogon.exe                                         37
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 368 wrote to memory of 2664   368   winIogon.exe                                         38
PID 2664 wrote to memory of 1320  2664  winIogon.exe                                         39
PID 2664 wrote to memory of 1320  2664  winIogon.exe                                         39
PID 2664 wrote to memory of 1320  2664  winIogon.exe                                         39
Processes
1. C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3008

2. C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2072

3. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 472 "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2608

4. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2524

5. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2452

6. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2900

7. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 568

8. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2580

9. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 368

10. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2664

11. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   PID: 1320

12. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 1536

13. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   PID: 1008

14. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 1716

15. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   PID: 1968

16. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 752

17. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   PID: 1504

18. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 3036

19. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   PID: 2592

20. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 2532

21. C:\Windows\SysWOW64\winIogon.exe
   Command line: C:\Windows\system32\winIogon.exe 508 "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   PID: 2400

22. C:\Windows\SysWOW64\winIogon.exe
   Command line: "C:\Windows\SysWOW64\winIogon.exe"
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2420