Analysis

max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 11:45
Behavioral task: behavioral1
Sample: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General

Target: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Size: 77KB
MD5: fa39f0ee34d558d972ab192901c9ca62
SHA1: 6a742c21728ecad9781e465034f0653889a1e9ad
SHA256: bf89dae393e83aaa42efbbb88417bd9aaa7bbcfc47dd564e9367aa2db0822a03
SHA512: cbd89ff63756d3e46e8190968f0b2a5bbc25ae4d616857135b1e860c1c46fbdeec696257f6392fe95dedb3db468c5964b70d3d28e02d3bbf5eeffc744f1dd691
SSDEEP: 1536:GCesb1DS6HUTn5Dof9VOQA1/TOfXRN6dZBbM+eqRPj57FulH:GkogW58f9V01qf/4deqR71FulH
Malware Config

Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\ymic.exe" | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
pid | Process
1512 | ymic.exe
2596 | ymic.exe

YARA rule matches
resource | yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/1720-15-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/files/0x000900000001447e-24.dat | upx
behavioral1/memory/1512-29-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/1512-48-0x0000000000400000-0x0000000000420000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\ymic.exe" | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1720 set thread context of 2192 | 1720 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe | 28
PID 1512 set thread context of 2596 | 1512 | ymic.exe | 30

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\ymic.exe | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
File opened for modification | C:\Windows\ymic.exe | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
File created | C:\Windows\logfile32.txt | ymic.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2192 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
2192 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
2192 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
2596 | ymic.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2192 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Token: SeDebugPrivilege | 2596 | ymic.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1720 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
1512 | ymic.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 1720 wrote to memory of 2192 | 1720 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe | 28 (9 events)
PID 2192 wrote to memory of 1512 | 2192 | fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe | 29 (4 events)
PID 1512 wrote to memory of 2596 | 1512 | ymic.exe | 30 (9 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe (PID 1720)
   Command line: "C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe (PID 2192)
      Command line: C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\ymic.exe (PID 1512)
         Command line: "C:\Windows\ymic.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\ymic.exe (PID 2596)
            Command line: C:\Windows\ymic.exe
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 77KB
MD5: fa39f0ee34d558d972ab192901c9ca62
SHA1: 6a742c21728ecad9781e465034f0653889a1e9ad
SHA256: bf89dae393e83aaa42efbbb88417bd9aaa7bbcfc47dd564e9367aa2db0822a03
SHA512: cbd89ff63756d3e46e8190968f0b2a5bbc25ae4d616857135b1e860c1c46fbdeec696257f6392fe95dedb3db468c5964b70d3d28e02d3bbf5eeffc744f1dd691