Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-05-2024 00:43
Behavioral task behavioral1
- Sample: 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe
- Size: 120KB
- MD5: 0d0320878946a73749111e6c94bf1525
- SHA1: 1e9b5c685640df11659aea7748d9bf3df70aadcf
- SHA256: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa
- SHA512: fc695dd905213d7b623d33d2fa9302399897970f3b8705182fa50e771dad13dac5d5d302a508cdc4f3fdb37122999f2d492188667b92050fe49a29abff53a8b1
- SSDEEP: 3072:UXRbYXL8o0Quhon01KRTjKB4phUQbAnL0e2gF7wUg4GR:UXl6LcheTW+bZbwphOr
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
- MetaSploit
Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: thinprobe.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (thinprobe.exe)
- Deletes itself (1 IoC)
Processes: thinprobe.exe (PID 4572)
- Executes dropped EXE (3 IoCs)
Processes: thinprobe.exe (PID 4572), thinprobe.exe (PID 4464), thinprobe.exe (PID 440)
- Loads dropped DLL (3 IoCs)
Processes: thinprobe.exe (PID 4572), thinprobe.exe (PID 4464), thinprobe.exe (PID 440)
- Drops file in Windows directory (1 IoC)
Processes: thinprobe.exe
  File opened for modification: C:\Windows\pcawhere\config.ini (thinprobe.exe)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svchost.exe (PID 4404); all 64 IoCs are attributed to this one process
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: thinprobe.exe (PID 4572), thinprobe.exe (PID 440)
  Token: SeDebugPrivilege, PID 4572 thinprobe.exe
  Token: SeDebugPrivilege, PID 440 thinprobe.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe (PID 3368), thinprobe.exe (PID 4572), thinprobe.exe (PID 440)
  PID 3368 (0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe) wrote to memory of PID 4572 (thinprobe.exe): 3 IoCs
  PID 4572 (thinprobe.exe) wrote to memory of PID 4464 (thinprobe.exe): 3 IoCs
  PID 440 (thinprobe.exe) wrote to memory of PID 4404 (svchost.exe): 5 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe"
  PID: 3368
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe
    PID: 4572
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\pcawhere\thinprobe.exe
      Command line: "C:\Windows\pcawhere\thinprobe.exe"
      PID: 4464
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Windows\pcawhere\thinprobe.exe
  Command line: C:\Windows\pcawhere\thinprobe.exe
  PID: 440
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -daemon
    PID: 4404
    - Suspicious behavior: EnumeratesProcesses
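Read together, the WriteProcessMemory IoCs and the process tree describe one chain: the sample in %TEMP% writes into the thinprobe.exe it extracted, that copy writes into a second copy under C:\Windows\pcawhere, and the copy under C:\Windows later starts a 32-bit svchost.exe with the non-standard argument -daemon and writes into it five times. The script below is an added example, not part of the sandbox report or its vendor's tooling: it rebuilds that graph from the flattened IoC records, using the report's own PIDs and command lines as constructed input, and flags the properties a responder would escalate on. The rule that a genuine svchost.exe is started by services.exe with a "-k <group>" argument is an assumption about normal Windows behaviour, not something the report states.

```python
"""Rebuild the cross-process write graph from a sandbox report's flattened
"Suspicious use of WriteProcessMemory" IoCs and process command lines, then
flag the injection chain a responder would escalate on.
Added example; not part of the report or the sandbox vendor's code."""
import re
from collections import defaultdict

# Constructed input, copied from the report above: one record per
# WriteProcessMemory IoC, and the command line of every process in the tree.
WRITE_IOCS = """\
PID 3368 wrote to memory of 4572 3368 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe thinprobe.exe
PID 3368 wrote to memory of 4572 3368 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe thinprobe.exe
PID 3368 wrote to memory of 4572 3368 0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe thinprobe.exe
PID 4572 wrote to memory of 4464 4572 thinprobe.exe thinprobe.exe
PID 4572 wrote to memory of 4464 4572 thinprobe.exe thinprobe.exe
PID 4572 wrote to memory of 4464 4572 thinprobe.exe thinprobe.exe
PID 440 wrote to memory of 4404 440 thinprobe.exe svchost.exe
PID 440 wrote to memory of 4404 440 thinprobe.exe svchost.exe
PID 440 wrote to memory of 4404 440 thinprobe.exe svchost.exe
PID 440 wrote to memory of 4404 440 thinprobe.exe svchost.exe
PID 440 wrote to memory of 4404 440 thinprobe.exe svchost.exe
"""

COMMAND_LINES = {
    3368: r'"C:\Users\Admin\AppData\Local\Temp\0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe"',
    4572: r"C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe",
    4464: r'"C:\Windows\pcawhere\thinprobe.exe"',
    440: r"C:\Windows\pcawhere\thinprobe.exe",
    4404: r"C:\Windows\SysWOW64\svchost.exe -daemon",
}

IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \S+")
# Folders under C:\Windows that legitimately hold executables (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_write_iocs(text):
    """{(writer_pid, target_pid): write_count} from the flattened IoC lines."""
    edges = defaultdict(int)
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(edges)


def split_cmdline(cmdline):
    """(lower-cased image path, argument list); handles a quoted image path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', cmdline)
    image = (m.group(1) or m.group(2)).lower()
    return image, m.group(3).split()


def audit(edges, cmdlines):
    """Return (severity, message) findings over the cross-process write graph."""
    findings = []
    for (writer, target), count in sorted(edges.items()):
        w_img, _ = split_cmdline(cmdlines[writer])
        t_img, t_args = split_cmdline(cmdlines[target])
        w_name = w_img.rsplit("\\", 1)[-1]
        t_name = t_img.rsplit("\\", 1)[-1]
        # Assumption: a real svchost.exe is started by services.exe with
        # "-k <group>". A dropped binary starting one with other arguments
        # and then writing into it is the hollowing / injection pattern.
        if t_name == "svchost.exe":
            if w_name != "services.exe":
                findings.append(("high", f"pid {target} svchost.exe written to "
                                 f"{count}x by non-services parent pid {writer} ({w_name})"))
            if "-k" not in t_args:
                findings.append(("high", f"pid {target} svchost.exe started "
                                 f"without -k (args={t_args})"))
        # Anything executing from a non-system folder directly under
        # C:\Windows (here C:\Windows\pcawhere) was put there by the sample.
        for pid, img in ((writer, w_img), (target, t_img)):
            if img.startswith("c:\\windows\\") and not img.startswith(SYSTEM_DIRS):
                findings.append(("medium", f"pid {pid} runs from non-system "
                                 f"Windows subdirectory: {img}"))
        # A binary in the user's temp folder writing into another process.
        if "\\appdata\\local\\temp\\" in w_img:
            findings.append(("medium", f"pid {writer} in %TEMP% wrote to "
                             f"pid {target} ({t_name}) {count}x"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_write_iocs(WRITE_IOCS), COMMAND_LINES):
        print(f"[{severity}] {message}")
```

Parent-to-child writes right after process creation can be ordinary setup, so the write count and the target's identity matter more than the edge itself; the five writes from PID 440 into an svchost.exe that services.exe did not start, combined with the EnumeratesProcesses activity the report attributes only to that svchost.exe, are the edge to triage first.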
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\7z76676D28\ThinHostProbedll.dll
  Filesize: 42KB
  MD5: bfb71e0efe5d9208aa9cbdfd4a85a52d
  SHA1: ea487fbad911df1f51aa9332336847e2d5dd68bf
  SHA256: c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
  SHA512: de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
- C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe
  Filesize: 69KB
  MD5: 65e6e6fffa769830d76ac4fae2433121
  SHA1: ced1d78304c4b4dfeb357739859587744e7530da
  SHA256: 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512: 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
- C:\Users\Admin\AppData\Local\Temp\7z76676D28\thumb.db
  Filesize: 51KB
  MD5: fe185cb4315658e561fd789181dfd1f3
  SHA1: dc6468dd9ab1c73210990c55cca82111ed21e00d
  SHA256: eb9f6f3fb6b70d1f49c1c92442a0f96e7583e757b035cb4343767cf9382eb354
  SHA512: 88347235e77553c976d5d45278d8d51d15815523fc57be73d21b6676ea9f296d16d6c96b6f81f1e3900c373717c589fa3c510ef8f6e33df72ea32ef036687382
- C:\Windows\pcawhere\config.ini
  Filesize: 49B
  MD5: 1163d48321d9f9c9dcca133aa32bb53f
  SHA1: 768f039bab4f30b15571422cd839cf8e96ee4b1b
  SHA256: 0a30ad4a1e8e0c289db205b9d805dd40d68428c03cee5df67bb5eff41cd25ba5
  SHA512: bd21e4bd4586b44f723dd12e31d535154263091faccbcc84f309f0021d5cef0c2138d3a385310c093917b0bde7de9e9f48dbecf9ece33d2c2a28ce32bcdd3bab
- memory/440-35-0x0000000075260000-0x000000007526D000-memory.dmp
  Filesize: 52KB
- memory/440-47-0x0000000075260000-0x000000007526D000-memory.dmp
  Filesize: 52KB
- memory/440-40-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB
- memory/3368-20-0x0000000000400000-0x000000000040D000-memory.dmp
  Filesize: 52KB
- memory/4404-41-0x0000000001100000-0x000000000110D000-memory.dmp
  Filesize: 52KB
- memory/4464-48-0x0000000075260000-0x000000007526D000-memory.dmp
  Filesize: 52KB
- memory/4464-26-0x0000000075260000-0x000000007526D000-memory.dmp
  Filesize: 52KB
- memory/4464-32-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB
- memory/4572-13-0x0000000010000000-0x0000000010017000-memory.dmp
  Filesize: 92KB
- memory/4572-25-0x0000000075260000-0x000000007526D000-memory.dmp
  Filesize: 52KB
- memory/4572-17-0x0000000000402000-0x0000000000403000-memory.dmp
  Filesize: 4KB
- memory/4572-18-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB
- memory/4572-11-0x0000000075260000-0x000000007526D000-memory.dmp
  Filesize: 52KB