Behavioral task
behavioral1
Sample
0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
- Target: 0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118
- Size: 123KB
- MD5: 0374ebf6e04c5de854f80931ab5ef847
- SHA1: 0fa699327017f5c8047343fd61f4b6f7366e59d7
- SHA256: bd4911750933a3344cd3f2da725cf0f5fcf8e3f8d3e81202955704df5e24329b
- SHA512: 709ae788698f8c20246d161ace5d0de090b89320ae0e372f85cca8cbc01b2d0c31e9dfcf78bb108e012a59d2c4aa7a69bbb1482054b5e883d2390555be0d491e
- SSDEEP: 3072:qtty8ZSsyYsiSSzopsS/khwKbNSBYoKJp:qG8ZSsDsiBztHvbYG9p
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
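The extracted config only names the encoder. What that means in practice: the payload in the sample is wrapped by a small x86 decoder stub that locates itself with the fnstenv GetPC trick and XORs the following dwords with a static 4-byte key. The Python below is an added example, not part of this sandbox report and not Metasploit's own code; the stub byte layout it searches for is my recollection of the Metasploit x86/fnstenv_mov decoder and is an assumption (the sample's actual stub was not dumped on this page). It builds an encoded buffer from a constructed dummy payload, then locates the stub, recovers the key and dword count, and strips the encoding.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Decoder stub of the Metasploit x86/fnstenv_mov encoder as I recall it (assumption,
# not taken from this report). Counter first, then the GetPC sequence and the loop:
#   push imm8               6A nn        ; nn = number of 4-byte blocks
#   pop ecx                 59
#   fldz                    D9 EE        ; any FPU instruction records its own address
#   fnstenv [esp-0xC]       D9 74 24 F4  ; saved FPU IP (env offset 12) lands at [esp]
#   pop ebx                 5B           ; ebx = address of fldz
#   xor dword [ebx+0x13], k 81 73 13 kk kk kk kk
#   sub ebx, -4             83 EB FC     ; advance one dword without a NULL byte
#   loop <xor>              E2 F4
# fldz..loop is exactly 0x13 bytes, so the first encoded dword follows the loop.
GETPC_XOR = bytes.fromhex("D9EED97424F45B817313")
TAIL = bytes.fromhex("83EBFCE2F4")
BODY_LEN = 0x13
KEY_AT = len(GETPC_XOR)  # the key immediate sits right after the xor opcode bytes


@dataclass
class StubHit:
    offset: int            # file offset of fldz
    key: int
    count: Optional[int]   # dword count from "push imm8; pop ecx", if present


def encode(payload: bytes, key: int) -> bytes:
    """Build stub + XOR-encoded payload the way the stub expects (constructed demo input)."""
    payload += b"\x90" * ((-len(payload)) % 4)    # pad to whole dwords (assumed NOP padding)
    count = len(payload) // 4
    if not 1 <= count <= 127:
        raise ValueError("push imm8 counter only covers 1..127 dwords")
    body = b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", payload))
    return bytes([0x6A, count, 0x59]) + GETPC_XOR + struct.pack("<I", key) + TAIL + body


def find_stubs(blob: bytes) -> List[StubHit]:
    """Scan a blob (file, memory dump) for the stub and pull out key and block count."""
    hits = []
    i = blob.find(GETPC_XOR)
    while i != -1:
        if blob[i + KEY_AT + 4 : i + BODY_LEN] == TAIL:
            key = struct.unpack_from("<I", blob, i + KEY_AT)[0]
            count = None
            if i >= 3 and blob[i - 3] == 0x6A and blob[i - 1] == 0x59:
                count = blob[i - 2]
            hits.append(StubHit(i, key, count))
        i = blob.find(GETPC_XOR, i + 1)
    return hits


def decode(blob: bytes, hit: StubHit) -> bytes:
    """Replay the xor loop: static key, no feedback, so one pass over the dwords suffices."""
    start = hit.offset + BODY_LEN
    avail = (len(blob) - start) // 4
    n = avail if hit.count is None else min(hit.count, avail)
    chunk = blob[start : start + 4 * n]
    return b"".join(struct.pack("<I", d ^ hit.key) for (d,) in struct.iter_unpack("<I", chunk))


if __name__ == "__main__":
    blob = encode(b"\xcc" * 13, 0xDEADBEEF)       # constructed: int3 sled as the "payload"
    for h in find_stubs(blob):
        print(f"stub at {h.offset:#x} key={h.key:#010x} count={h.count}")
        print(decode(blob, h).hex())
```

Because the key never changes across blocks, the first decoded dword of a known payload family (for example the `FC E8` prologue of common Metasploit Windows stagers) is enough to recover the key even when the stub itself has been tampered with; the scan above only needs the stub to be intact for the fully automatic path.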
Signatures
- Metasploit family
- Unsigned PE (1 IoC): checks for missing Authenticode signature.
  Processes: resource 0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118
Files
-
0374ebf6e04c5de854f80931ab5ef847_JaffaCakes118.exe windows:4 windows x86 arch:x86
470bfb4819df57032ed8bc9363171f3f
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
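Two of the facts above come straight out of the PE headers: the "Unsigned PE" signature is a check that the Security data directory (index 4, the Authenticode certificate table) is empty, and the File Characteristics list is the bit decomposition of the COFF `Characteristics` word. The Python below is an added example, not code from the sandbox or this report; it parses both from a PE32 header and builds a constructed header-only PE (not this sample) to exercise the check. Note the practical consequence of `IMAGE_FILE_RELOCS_STRIPPED`: with no relocations the image cannot be rebased, so it always loads at its preferred base and gets no benefit from ASLR.

```python
import struct

# COFF Characteristics bits (PE/COFF specification).
FILE_CHARACTERISTICS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED",
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED",
    0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0010: "IMAGE_FILE_AGGRESIVE_WS_TRIM",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0080: "IMAGE_FILE_BYTES_REVERSED_LO",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x0200: "IMAGE_FILE_DEBUG_STRIPPED",
    0x0400: "IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP",
    0x0800: "IMAGE_FILE_NET_RUN_FROM_SWAP",
    0x1000: "IMAGE_FILE_SYSTEM",
    0x2000: "IMAGE_FILE_DLL",
    0x4000: "IMAGE_FILE_UP_SYSTEM_ONLY",
    0x8000: "IMAGE_FILE_BYTES_REVERSED_HI",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Decode Characteristics and the Authenticode (Security) directory from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_at, dirs_at = 92, 96        # NumberOfRvaAndSizes, DataDirectory (PE32)
    elif magic == PE32PLUS_MAGIC:
        n_dirs_at, dirs_at = 108, 112      # same fields, PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_at)[0]
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and opt_size >= dirs_at + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        # For the Security directory the first field is a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dirs_at + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "characteristics": chars,
        "flags": [name for bit, name in sorted(FILE_CHARACTERISTICS.items()) if chars & bit],
        "security_dir": (sec_off, sec_size),
        "has_authenticode": sec_size != 0,      # a certificate table is present (not yet verified)
        "can_relocate": not (chars & 0x0001),   # relocs stripped => fixed base, no ASLR benefit
    }


def build_minimal_pe32(characteristics: int, security_size: int = 0) -> bytes:
    """Constructed header-only PE32 for testing; not a real executable and not this sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                        # 96-byte PE32 header + 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_header(build_minimal_pe32(0x010F))   # the five flags listed in this report
    print("\n".join(info["flags"]))
    print("authenticode present:", info["has_authenticode"], "| relocatable:", info["can_relocate"])
```

A non-zero Security directory only says a certificate table exists; it says nothing about whether the signature chains to a trusted root or still matches the file. Treat "unsigned" as a cheap first filter and verify signed samples with a real verifier (WinVerifyTrust on Windows, or osslsigncode elsewhere) before trusting them.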
Imports
kernel32
GetFileSize
GetTempPathA
GetComputerNameA
GetSystemDirectoryA
GetVersionExA
GetDiskFreeSpaceExA
GlobalMemoryStatus
OpenProcess
WriteProcessMemory
GetCurrentProcessId
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
CreateThread
QueryPerformanceFrequency
QueryPerformanceCounter
LoadLibraryA
VirtualProtectEx
FreeLibrary
IsBadReadPtr
TerminateProcess
CreateProcessA
TerminateThread
GetModuleFileNameA
ReadFile
SetFilePointer
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
ReadProcessMemory
GetWindowsDirectoryA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CopyFileA
GetDriveTypeA
GetLogicalDriveStringsA
GlobalUnlock
GlobalLock
LocalFree
DeleteFileA
GetDateFormatA
GetTimeFormatA
OutputDebugStringA
GetStdHandle
SetProcessWorkingSetSize
SetConsoleTextAttribute
CreateMutexA
GetLastError
CreateFileA
CloseHandle
GetModuleHandleA
GetProcAddress
ExitProcess
GetTickCount
GetLocaleInfoA
Sleep
GetCurrentProcess
LoadLibraryExA
user32
CloseClipboard
GetActiveWindow
SetWindowsHookExA
GetMessageA
SetKeyboardState
DispatchMessageA
OpenClipboard
GetClipboardData
UnhookWindowsHookEx
ExitWindowsEx
GetWindowTextA
GetKeyNameTextA
GetKeyboardState
GetKeyboardLayout
ToAsciiEx
CallNextHookEx
MessageBoxA
advapi32
RegSetValueExA
RegisterServiceCtrlHandlerA
SetServiceStatus
GetUserNameA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegQueryValueExA
RegOpenKeyExA
RegEnumValueA
StartServiceCtrlDispatcherA
msvcrt
_onexit
??1type_info@@UAE@XZ
_EH_prolog
__CxxFrameHandler
??3@YAXPAX@Z
sprintf
??2@YAPAXI@Z
_stricmp
sscanf
malloc
fseek
fread
fwrite
printf
fopen
fprintf
_CxxThrowException
free
__dllonexit
strlen
_snprintf
memset
strncpy
strncat
_vsnprintf
memcpy
toupper
islower
rand
srand
atol
system
atoi
strstr
strcmp
strtok
memcmp
fclose
netapi32
NetShareDel
psapi
EnumProcesses
EnumProcessModules
GetModuleBaseNameA
shell32
ShellExecuteA
wininet
InternetGetConnectedStateEx
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
ws2_32
gethostname
gethostbyaddr
inet_addr
getsockname
ntohs
WSAIoctl
bind
WSASocketA
accept
listen
getpeername
inet_ntoa
select
ioctlsocket
htonl
setsockopt
WSACloseEvent
htons
socket
connect
recv
send
WSAStartup
WSACleanup
shutdown
__WSAFDIsSet
closesocket
gethostbyname
oleaut32
GetErrorInfo
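The import table above is the most informative part of this report: the user32 hook chain (`SetWindowsHookExA`, `CallNextHookEx`, `GetKeyboardState`, `ToAsciiEx`, `GetKeyNameTextA`) is the classic keylogger pattern, `OpenProcess`/`WriteProcessMemory`/`VirtualProtectEx` plus Toolhelp and PSAPI enumeration point at process injection or patching, the advapi32 service dispatcher and registry writers suggest persistence, ws2_32 `bind`/`listen`/`accept` a listening backdoor, and `NetShareDel`, `ExitWindowsEx` and `AdjustTokenPrivileges` the destructive and privilege side. The Python below is an added example, not part of the report or the sandbox: a small rule engine that turns an import map into capability tags, run over a subset of the imports transcribed from the listing above. The rule names and groupings are my own choice, not a sandbox taxonomy.

```python
from typing import Dict, List, Set

# Subset of the import table transcribed from this report (only entries a rule below uses).
IMPORTS: Dict[str, List[str]] = {
    "kernel32": ["GetComputerNameA", "GetVersionExA", "GlobalMemoryStatus", "GetDiskFreeSpaceExA",
                 "GetLogicalDriveStringsA", "OpenProcess", "WriteProcessMemory", "VirtualProtectEx",
                 "CreateToolhelp32Snapshot", "CreateProcessA", "TerminateProcess", "GetProcAddress"],
    "user32": ["SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx", "GetKeyboardState",
               "ToAsciiEx", "GetKeyNameTextA", "OpenClipboard", "GetClipboardData", "ExitWindowsEx"],
    "advapi32": ["RegCreateKeyExA", "RegSetValueExA", "StartServiceCtrlDispatcherA",
                 "RegisterServiceCtrlHandlerA", "SetServiceStatus", "GetUserNameA",
                 "OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"],
    "psapi": ["EnumProcesses", "EnumProcessModules", "GetModuleBaseNameA"],
    "netapi32": ["NetShareDel"],
    "shell32": ["ShellExecuteA"],
    "wininet": ["InternetOpenUrlA", "InternetOpenA"],
    "ws2_32": ["bind", "listen", "accept", "connect", "send", "recv"],
    "msvcrt": ["system"],
}

# Each rule: every "all" import must be present; at least "min" (default 1) of "any" must be.
CAPABILITY_RULES = {
    "keylogger":           {"all": {"user32!SetWindowsHookExA", "user32!CallNextHookEx"},
                            "any": {"user32!ToAsciiEx", "user32!GetKeyboardState", "user32!GetKeyNameTextA"}},
    "process_injection":   {"all": {"kernel32!OpenProcess", "kernel32!WriteProcessMemory"},
                            "any": {"kernel32!VirtualProtectEx", "kernel32!CreateToolhelp32Snapshot",
                                    "psapi!EnumProcesses"}},
    "windows_service":     {"all": {"advapi32!StartServiceCtrlDispatcherA",
                                    "advapi32!RegisterServiceCtrlHandlerA", "advapi32!SetServiceStatus"}},
    "registry_write":      {"all": {"advapi32!RegCreateKeyExA", "advapi32!RegSetValueExA"}},
    "token_privileges":    {"all": {"advapi32!OpenProcessToken", "advapi32!LookupPrivilegeValueA",
                                    "advapi32!AdjustTokenPrivileges"}},
    "bind_backdoor":       {"all": {"ws2_32!bind", "ws2_32!listen", "ws2_32!accept"}},
    "outbound_network":    {"any": {"wininet!InternetOpenUrlA", "ws2_32!connect"}},
    "clipboard_capture":   {"all": {"user32!OpenClipboard", "user32!GetClipboardData"}},
    "host_recon":          {"min": 3, "any": {"kernel32!GetComputerNameA", "advapi32!GetUserNameA",
                                              "kernel32!GetVersionExA", "kernel32!GlobalMemoryStatus",
                                              "kernel32!GetDiskFreeSpaceExA",
                                              "kernel32!GetLogicalDriveStringsA"}},
    "share_removal":       {"all": {"netapi32!NetShareDel"}},
    "forced_shutdown":     {"all": {"user32!ExitWindowsEx"}},
    "command_execution":   {"any": {"msvcrt!system", "shell32!ShellExecuteA", "kernel32!CreateProcessA"}},
}


def flatten(imports: Dict[str, List[str]]) -> Set[str]:
    """Normalise to 'dll!Function' (lower-case DLL) so rules are case-insensitive on the module."""
    return {f"{dll.lower()}!{fn}" for dll, fns in imports.items() for fn in fns}


def match_capabilities(imports: Dict[str, List[str]], rules=CAPABILITY_RULES) -> Dict[str, List[str]]:
    """Return {capability: [imports that triggered it]} for every rule satisfied by the import map."""
    have = flatten(imports)
    found = {}
    for name, rule in rules.items():
        need_all = rule.get("all", set())
        if not need_all <= have:
            continue
        any_set = rule.get("any", set())
        hits = any_set & have
        if any_set and len(hits) < rule.get("min", 1):
            continue
        found[name] = sorted(need_all | hits)
    return found


if __name__ == "__main__":
    for cap, evidence in match_capabilities(IMPORTS).items():
        print(f"{cap:20s} <- {', '.join(evidence)}")
```

Treat the output as triage hints, not verdicts: `CreateProcessA` or `RegSetValueExA` appear in plenty of benign software, and a sample that imports `GetProcAddress` and `LoadLibraryA` (as this one does) can resolve anything else at runtime, so a quiet import table never rules a capability out. The rules are most useful for the strong clusters, such as the complete hook chain or bind/listen/accept, which rarely occur together by accident.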
Sections
.data Size: 114KB - Virtual size: 113KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.CRT Size: 512B - Virtual size: 4B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 7KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ