Analysis
max time kernel: 141s
max time network: 142s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: 0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
(The signatures, process tree and dumps below are from behavioral1.)
General
Target: 0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
Size: 56KB
MD5: 0492db9a8d2d844d5cfe3cac7c082dce
SHA1: 22d82ce280f0001151838dc3d1b2f8610f8d6405
SHA256: c9392527cebc3bdd8b1242996ecef59d5812b46e4e1f18dd1402a4bb5d86afcc
SHA512: 348be577d0362d97bd3c728261dc8d8e88d87cc7946de255c43c6fc0e7dd7bf1a07271b29d80b31220f239c88aaaf2548e2b4efb362fcef1bfb2f0146c32cebc
SSDEEP: 1536:uIoXVZz1nIOWaaY0QfRL3E4K+FhBn1clMNGVq121EigNkUtkSCg:4ijVoagdN
Malware Config
Extracted family: metasploit
Config: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Executes dropped EXE (2 IoCs)
  pid   process
  2924  csrss.exe
  2264  csrss.exe

UPX (yara rule "upx" matched in behavioral1 memory dumps)
  memory/2456-2, -3, -5, -11, -12, -13, -14, -31: 0x0000000000400000-0x000000000045B000
  memory/2264-50, -51, -52, -55, -58, -61, -64:   0x0000000000400000-0x000000000045B000
  Both matching processes are the hollowed children (see SetThreadContext below); the parents' own images at the same base are not matched.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Data Serivce = "csrss.exe"
  by 0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
  (The value name is misspelled "Serivce" by the sample itself; match on it verbatim. Wow6432Node indicates a 32-bit process on the x64 image.)

Suspicious use of SetThreadContext (2 IoCs)
  PID 2228 (0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe) set thread context of 2456 (0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe)
  PID 2924 (csrss.exe) set thread context of 2264 (csrss.exe)
  Each parent spawns a copy of its own image, writes to it repeatedly (WriteProcessMemory below) and then resets its thread context: the sequence of process hollowing. The memory dumps are consistent with this: the parents' image region at 0x400000 is 80KB, the children's region at the same base is 364KB.

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\csrss.exe  by 0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
  File opened for modification: C:\Windows\csrss.exe  by 0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
  (The legitimate csrss.exe lives in C:\Windows\System32; a csrss.exe directly under C:\Windows is the masquerade.)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs net.exe
  net stop "Security Center" via cmd /c C:\x.bat (see the process tree).

Suspicious use of WriteProcessMemory (32 IoCs, grouped by source/target pair)
  source PID  source process                                       target PID  target process                                       calls
  2228        0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe   2456        0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe   8
  2456        0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe   2732        cmd.exe                                              4
  2456        0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe   2924        csrss.exe                                            4
  2732        cmd.exe                                              2912        net.exe                                              4
  2912        net.exe                                              2756        net1.exe                                             4
  2924        csrss.exe                                            2264        csrss.exe                                            8
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe"
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\x.bat" "
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe
                net stop "Security Center"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Security Center"
        [3] C:\Windows\csrss.exe
            "C:\Windows\csrss.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\csrss.exe
                "C:\Windows\csrss.exe"
                - Executes dropped EXE
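The process tree and the signatures above are the raw material for a detection. The following is an added example for this page, not code from the Triage report or from the sample: it replays the report's events as hand-constructed records (the record schema, field names and helper names are this example's own, not Sysmon's or Triage's) and correlates them into the four behaviours a responder would want flagged: self-hollowing (write into a child running the same image, then SetThreadContext), a core-system binary name running outside System32/SysWOW64, a Run-key value, and net/net1 stopping "Security Center". The ATT&CK IDs in the comments are the standard technique numbers for those behaviours, not taken from the page.

```python
"""Correlate process/memory/registry events into the behaviours this report flags.

Added example for this page, not code from the Triage report or the sample.
The event records are constructed by hand from the PIDs, paths and command
lines shown in the report; the record schema (etype, pid, ppid, image, ...)
is this example's own and is not Sysmon's or Triage's.
"""
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe")
DROPPED = r"C:\Windows\csrss.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CORE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}


def proc(pid, ppid, image, cmdline):
    return {"etype": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


# Constructed from the report: 8 WriteProcessMemory calls then one
# SetThreadContext per parent/child pair, the Run-key value, the file drop,
# and the cmd -> net -> net1 chain that stops "Security Center".
EVENTS = [
    proc(2228, 0, SAMPLE, f'"{SAMPLE}"'),
    proc(2456, 2228, SAMPLE, f'"{SAMPLE}"'),
    *({"etype": "write_memory", "pid": 2228, "target": 2456} for _ in range(8)),
    {"etype": "set_thread_context", "pid": 2228, "target": 2456},
    {"etype": "registry_set", "pid": 2456, "key": RUN_KEY,
     "value": "Windows Data Serivce", "data": "csrss.exe"},
    {"etype": "file_create", "pid": 2456, "path": DROPPED},
    proc(2732, 2456, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""C:\\x.bat" "'),
    proc(2912, 2732, r"C:\Windows\SysWOW64\net.exe", 'net stop "Security Center"'),
    proc(2756, 2912, r"C:\Windows\SysWOW64\net1.exe",
         'C:\\Windows\\system32\\net1 stop "Security Center"'),
    proc(2924, 2456, DROPPED, f'"{DROPPED}"'),
    proc(2264, 2924, DROPPED, f'"{DROPPED}"'),
    *({"etype": "write_memory", "pid": 2924, "target": 2264} for _ in range(8)),
    {"etype": "set_thread_context", "pid": 2924, "target": 2264},
]


def _procs(events):
    return [e for e in events if e["etype"] == "process_create"]


def detect_self_hollowing(events):
    """Parent writes into a child running the same image and then resets the
    child's thread context (T1055.012). Returns (parent, child, image, writes)."""
    image = {e["pid"]: e["image"] for e in _procs(events)}
    parent = {e["pid"]: e["ppid"] for e in _procs(events)}
    writes = Counter((e["pid"], e["target"]) for e in events if e["etype"] == "write_memory")
    ctx = {(e["pid"], e["target"]) for e in events if e["etype"] == "set_thread_context"}
    return sorted((src, dst, image[dst], writes[(src, dst)]) for src, dst in ctx
                  if writes[(src, dst)] and parent.get(dst) == src
                  and image.get(src) == image.get(dst))


def detect_masquerading(events):
    """A core Windows binary name loaded from outside System32/SysWOW64 (T1036.005)."""
    hits = set()
    for e in _procs(events):
        path = e["image"].lower()
        if path.rsplit("\\", 1)[-1] in CORE_NAMES and not path.startswith(SYSTEM_DIRS):
            hits.add(e["image"])
    return sorted(hits)


def detect_run_key_persistence(events):
    """Values written under ...\\CurrentVersion\\Run (T1547.001)."""
    return [(e["value"], e["data"]) for e in events
            if e["etype"] == "registry_set" and e["key"].lower().endswith("\\currentversion\\run")]


def detect_security_center_stop(events):
    """net.exe / net1.exe used to stop the Security Center service (T1562.001)."""
    return sorted((e["pid"], e["cmdline"]) for e in _procs(events)
                  if e["image"].lower().endswith(("\\net.exe", "\\net1.exe"))
                  and "stop" in e["cmdline"].lower()
                  and "security center" in e["cmdline"].lower())


def lineage(events, pid):
    """PIDs from `pid` up to the root, so a net1.exe hit can be tied back to the dropper."""
    parent = {e["pid"]: e["ppid"] for e in _procs(events)}
    chain = []
    while pid in parent:
        chain.append(pid)
        pid = parent[pid]
    return chain


if __name__ == "__main__":
    for name, fn in [("hollowing", detect_self_hollowing), ("masquerade", detect_masquerading),
                     ("run key", detect_run_key_persistence), ("net stop", detect_security_center_stop)]:
        print(f"{name}: {fn(EVENTS)}")
    print("lineage of net1.exe:", lineage(EVENTS, 2756))
```

Run as a script it prints both hollowing pairs (2228 into 2456, 2924 into 2264, eight writes each), C:\Windows\csrss.exe as the masquerade, the misspelled Run-key value, and the two net/net1 commands, with net1.exe traced back through cmd.exe to the hollowed instance 2456 and the dropper 2228. Feed real process-create, memory-write, thread-context and registry events into the same functions after mapping your telemetry's field names onto this schema.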
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\csrss.exe
  Filesize: 56KB
  MD5: 0492db9a8d2d844d5cfe3cac7c082dce
  SHA1: 22d82ce280f0001151838dc3d1b2f8610f8d6405
  SHA256: c9392527cebc3bdd8b1242996ecef59d5812b46e4e1f18dd1402a4bb5d86afcc
  SHA512: 348be577d0362d97bd3c728261dc8d8e88d87cc7946de255c43c6fc0e7dd7bf1a07271b29d80b31220f239c88aaaf2548e2b4efb362fcef1bfb2f0146c32cebc
  (Identical hashes to the submitted sample: the dropper copies itself to C:\Windows\csrss.exe, so one file hash covers both.)

C:\x.bat
  Filesize: 53B
  MD5: e6ed7be2b9572503f07663ca6e53759f
  SHA1: 7ad80bd38f2a27e06c111b551c76ad0a0585c194
  SHA256: b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9
  SHA512: e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227

Memory dumps (behavioral1)
  dump                                                             region                                   filesize
  memory/2228-10-0x0000000000400000-0x0000000000414000-memory.dmp  0x0000000000400000-0x0000000000414000    80KB
  memory/2456-0-0x0000000000400000-0x000000000045B000-memory.dmp   0x0000000000400000-0x000000000045B000    364KB
  memory/2456-2-0x0000000000400000-0x000000000045B000-memory.dmp   0x0000000000400000-0x000000000045B000    364KB
  memory/2456-3-0x0000000000400000-0x000000000045B000-memory.dmp   0x0000000000400000-0x000000000045B000    364KB
  memory/2456-5-0x0000000000400000-0x000000000045B000-memory.dmp   0x0000000000400000-0x000000000045B000    364KB
  memory/2456-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   0x000000007EFDE000-0x000000007EFDF000    4KB
  memory/2456-11-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2456-12-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2456-13-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2456-14-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2456-31-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2924-44-0x0000000000400000-0x0000000000414000-memory.dmp  0x0000000000400000-0x0000000000414000    80KB
  memory/2264-50-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2264-51-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2264-52-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2264-55-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2264-58-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2264-61-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  memory/2264-64-0x0000000000400000-0x000000000045B000-memory.dmp  0x0000000000400000-0x000000000045B000    364KB
  The parents (2228, 2924) map an 80KB image at 0x400000; the children they wrote into (2456, 2264) show a 364KB image at the same base, which is what hollowing with a larger payload looks like. The 364KB dumps are the ones to pull for the unpacked payload.
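The dump names above encode PID, sequence number and address range, which is enough to make the hollowing inference mechanically. The following is an added example for this page, not code from the Triage report: it parses names in that format, groups regions per PID, and flags a child whose region at the same base address is larger than its parent's. The dump names are rebuilt from the report's values by a small helper; the parent/child map is taken from the process tree above; the function names are this example's own.

```python
"""Parse Triage-style memory dump names and compare per-PID image regions.

Added example for this page, not code from the Triage report. The dump
names are reconstructed from the report's PIDs, sequence numbers and
address ranges; the parent map comes from the report's process tree.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def dump_name(pid, seq, start, end):
    """Rebuild a name in the report's format, e.g. memory/2228-10-0x...400000-0x...414000-memory.dmp."""
    return f"memory/{pid}-{seq}-0x{start:016X}-0x{end:016X}-memory.dmp"


# All 19 dumps listed in the Downloads section.
DUMPS = (
    [dump_name(2228, 10, 0x400000, 0x414000)]
    + [dump_name(2264, s, 0x400000, 0x45B000) for s in (50, 51, 52, 55, 58, 61, 64)]
    + [dump_name(2456, s, 0x400000, 0x45B000) for s in (0, 2, 3, 5, 11, 12, 13, 14, 31)]
    + [dump_name(2456, 6, 0x7EFDE000, 0x7EFDF000),
       dump_name(2924, 44, 0x400000, 0x414000)]
)

# From the process tree: hollowed child -> parent that wrote into it.
PARENT_OF = {2456: 2228, 2264: 2924}


def parse_dump(name):
    """Split a dump name into pid, seq, start, end and byte size; reject anything else."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def kib(size):
    """Render a byte count the way the report's Filesize column does (364KB, 80KB, 4KB)."""
    return f"{size // 1024}KB"


def regions_by_pid(names):
    """Distinct (start, end) regions dumped for each PID, ignoring repeated snapshots."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def hollowing_candidates(names, parent_of):
    """(parent, child, parent_size, child_size) where the child's region at the
    parent's image base is larger than the parent's: the parent wrote a bigger
    image over a copy of itself."""
    regions = regions_by_pid(names)
    hits = []
    for child, parent in parent_of.items():
        for cs, ce in regions.get(child, ()):
            for ps, pe in regions.get(parent, ()):
                if cs == ps and (ce - cs) > (pe - ps):
                    hits.append((parent, child, pe - ps, ce - cs))
    return sorted(hits)


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        print(pid, [(hex(s), hex(e), kib(e - s)) for s, e in sorted(regs)])
    for parent, child, psz, csz in hollowing_candidates(DUMPS, PARENT_OF):
        print(f"{parent} -> {child}: image grew from {kib(psz)} to {kib(csz)} at the same base")
```

The 4KB region at 0x7EFDE000 in 2456 is reported but does not share a base with anything in the parent, so it is kept in the per-PID listing and ignored by the comparison; only the 0x400000 regions produce the two hits. The same comparison works on any sandbox or EDR that records image base and size per process, as long as you can supply the parent map.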