Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 11:15
General
-
Target
ff27a4ed5c37e9bbeaf94cc15ed5fbe2_JaffaCakes118.exe
-
Size
168KB
-
MD5
ff27a4ed5c37e9bbeaf94cc15ed5fbe2
-
SHA1
5678d6b8ecb7661e8e5c1a3a2c4d209c3d7a3c1c
-
SHA256
a42d3b58c510be1f7a3cab1c72ec2482f462a71cb402ed4e1d2ab1ee5e448cf2
-
SHA512
a2d85ae8667f267757fab1a0d2e51151a35fcf2f1308df6c5661846fa933e4d82238fa86403441e1b6857111b177e3f87354875a45a2d28a91a7f59c978d407b
-
SSDEEP
3072:kwHbG1J8ZFgf+t5aoO28lXUKaYP6AGK8nsQqlrlgq8OMKZgC2lCDkVDclqL1Xc:B7HZFgfX2GXeYCAGZsBJjrZ8lwTlkXc
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 29 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Maps connected drives based on registry 3 TTPs 30 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 45 IoCs
-
Suspicious use of SetThreadContext 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff27a4ed5c37e9bbeaf94cc15ed5fbe2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ff27a4ed5c37e9bbeaf94cc15ed5fbe2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ff27a4ed5c37e9bbeaf94cc15ed5fbe2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ff27a4ed5c37e9bbeaf94cc15ed5fbe2_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\FF27A4~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\FF27A4~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwk32.exe"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe31⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\igfxwk32.exeFilesize
168KB
MD5ff27a4ed5c37e9bbeaf94cc15ed5fbe2
SHA15678d6b8ecb7661e8e5c1a3a2c4d209c3d7a3c1c
SHA256a42d3b58c510be1f7a3cab1c72ec2482f462a71cb402ed4e1d2ab1ee5e448cf2
SHA512a2d85ae8667f267757fab1a0d2e51151a35fcf2f1308df6c5661846fa933e4d82238fa86403441e1b6857111b177e3f87354875a45a2d28a91a7f59c978d407b
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/468-65-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/468-63-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/516-111-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/516-109-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/1428-131-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/1428-127-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/1868-72-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/1868-75-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2244-146-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2244-148-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2244-152-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2380-158-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2380-162-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2808-120-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2808-117-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2864-137-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2864-141-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3448-92-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3448-90-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3492-82-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3492-84-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3832-3-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3832-0-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3832-38-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3832-4-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/3832-2-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4192-55-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4192-54-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4364-167-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4364-172-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4588-99-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4588-102-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4848-47-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4848-45-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB