Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 11:45
Behavioral task behavioral1
Sample: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
Size: 77KB
MD5: fa39f0ee34d558d972ab192901c9ca62
SHA1: 6a742c21728ecad9781e465034f0653889a1e9ad
SHA256: bf89dae393e83aaa42efbbb88417bd9aaa7bbcfc47dd564e9367aa2db0822a03
SHA512: cbd89ff63756d3e46e8190968f0b2a5bbc25ae4d616857135b1e860c1c46fbdeec696257f6392fe95dedb3db468c5964b70d3d28e02d3bbf5eeffc744f1dd691
SSDEEP: 1536:GCesb1DS6HUTn5Dof9VOQA1/TOfXRN6dZBbM+eqRPj57FulH:GkogW58f9V01qf/4deqR71FulH
Malware Config
Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\ymic.exe" (process: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  PID 1968: ymic.exe
  PID 4008: ymic.exe
- YARA rule match: upx (5 resources)
  behavioral2/memory/856-0-0x0000000000400000-0x0000000000420000-memory.dmp
  behavioral2/memory/856-6-0x0000000000400000-0x0000000000420000-memory.dmp
  behavioral2/files/0x00090000000233b5-12.dat
  behavioral2/memory/1968-14-0x0000000000400000-0x0000000000420000-memory.dmp
  behavioral2/memory/1968-24-0x0000000000400000-0x0000000000420000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\ymic.exe" (process: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe)
  Note: WOW6432Node is the WOW64-redirected view of HKLM\SOFTWARE that a 32-bit process sees on x64 Windows, so this is the ordinary machine-wide Run key and the entry launches at every user logon. The same value name and launch path are also written under the Policies\Explorer\Run key above, giving the dropped ymic.exe two autostart entries.
- Suspicious use of SetThreadContext (2 IoCs)
  PID 856 set thread context of PID 5104 (fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe, procid_target 89)
  PID 1968 set thread context of PID 4008 (ymic.exe, procid_target 92)
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\ymic.exe (process: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe)
  File opened for modification: C:\Windows\ymic.exe (process: fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe)
  File created: C:\Windows\logfile32.txt (process: ymic.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 5104 fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe (6 events)
  PID 4008 ymic.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 5104 fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 4008 ymic.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 856 fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
  PID 1968 ymic.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 856 wrote to memory of PID 5104 (fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe, procid_target 89): 8 events
  PID 5104 wrote to memory of PID 1968 (fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe, procid_target 90): 3 events
  PID 1968 wrote to memory of PID 4008 (ymic.exe, procid_target 92): 8 events
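The two registry writes in the signatures above (the Policies\Explorer\Run key and the WOW6432Node Run key, both pointing at C:\Windows\ymic.exe) are the sample's persistence. The Python below is an added example, not part of this report or of the sandbox's tooling: it evaluates Sysmon-style registry records (event type, target object, value data, writing image), maps the native \REGISTRY\MACHINE path to HKLM, strips the WOW6432Node redirection so 32-bit and 64-bit writes compare equal, and flags autorun entries that are rarely legitimate. The sample records are constructed from the IoCs listed above plus one constructed benign Run entry; the field names, the list of "suspicious" directories and the reason strings are assumptions of this example.

```python
import re

# Autorun key suffixes in logical (non-redirected) form, lower case.
AUTORUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
POLICY_RUN = AUTORUN_KEYS[2]
# Directories from which an autorun launch path is rarely legitimate (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
WINDOWS_ROOT = "c:\\windows\\"


def normalize_key(path):
    """Map a native-format path (\\REGISTRY\\MACHINE\\...) to HKLM/HKU and drop the
    WOW6432Node redirection so a 32-bit write to Run equals the 64-bit one."""
    low = path.lower()
    for prefix, hive in (("\\registry\\machine\\", "HKLM\\"), ("\\registry\\user\\", "HKU\\")):
        if low.startswith(prefix):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\wow6432node\\", lambda _: "\\", path, flags=re.I)


def autorun_key(key):
    """Return the autorun suffix the key matches, or None."""
    low = key.lower()
    return next((s for s in AUTORUN_KEYS if low.endswith(s)), None)


def launch_path_reasons(details):
    """Why the launch string stored in an autorun value looks wrong."""
    exe = details.strip().strip('"').replace("\\\\", "\\").lower()
    reasons = []
    # An executable sitting directly in C:\Windows\ (not a subfolder) is a dropper tell.
    if exe.startswith(WINDOWS_ROOT) and "\\" not in exe[len(WINDOWS_ROOT):]:
        reasons.append("executable dropped directly in the Windows root")
    if any(d in exe for d in USER_WRITABLE):
        reasons.append("executable in a user-writable directory")
    return reasons


def evaluate(record):
    """record: Sysmon-like dict with EventType, TargetObject, Details, Image."""
    target = normalize_key(record["TargetObject"])
    if record["EventType"] == "SetValue":
        key, _, value_name = target.rpartition("\\")
    else:  # CreateKey / DeleteKey: TargetObject is the key itself
        key, value_name = target, None
    suffix = autorun_key(key)
    if suffix is None:
        return None
    reasons = []
    if suffix == POLICY_RUN:
        reasons.append("Policies\\Explorer\\Run is seldom touched by legitimate installers")
    if value_name is not None:
        reasons.extend(launch_path_reasons(record.get("Details", "")))
    if not reasons:
        return None
    return {"key": key, "value": value_name, "data": record.get("Details"),
            "image": record["Image"], "reasons": reasons}


def scan(records):
    return [hit for hit in map(evaluate, records) if hit]


SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe"
# Constructed records: the three from the report's IoCs, then one constructed benign entry.
SAMPLE_RECORDS = [
    {"EventType": "CreateKey", "Image": SAMPLE_IMAGE, "Details": "",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
    {"EventType": "SetValue", "Image": SAMPLE_IMAGE, "Details": r'"C:\\Windows\\ymic.exe"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup"},
    {"EventType": "SetValue", "Image": SAMPLE_IMAGE, "Details": r'"C:\\Windows\\ymic.exe"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "Details": r'"C:\\Windows\\system32\\SecurityHealthSystray.exe"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"{hit['image']} -> {hit['key']}\\{hit['value']} = {hit['data']}: {'; '.join(hit['reasons'])}")
```

Run as-is it reports the three writes made by the sample and stays silent on the constructed SecurityHealth entry. The Windows-root check is deliberately narrow (a subfolder such as system32 passes), so pair it with an allow-list of known Run values in production rather than treating a miss as clean.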
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe"
   PID: 856
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. Image: C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe
      PID: 5104 (child of 856)
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. Image: C:\Windows\ymic.exe
         Command line: "C:\Windows\ymic.exe"
         PID: 1968 (child of 5104)
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. Image: C:\Windows\ymic.exe
            Command line: C:\Windows\ymic.exe
            PID: 4008 (child of 1968)
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
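The tree shows each stage (PID 856, then the dropped ymic.exe as PID 1968) spawning a second copy of its own image and, per the SetThreadContext and WriteProcessMemory signatures, writing into that child and replacing its thread context; the persistence, process enumeration and SeDebugPrivilege activity then come from the hollowed children (5104 and 4008), not the launchers. The Python below is an added example and not part of the report: it parses signature lines in the report's own layout ("PID <src> wrote to memory of <dst> <src> <image> <procid_target>"), pairs write and thread-context events per source/target edge, and, using the parent/child relations from the tree, labels same-image parent-to-child edges that show both as hollowing candidates. The process tree and one representative line per edge are taken from this page; the verdict wording is mine.

```python
import re
from collections import defaultdict

# One line of the sandbox's SetThreadContext / WriteProcessMemory tables.
LINE_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\d+)")

# Process tree as shown in the report: (pid, parent pid, image name)
PROCESS_TREE = [
    (856, None, "fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe"),
    (5104, 856, "fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe"),
    (1968, 5104, "ymic.exe"),
    (4008, 1968, "ymic.exe"),
]

# One representative line per edge, copied from the signature tables.
SIGNATURE_LINES = """\
PID 856 set thread context of 5104 856 fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe 89
PID 1968 set thread context of 4008 1968 ymic.exe 92
PID 856 wrote to memory of 5104 856 fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe 89
PID 5104 wrote to memory of 1968 5104 fa39f0ee34d558d972ab192901c9ca62_JaffaCakes118.exe 90
PID 1968 wrote to memory of 4008 1968 ymic.exe 92
"""


def parse_events(text):
    """Return (src_pid, kind, dst_pid) tuples; kind is 'write' or 'context'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, action, dst, _image, _target = m.groups()
            kind = "write" if action.startswith("wrote") else "context"
            events.append((int(src), kind, int(dst)))
    return events


def classify_edges(events, tree):
    """Aggregate events per (src, dst) edge and attach a verdict to each edge."""
    image = {pid: img for pid, _, img in tree}
    parent = {pid: ppid for pid, ppid, _ in tree}
    counts = defaultdict(lambda: {"write": 0, "context": 0})
    for src, kind, dst in events:
        counts[(src, dst)][kind] += 1
    findings = []
    for (src, dst), c in sorted(counts.items()):
        same_image = image.get(src) == image.get(dst)
        is_child = parent.get(dst) == src
        if c["write"] and c["context"] and is_child and same_image:
            # WriteProcessMemory + SetThreadContext into a freshly spawned copy
            # of the caller's own image is the classic hollowing sequence.
            verdict = "process hollowing candidate: own image spawned as child, memory written, thread context replaced"
        elif c["write"] and c["context"]:
            verdict = "remote thread-context injection candidate"
        else:
            verdict = "memory write only; review with the child's command line"
        findings.append({"src": src, "dst": dst, "image": image.get(dst),
                         "writes": c["write"], "context_sets": c["context"],
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in classify_edges(parse_events(SIGNATURE_LINES), PROCESS_TREE):
        print(f"{f['src']} -> {f['dst']} ({f['image']}): {f['verdict']}")
```

On this report it yields two hollowing candidates (856 into 5104, 1968 into 4008) and one write-only edge (5104 into 1968, the dropper launching ymic.exe), which matches the behaviour the tree shows: the memory dumps worth pulling are those of the children, 5104 and 4008.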
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 77KB
MD5: fa39f0ee34d558d972ab192901c9ca62
SHA1: 6a742c21728ecad9781e465034f0653889a1e9ad
SHA256: bf89dae393e83aaa42efbbb88417bd9aaa7bbcfc47dd564e9367aa2db0822a03
SHA512: cbd89ff63756d3e46e8190968f0b2a5bbc25ae4d616857135b1e860c1c46fbdeec696257f6392fe95dedb3db468c5964b70d3d28e02d3bbf5eeffc744f1dd691