Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-04-2024 06:04
General
-
Target
fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe
-
Size
596KB
-
MD5
fc1707fcb742d93bf0f7808fb8d2e556
-
SHA1
c0ca459a87ec8a5257108876bc8e7acf42638126
-
SHA256
1d7cee63803dcd2695a0495e91a8a116cf57c2fcea60233ab15a3dc60d26bae1
-
SHA512
1d37de1f777adb7b3a3ce89fa165410178c3f125de53a24f7f622f128c0ac35d94133ff0b9932a11aa6203849b964799007a6a4ddf18608726062860d2747fd7
-
SSDEEP
6144:3f3KJtXH9d13vggfomhE2UfMxebJtgx+bqcmN9RZX5NQ3B7O:3mtNd1RQm6NKGJaxUAN5X5qx
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 18 IoCs
-
Loads dropped DLL 36 IoCs
-
Maps connected drives based on registry 3 TTPs 38 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 34 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc1707fcb742d93bf0f7808fb8d2e556_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Users\Admin\AppData\Local\Temp\FC1707~1.EXE2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wmpdf3.exe"C:\Windows\system32\wmpdf3.exe" C:\Windows\SysWOW64\wmpdf3.exe19⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\wmpdf3.exeFilesize
596KB
MD5fc1707fcb742d93bf0f7808fb8d2e556
SHA1c0ca459a87ec8a5257108876bc8e7acf42638126
SHA2561d7cee63803dcd2695a0495e91a8a116cf57c2fcea60233ab15a3dc60d26bae1
SHA5121d37de1f777adb7b3a3ce89fa165410178c3f125de53a24f7f622f128c0ac35d94133ff0b9932a11aa6203849b964799007a6a4ddf18608726062860d2747fd7
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/676-80-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/676-75-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/676-74-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/832-64-0x0000000002E20000-0x0000000002EB5000-memory.dmpFilesize
596KB
-
memory/832-60-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/832-61-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/832-65-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/844-47-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/844-44-0x0000000002F40000-0x0000000002FD5000-memory.dmpFilesize
596KB
-
memory/844-41-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/876-67-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/876-73-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/876-68-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/932-59-0x00000000042A0000-0x0000000004335000-memory.dmpFilesize
596KB
-
memory/932-58-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/932-55-0x00000000042A0000-0x0000000004335000-memory.dmpFilesize
596KB
-
memory/932-53-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1640-35-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/1640-34-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1640-40-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1640-38-0x00000000042B0000-0x0000000004345000-memory.dmpFilesize
596KB
-
memory/1720-103-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/1720-108-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1788-87-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1788-92-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1828-98-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1828-91-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/1828-93-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2056-81-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2056-86-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2056-79-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2256-104-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2256-97-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2256-102-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2288-158-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2288-120-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2288-118-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2316-110-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2316-115-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2316-113-0x0000000002F30000-0x0000000002FC5000-memory.dmpFilesize
596KB
-
memory/2316-145-0x0000000074D20000-0x0000000074D29000-memory.dmpFilesize
36KB
-
memory/2464-50-0x0000000004540000-0x00000000045D5000-memory.dmpFilesize
596KB
-
memory/2464-52-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2548-27-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2548-26-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2548-33-0x0000000004360000-0x00000000043F5000-memory.dmpFilesize
596KB
-
memory/2548-32-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2548-31-0x0000000004360000-0x00000000043F5000-memory.dmpFilesize
596KB
-
memory/2648-12-0x0000000002E60000-0x0000000002EF5000-memory.dmpFilesize
596KB
-
memory/2648-0-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2648-2-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/2648-17-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2648-1-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2648-18-0x0000000002E60000-0x0000000002EF5000-memory.dmpFilesize
596KB
-
memory/2648-16-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2688-15-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2688-14-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2688-24-0x0000000002FA0000-0x0000000003035000-memory.dmpFilesize
596KB
-
memory/2688-25-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2820-157-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2820-159-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2820-161-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB