Analysis
-
max time kernel
140s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
19-04-2024 06:44
General
-
Target
f9bb522ae0a4aa47a6d94bc99e215bb6_JaffaCakes118.exe
-
Size
1.8MB
-
MD5
f9bb522ae0a4aa47a6d94bc99e215bb6
-
SHA1
665c41342fa5b963bb29fc78b27fd6798ceb3f4f
-
SHA256
1013ad1290523f5417ed789d11900f8ae804c0d81ed60af75684039fb06223b8
-
SHA512
6a16c60bb872ddfca4d522bd87ebee7010a135287923081a7bf93c3bd3e0805353c241f13634c86523a8e19958a4dd63c81bbbfa63b6a7ec33f67b949415ef8d
-
SSDEEP
49152:pJ2G79v/xSHzBJ6WC+j2bpW+6Q4GIPs7eBl3au:pJ2G7J/xSKWmbp9F4Gr
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
Detect Lumma Stealer payload V4 22 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 20 IoCs
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 42 IoCs
-
Themida packer 29 IoCs
Detects Themida, an advanced Windows software protection system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9bb522ae0a4aa47a6d94bc99e215bb6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9bb522ae0a4aa47a6d94bc99e215bb6_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Mayoko110.msi"2⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\MINE.exe"C:\Users\Admin\AppData\Local\Temp\MINE.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 668 "C:\Users\Admin\AppData\Local\Temp\MINE.exe"3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 768 "C:\Windows\SysWOW64\windows_update.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 784 "C:\Windows\SysWOW64\windows_update.exe"5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 792 "C:\Windows\SysWOW64\windows_update.exe"6⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 788 "C:\Windows\SysWOW64\windows_update.exe"7⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 800 "C:\Windows\SysWOW64\windows_update.exe"8⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 796 "C:\Windows\SysWOW64\windows_update.exe"9⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 808 "C:\Windows\SysWOW64\windows_update.exe"10⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 812 "C:\Windows\SysWOW64\windows_update.exe"11⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\windows_update.exeC:\Windows\system32\windows_update.exe 816 "C:\Windows\SysWOW64\windows_update.exe"12⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat13⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg14⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
331KB
MD5c6b2b9d56db7b703f815cfb6c3afe15f
SHA1755374a9e93762d5cc954b9ac8b7806b0350f5e9
SHA256f5d26026febd4fb52b651fd2cb0677289a32db2dda7a76fa161a0f72f3e1f7b4
SHA512a1e92ff0aec339275747f86c6261a2e78bd4511b406fd90e22e8514a76bf161c4758135e2142ccc472e4d4d04c9911853d17e27272c6c389e9bea6c01debcdd7
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
1.4MB
MD59c0595fe4367e61e2e578ef6fa5e3d0f
SHA199a64947b86b69e2dda873076e18433a63338729
SHA25660591d011a090da281ada86b6b9d505e7faa491ce23304b74f7e243a973d5714
SHA512898712fa3192ccdfbb0346119357bada0839d58d095c18099ac839778b10eb13372618bf0ad0187b4a4526f95a6058bb5bbcd137046bbfb7ef19c60fa0417c85
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
4KB
-
Filesize
1020KB
-
Filesize
4KB
-
Filesize
3.8MB