Analysis Overview
SHA256
bd4911750933a3344cd3f2da725cf0f5fcf8e3f8d3e81202955704df5e24329b
Threat Level: Known bad
The file 0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Metasploit family
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-20 06:02
Signatures
Metasploit family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 06:02
Reported
2024-06-20 06:04
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1972 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1972 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1972 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 276
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 06:02
Reported
2024-06-20 06:04
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4048 -ip 4048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 544
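The WriteProcessMemory rows in behavioral1 record the sample (PID 1972) writing into the WerFault.exe child (PID 1728) that Windows Error Reporting launched for the sample's own crash: WerFault's `-p` argument names the faulting process, and CreateProcess writes a new child's startup parameters into it, so a parent writing into a WerFault.exe that is reporting on that same parent is the crash path, not injection. Behavioral2 shows the same pattern with the Windows 10 `-pss ... -p 4048 -ip 4048` snapshot helper. The script below is an added triage example, not part of the sandbox report; it correlates each WriteProcessMemory row with the target's command line and separates WER-explained writes from unexplained cross-process writes. PIDs and command lines are transcribed from the two runs (the WerFault PID 1728 comes from the signature table); the explorer.exe process and the fifth signature row are constructed counterexamples, and the `PID X wrote to memory of Y` row wording is assumed from this report's format.

```python
"""Classify sandbox WriteProcessMemory events: WER crash reporting vs. a real
cross-process write.

Added example, not part of the sandbox report. PIDs and command lines are
transcribed from the behavioral1/behavioral2 rows; explorer.exe and the last
signature row are constructed counterexamples.
"""
from __future__ import annotations

import ntpath
import re
import shlex
from dataclasses import dataclass
from typing import Optional

WER_IMAGE = "werfault.exe"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")  # assumed row wording


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


def parse_signature_row(row: str) -> MemWrite:
    """Parse the Description cell of a 'Suspicious use of WriteProcessMemory' row."""
    m = ROW_RE.search(row)
    if m is None:
        raise ValueError(f"not a WriteProcessMemory row: {row!r}")
    return MemWrite(int(m.group(1)), int(m.group(2)))


def wer_faulting_pid(cmdline: str) -> Optional[int]:
    """Return the PID a WerFault.exe command line reports on (-p <pid>).

    Both the classic '-u -p <pid> -s <handle>' form and the Windows 10
    '-pss -s <handle> -p <pid> -ip <pid>' snapshot helper carry '-p'.
    Returns None for any command line that is not WerFault.exe.
    """
    args = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes stay literal
    if not args or ntpath.basename(args[0].strip('"')).lower() != WER_IMAGE:
        return None
    for flag, value in zip(args, args[1:]):
        if flag == "-p" and value.isdigit():
            return int(value)
    return None


def classify(write: MemWrite, by_pid: dict[int, Process]) -> str:
    """A write whose target is a WerFault.exe reporting on the writer is the
    crash-reporting path (CreateProcess populating its own child); anything
    else is a cross-process write that deserves a look."""
    target = by_pid.get(write.dst_pid)
    if target is None:
        return "unknown-target"
    if wer_faulting_pid(target.cmdline) == write.src_pid:
        return "wer-crash-report"
    return "cross-process-write"


def triage(rows, processes):
    """Pair every signature row with its verdict."""
    by_pid = {p.pid: p for p in processes}
    return [(w, classify(w, by_pid)) for w in map(parse_signature_row, rows)]


def summarize(results) -> dict[str, int]:
    """Count verdicts so a run can be judged at a glance."""
    counts: dict[str, int] = {}
    for _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# behavioral1: sample PID 1972, WerFault child PID 1728 (from the signature table).
PROCESSES = [
    Process(1972, SAMPLE, f'"{SAMPLE}"'),
    Process(1728, WERFAULT, WERFAULT + " -u -p 1972 -s 276"),
    Process(2500, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # constructed
]
SIGNATURE_ROWS = ["PID 1972 wrote to memory of 1728"] * 4 + [
    "PID 1972 wrote to memory of 2500",  # constructed: a write WER does not explain
]

if __name__ == "__main__":
    for write, verdict in triage(SIGNATURE_ROWS, PROCESSES):
        print(f"{write.src_pid} -> {write.dst_pid}: {verdict}")
    print(summarize(triage(SIGNATURE_ROWS, PROCESSES)))
```

On the report's own rows the four writes all resolve to `wer-crash-report`; only the constructed explorer.exe row comes back as `cross-process-write`, which is the case that would justify pulling the target's memory for a closer look. The check deliberately keys on the `-p` value rather than on the image name alone, so a WerFault.exe launched for some other process would not excuse a write into it.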