Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
Size: 228KB
MD5: f99b3b75f86bb6e275b7500fefe178ef
SHA1: b31f72450b435373e6a1d2d77092d0cc33d7580a
SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a
SHA512: 3441cf5b34e52cef448a4b0b06cb1cac58de26ce4ed7bea8c93d5bd5f1090e150c86d400dcbda0dda51468592388e6ae4531e5d519ed3e779724d40caba6c58c
SSDEEP: 3072:bsu3qM4wU4qOC1eljl+G4OKHfdOAfRw3y1hdlUVaZb2N9RUN1tCeTb:VqM4DfWjl+VpHfdOShr4a92DGN1Db
Malware Config
Extracted: metasploit (encoder/fnstenv_mov)
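The extracted config names the encoder, not the payload: the sandbox recognised an fnstenv/XOR decoder stub of the kind Metasploit's x86/fnstenv_mov encoder prepends to a payload. The stub obtains its own address with the fnstenv GetPC trick (an FPU instruction records its address in the FPU environment, fnstenv dumps that environment to the stack, pop recovers it), then XORs the following dwords with one static key in a loop. The script below is an added example, not code from the report or from Metasploit: it finds such a stub in a blob, reads the dword count and key out of it and decodes the payload. The exact byte sequence of the Metasploit stub is reproduced from memory and is an assumption to verify against the module source before using it as a signature; `encode_like_fnstenv_mov` exists only to build a constructed test blob.

```python
"""Recover the payload behind a Metasploit-style fnstenv/XOR decoder stub.

Added example, not part of the report or of Metasploit. The stub layout is the
fnstenv GetPC idiom followed by a static-key dword XOR loop; the byte sequence
of the x86/fnstenv_mov decoder is reproduced from memory (assumption).
"""
import struct

# Decoder stub layout (offsets relative to the stub start):
#   0: 6A nn             push nn                  ; nn = number of encoded dwords
#   2: 59                pop ecx                  ; loop counter
#   3: D9 EE             fldz                     ; any FPU op: the FPU records its address (FIP)
#   5: D9 74 24 F4       fnstenv [esp-0xC]        ; FIP (env offset 12) lands exactly at [esp]
#   9: 5B                pop ebx                  ; ebx = address of fldz -> position independence
#  10: 81 73 13 kkkkkkkk xor dword [ebx+0x13],key ; 0x13 = 19 = distance from fldz to offset 22
#  17: 83 EB FC          sub ebx, -4              ; advance one dword (no NUL byte, unlike add ebx,4)
#  20: E2 F4             loop -12                 ; back to the xor until ecx reaches 0
#  22: first encoded dword
STUB_HEAD = bytes.fromhex("59 d9 ee d9 74 24 f4 5b 81 73 13")  # offsets 2..12
STUB_TAIL = bytes.fromhex("83 eb fc e2 f4")                     # offsets 17..21
STUB_LEN = 22


def _xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of data with the same 32-bit key."""
    return b"".join(
        struct.pack("<I", struct.unpack_from("<I", data, i)[0] ^ key)
        for i in range(0, len(data), 4)
    )


def encode_like_fnstenv_mov(payload: bytes, key: int) -> bytes:
    """Test helper: prepend the stub and XOR-encode payload (NOP-padded to a dword boundary)."""
    padded = payload + b"\x90" * (-len(payload) % 4)
    n = len(padded) // 4
    if not 1 <= n <= 0xFF:
        raise ValueError("push imm8 limits this stub to 255 dwords")
    stub = bytes([0x6A, n]) + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL
    return stub + _xor_dwords(padded, key)


def find_stub(blob: bytes) -> int:
    """Offset of the first decoder stub in blob, or -1. Count (1) and key (13..16) are wildcards."""
    for off in range(len(blob) - STUB_LEN + 1):
        if (blob[off] == 0x6A
                and blob[off + 2:off + 13] == STUB_HEAD
                and blob[off + 17:off + 22] == STUB_TAIL):
            return off
    return -1


def decode_fnstenv_mov(blob: bytes) -> dict:
    """Locate the stub, pull count and key out of it, and decode the dwords that follow it."""
    off = find_stub(blob)
    if off < 0:
        raise ValueError("no fnstenv/xor decoder stub found")
    n = blob[off + 1]
    key = struct.unpack_from("<I", blob, off + 13)[0]
    start = off + STUB_LEN
    encoded = blob[start:start + 4 * n]
    if len(encoded) != 4 * n:
        raise ValueError("blob ends before the %d encoded dwords" % n)
    return {"stub_offset": off, "dwords": n, "key": key,
            "payload": _xor_dwords(encoded, key)}


if __name__ == "__main__":
    # Constructed input: a known plaintext wrapped in the stub, as a real sample would carry it.
    blob = b"\x00" * 7 + encode_like_fnstenv_mov(b"hello, world", 0xDEADBEEF)
    print(decode_fnstenv_mov(blob))
```

Because the key is a single immediate and every dword is XORed with it, decoding needs no emulation; this is also why the stub itself is an easy static signature, which is what the sandbox's extractor keyed on here. Shikata-style encoders with a rolling key would need the loop to be walked.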
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Executes dropped EXE (20 IoCs)
pid   Process
3940  winIogon.exe
2416  winIogon.exe
492   winIogon.exe
452   winIogon.exe
4968  winIogon.exe
2648  winIogon.exe
3152  winIogon.exe
1780  winIogon.exe
3004  winIogon.exe
2564  winIogon.exe
2164  winIogon.exe
3376  winIogon.exe
1512  winIogon.exe
4404  winIogon.exe
1084  winIogon.exe
4432  winIogon.exe
5000  winIogon.exe
3152  winIogon.exe
2504  winIogon.exe
3252  winIogon.exe
PID 3152 appears twice: Windows reuses a PID once the earlier process has exited, so these are two distinct winIogon.exe instances (tree depths 9 and 20 below).
Drops file in System32 directory (22 IoCs, grouped by description and writing process; the ioc is the same path in every row)
description                   ioc                                Process                                              count
File created                  C:\Windows\SysWOW64\winIogon.exe   f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe   1
File created                  C:\Windows\SysWOW64\winIogon.exe   winIogon.exe                                         10
File opened for modification  C:\Windows\SysWOW64\winIogon.exe   f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe   1
File opened for modification  C:\Windows\SysWOW64\winIogon.exe   winIogon.exe                                         10
Suspicious use of SetThreadContext (11 IoCs)
description                          pid   Process                                              procid_target
PID 2608 set thread context of 2136  2608  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe   92
PID 3940 set thread context of 2416  3940  winIogon.exe                                         96
PID 492 set thread context of 452    492   winIogon.exe                                         104
PID 4968 set thread context of 2648  4968  winIogon.exe                                         108
PID 3152 set thread context of 1780  3152  winIogon.exe                                         111
PID 3004 set thread context of 2564  3004  winIogon.exe                                         113
PID 2164 set thread context of 3376  2164  winIogon.exe                                         115
PID 1512 set thread context of 4404  1512  winIogon.exe                                         117
PID 1084 set thread context of 4432  1084  winIogon.exe                                         119
PID 5000 set thread context of 3152  5000  winIogon.exe                                         121
PID 2504 set thread context of 3252  2504  winIogon.exe                                         123
Suspicious use of SetWindowsHookEx (11 IoCs)
pid   Process
2608  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
3940  winIogon.exe
492   winIogon.exe
4968  winIogon.exe
3152  winIogon.exe
3004  winIogon.exe
2164  winIogon.exe
1512  winIogon.exe
1084  winIogon.exe
5000  winIogon.exe
2504  winIogon.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report logs one row per call, collapsed here to one row per writer/target pair with the call count)
description                        pid   Process                                              procid_target  calls
PID 2608 wrote to memory of 2136   2608  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe   92             8
PID 2136 wrote to memory of 3940   2136  f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe   95             3
PID 3940 wrote to memory of 2416   3940  winIogon.exe                                         96             8
PID 2416 wrote to memory of 492    2416  winIogon.exe                                         103            3
PID 492 wrote to memory of 452     492   winIogon.exe                                         104            8
PID 452 wrote to memory of 4968    452   winIogon.exe                                         107            3
PID 4968 wrote to memory of 2648   4968  winIogon.exe                                         108            8
PID 2648 wrote to memory of 3152   2648  winIogon.exe                                         110            3
PID 3152 wrote to memory of 1780   3152  winIogon.exe                                         111            8
PID 1780 wrote to memory of 3004   1780  winIogon.exe                                         112            3
PID 3004 wrote to memory of 2564   3004  winIogon.exe                                         113            8
PID 2564 wrote to memory of 2164   2564  winIogon.exe                                         114            1
The report's list stops at its 64th row; the chain continues in the process tree below.
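Read together, the three signature lists describe one repeating step: a process writes into a child that runs its own image (eight WriteProcessMemory calls), then calls SetThreadContext on it, and that child in turn writes three times into a freshly dropped winIogon.exe before the pattern repeats. The script below is an added example, not part of the report, that rebuilds those edges from the report's own flattened IoC rows and labels each pair. It keys processes on the report's procid_target column (assumed here to be the sandbox's per-process record id, increasing with creation order) instead of the bare PID, so the two different processes that both ran as PID 3152 stay separate. SAMPLE_IOCS is a constructed subset of the rows above, one row per logged call; because the report's WriteProcessMemory list stops at 64 rows, the 5000 → 3152 edge has a SetThreadContext row but no writes, and the code reports exactly that.

```python
"""Rebuild the injection chain from the report's flattened IoC rows (added example).

Column order is the report's: description, pid, Process, procid_target.
"""
import re

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<act>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<dst_id>\d+)$"
)

SAMPLE = "f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
# Constructed subset of the report's rows; repetition count = calls logged by the sandbox.
SAMPLE_IOCS = (
    [f"PID 2608 set thread context of 2136 2608 {SAMPLE} 92",
     "PID 3940 set thread context of 2416 3940 winIogon.exe 96",
     "PID 4968 set thread context of 2648 4968 winIogon.exe 108",
     "PID 3152 set thread context of 1780 3152 winIogon.exe 111",
     "PID 5000 set thread context of 3152 5000 winIogon.exe 121"]
    + [f"PID 2608 wrote to memory of 2136 2608 {SAMPLE} 92"] * 8
    + [f"PID 2136 wrote to memory of 3940 2136 {SAMPLE} 95"] * 3
    + ["PID 3940 wrote to memory of 2416 3940 winIogon.exe 96"] * 8
    + ["PID 2416 wrote to memory of 492 2416 winIogon.exe 103"] * 3
    + ["PID 4968 wrote to memory of 2648 4968 winIogon.exe 108"] * 8
    + ["PID 2648 wrote to memory of 3152 2648 winIogon.exe 110"] * 3
    + ["PID 3152 wrote to memory of 1780 3152 winIogon.exe 111"] * 8
    + ["PID 1780 wrote to memory of 3004 1780 winIogon.exe 112"] * 3
)


def parse_iocs(lines):
    """Return (src_pid, action, dst_pid, src_image, dst_record_id) for every row that parses."""
    rows = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), m["act"], int(m["dst"]), m["image"], int(m["dst_id"])))
    return rows


def resolve_source(src_pid, dst_id, instances):
    """Map a source PID to the record id of the instance alive when dst_id was created:
    the latest record id for that PID that is smaller than dst_id. A PID never seen
    as a target (the root sample) gets a synthetic key."""
    cands = [rid for rid, pid in instances if pid == src_pid and rid < dst_id]
    return max(cands) if cands else f"pid:{src_pid}"


def verdict(edge):
    if edge["ctx"] and edge["writes"]:
        if edge["dst_image"] == edge["src_image"]:
            return "hollowing candidate: writes into a child running its own image, then SetThreadContext"
        return "thread-context injection into a child of a different or unknown image"
    if edge["ctx"]:
        return "SetThreadContext without observed writes"
    return "memory writes only"


def analyze(lines):
    rows = parse_iocs(lines)
    instances = {(dst_id, dst) for _, _, dst, _, dst_id in rows}
    images, edges = {}, {}          # record id -> image (learned when it acts as a source)
    for src, act, dst, image, dst_id in rows:
        src_key = resolve_source(src, dst_id, instances)
        images[src_key] = image
        e = edges.setdefault((src_key, dst_id), {
            "src_pid": src, "src_key": src_key, "dst_pid": dst, "dst_id": dst_id,
            "src_image": image, "dst_image": None, "writes": 0, "ctx": False})
        if act.startswith("wrote"):
            e["writes"] += 1
        else:
            e["ctx"] = True
    for e in edges.values():
        e["dst_image"] = images.get(e["dst_id"])   # None if the child never injected anyone
        e["verdict"] = verdict(e)
    return sorted(edges.values(), key=lambda e: e["dst_id"])


if __name__ == "__main__":
    for e in analyze(SAMPLE_IOCS):
        print(f'{e["src_pid"]:>5} -> {e["dst_pid"]:<5} writes={e["writes"]} ctx={e["ctx"]}  {e["verdict"]}')
```

The same-image check is what separates this pattern from ordinary child-process setup: a parent that writes into a suspended copy of itself and then resets the child's thread context is replacing the child's code before it ever runs, which is why the original image name on disk says nothing about what executes.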
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
  PID: 2608
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
  PID: 2136
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 972 "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
  PID: 3940
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 2416
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1124 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 492
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 452
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1096 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 4968
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 2648
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 3152
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 1780
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 3004
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 2564
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1096 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 2164
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

[depth 14] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 3376
  - Executes dropped EXE
  - Drops file in System32 directory

[depth 15] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 1512
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

[depth 16] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 4404
  - Executes dropped EXE
  - Drops file in System32 directory

[depth 17] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 1084
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

[depth 18] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 4432
  - Executes dropped EXE
  - Drops file in System32 directory

[depth 19] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 984 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 5000
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

[depth 20] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 3152
  - Executes dropped EXE
  - Drops file in System32 directory

[depth 21] C:\Windows\SysWOW64\winIogon.exe
  Command line: C:\Windows\system32\winIogon.exe 1096 "C:\Windows\SysWOW64\winIogon.exe"
  PID: 2504
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

[depth 22] C:\Windows\SysWOW64\winIogon.exe
  Command line: "C:\Windows\SysWOW64\winIogon.exe"
  PID: 3252
  - Executes dropped EXE
  - Drops file in System32 directory
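Two details of the tree are worth checking mechanically rather than by eye. The dropped file is named winIogon.exe with a capital I in place of the lowercase l of the legitimate winlogon.exe, which is indistinguishable in most sans-serif fonts. And every odd-depth process asks for C:\Windows\system32\winIogon.exe while its image path is C:\Windows\SysWOW64\winIogon.exe: the sample is 32-bit (the resource is tagged arch:x86), so WoW64 file-system redirection maps its system32 reference to SysWOW64. The script below is an added example, not part of the report: it collapses visually confusable characters in an image name and compares the result against a small list of Windows system binaries and their home directories. The only real input is the winIogon.exe path from the tree; the other paths are constructed, and both the binary list and the confusable map are minimal assumptions to extend before real use.

```python
"""Flag process image names that masquerade as Windows system binaries (added example).

SYSTEM_BINARIES and CONFUSABLES are hand-written minimal subsets (assumption).
"""
import ntpath

# legitimate name -> directory it normally lives in (lowercase for comparison)
SYSTEM_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Multi-character confusables first, then single characters. Applied before
# lowercasing so that a capital I (the winIogon.exe trick) maps to l.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("|", "l"),
               ("0", "o"), ("5", "s"), ("3", "e")]


def skeleton(name: str) -> str:
    """Collapse visually confusable characters so look-alike names compare equal."""
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name.lower()


def check_image(path: str) -> dict:
    """Classify one image path. Exact (case-insensitive) matches are tested first, so an
    all-caps legitimate name is never mangled by the skeleton step."""
    directory, name = ntpath.split(path)
    directory, lname = directory.lower(), name.lower()
    result = {"path": path, "name": name, "verdict": "ok", "matches": None, "expected_dir": None}
    if lname in SYSTEM_BINARIES:
        home = SYSTEM_BINARIES[lname]
        if directory != home:
            result.update(verdict="system-binary name outside its home directory",
                          matches=lname, expected_dir=home)
        return result
    sk = skeleton(name)
    if sk in SYSTEM_BINARIES:
        result.update(verdict="look-alike of a system binary",
                      matches=sk, expected_dir=SYSTEM_BINARIES[sk])
    return result


def scan_tree(paths):
    """Run check_image over a process tree's image paths; return non-ok results, one per distinct path."""
    seen, flagged = set(), []
    for p in paths:
        if p.lower() in seen:
            continue
        seen.add(p.lower())
        r = check_image(p)
        if r["verdict"] != "ok":
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    # Image paths from the tree above plus constructed negatives and positives.
    tree = [r"C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe",
            r"C:\Windows\SysWOW64\winIogon.exe", r"C:\Windows\SysWOW64\winIogon.exe"]
    for r in scan_tree(tree):
        print(f'{r["path"]}: {r["verdict"]} ({r["matches"]}, expected in {r["expected_dir"]})')
```

The directory check matters as much as the name check: a file called winlogon.exe in a user-writable or non-System32 location is as suspect as a look-alike spelling, and neither is caught by a rule that only compares the image name case-insensitively.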
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 228KB
MD5: f99b3b75f86bb6e275b7500fefe178ef
SHA1: b31f72450b435373e6a1d2d77092d0cc33d7580a
SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a
SHA512: 3441cf5b34e52cef448a4b0b06cb1cac58de26ce4ed7bea8c93d5bd5f1090e150c86d400dcbda0dda51468592388e6ae4531e5d519ed3e779724d40caba6c58c