Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 07:30

General

  • Target: 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
  • Size: 115KB
  • MD5: 040b4afe44ae7bb9ebe08445c2bed93a
  • SHA1: 9e4ed8f203c42ee51432b61c45b8d53eb939c2b0
  • SHA256: 1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
  • SHA512: a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205
  • SSDEEP: 1536:+qoBQ+Utg3KQ0wxuWz00gzbqOMxpYb2f1AE39/UIf0E1+AQcyQ7u29qkbGNkjbQ2:+q6cmxu9QYgptQE1z9RykjbnKVn5+

Malware Config

Extracted

  • Family: metasploit
  • Version: encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies security service (2 TTPs, 20 IoCs)
  • Executes dropped EXE (10 IoCs)
  • Drops file in System32 directory (22 IoCs)
  • Runs .reg file with regedit (10 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • Runs .reg file with regedit
        PID:2212
    • C:\Windows\SysWOW64\windeft.exe
      C:\Windows\system32\windeft.exe 1048 "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
          PID:2700
        • C:\Windows\SysWOW64\windeft.exe
          C:\Windows\system32\windeft.exe 1172 "C:\Windows\SysWOW64\windeft.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              5⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:4864
          • C:\Windows\SysWOW64\windeft.exe
            C:\Windows\system32\windeft.exe 1140 "C:\Windows\SysWOW64\windeft.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\a.bat
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4440
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                6⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:3312
            • C:\Windows\SysWOW64\windeft.exe
              C:\Windows\system32\windeft.exe 1148 "C:\Windows\SysWOW64\windeft.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2916
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4320
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  7⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:556
              • C:\Windows\SysWOW64\windeft.exe
                C:\Windows\system32\windeft.exe 1144 "C:\Windows\SysWOW64\windeft.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:1264
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4128
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    8⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:3312
                • C:\Windows\SysWOW64\windeft.exe
                  C:\Windows\system32\windeft.exe 1152 "C:\Windows\SysWOW64\windeft.exe"
                  7⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2352
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1508
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      9⤵
                      • Modifies security service
                      • Runs .reg file with regedit
                      PID:4736
                  • C:\Windows\SysWOW64\windeft.exe
                    C:\Windows\system32\windeft.exe 1156 "C:\Windows\SysWOW64\windeft.exe"
                    8⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:1100
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c c:\a.bat
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2984
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        10⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:5068
                    • C:\Windows\SysWOW64\windeft.exe
                      C:\Windows\system32\windeft.exe 1164 "C:\Windows\SysWOW64\windeft.exe"
                      9⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:2896
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        10⤵
                          PID:1188
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            11⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:2824
                        • C:\Windows\SysWOW64\windeft.exe
                          C:\Windows\system32\windeft.exe 1168 "C:\Windows\SysWOW64\windeft.exe"
                          10⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:1072
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c c:\a.bat
                            11⤵
                              PID:2212
                              • C:\Windows\SysWOW64\regedit.exe
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                12⤵
                                • Modifies security service
                                • Runs .reg file with regedit
                                PID:4320
                            • C:\Windows\SysWOW64\windeft.exe
                              C:\Windows\system32\windeft.exe 1160 "C:\Windows\SysWOW64\windeft.exe"
                              11⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              PID:3792
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c c:\a.bat
                                12⤵
                                  PID:436
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    13⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:2984

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Defense Evasion
    • Modify Registry (T1112): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 872656500ddac1ddd91d10aba3a8df96
    SHA1: ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
    SHA256: d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
    SHA512: e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 5e073629d751540b3512a229a7c56baf
    SHA1: 8d384f06bf3fe00d178514990ae39fc54d4e3941
    SHA256: 2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e
    SHA512: 84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 9e5db93bd3302c217b15561d8f1e299d
    SHA1: 95a5579b336d16213909beda75589fd0a2091f30
    SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
    SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 2b307765b7465ef5e4935f0ed7307c01
    SHA1: c46a1947f8b2785114891f7905f663d9ae517f1b
    SHA256: a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85
    SHA512: fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: 5da7efcc8d0fcdf2bad7890c3f8a27ca
    SHA1: 681788d5a3044eee8426d431bd786375cd32bf13
    SHA256: 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
    SHA512: 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 431B
    MD5: 9fa547ff360b09f7e093593af0b5a13b
    SHA1: 9debc99bb7450f59a7b09f16c0393e5c7a955ba4
    SHA256: 7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705
    SHA512: 30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 5002319f56002f8d7ceacecf8672ce25
    SHA1: 3b26b6801be4768cc7582e29bc93facdf2a74be3
    SHA256: f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c
    SHA512: 8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: c1e5f93e2bee9ca33872764d8889de23
    SHA1: 167f65adfc34a0e47cb7de92cc5958ee8905796a
    SHA256: 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
    SHA512: 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 784B
    MD5: 5a466127fedf6dbcd99adc917bd74581
    SHA1: a2e60b101c8789b59360d95a64ec07d0723c4d38
    SHA256: 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
    SHA512: 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 908860a865f8ed2e14085e35256578dd
    SHA1: 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
    SHA256: d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
    SHA512: a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 748bce4dacebbbd388af154a1df22078
    SHA1: 0eeeb108678f819cd437d53b927feedf36aabc64
    SHA256: 1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
    SHA512: d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 849B
    MD5: 558ce6da965ba1758d112b22e15aa5a2
    SHA1: a365542609e4d1dc46be62928b08612fcabe2ede
    SHA256: c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
    SHA512: 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: a57e37dfb6f88b2d04424936ed0b4afb
    SHA1: 35e2f81486b8420b88b7693ad3e92f846367cb12
    SHA256: 411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
    SHA512: 41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: c8441ec8a2edf9b2f4f631fe930ea4d9
    SHA1: 2855ee21116b427d280fcaa2471c9bd3d2957f6f
    SHA256: dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184
    SHA512: b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

  • C:\Windows\SysWOW64\windeft.exe
    Filesize: 115KB
    MD5: 040b4afe44ae7bb9ebe08445c2bed93a
    SHA1: 9e4ed8f203c42ee51432b61c45b8d53eb939c2b0
    SHA256: 1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
    SHA512: a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205

  • \??\c:\a.bat
    Filesize: 5KB
    MD5: 0019a0451cc6b9659762c3e274bc04fb
    SHA1: 5259e256cc0908f2846e532161b989f1295f479b
    SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
    SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
