Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 09:05

General

  • Target

    0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe

  • Size

    56KB

  • MD5

    0492db9a8d2d844d5cfe3cac7c082dce

  • SHA1

    22d82ce280f0001151838dc3d1b2f8610f8d6405

  • SHA256

    c9392527cebc3bdd8b1242996ecef59d5812b46e4e1f18dd1402a4bb5d86afcc

  • SHA512

    348be577d0362d97bd3c728261dc8d8e88d87cc7946de255c43c6fc0e7dd7bf1a07271b29d80b31220f239c88aaaf2548e2b4efb362fcef1bfb2f0146c32cebc

  • SSDEEP

    1536:uIoXVZz1nIOWaaY0QfRL3E4K+FhBn1clMNGVq121EigNkUtkSCg:4ijVoagdN

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0492db9a8d2d844d5cfe3cac7c082dce_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\x.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\SysWOW64\net.exe
          net stop "Security Center"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
              PID:2756
        • C:\Windows\csrss.exe
          "C:\Windows\csrss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\csrss.exe
            "C:\Windows\csrss.exe"
            4⤵
            • Executes dropped EXE
            PID:2264

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\csrss.exe
      Filesize

      56KB

      MD5

      0492db9a8d2d844d5cfe3cac7c082dce

      SHA1

      22d82ce280f0001151838dc3d1b2f8610f8d6405

      SHA256

      c9392527cebc3bdd8b1242996ecef59d5812b46e4e1f18dd1402a4bb5d86afcc

      SHA512

      348be577d0362d97bd3c728261dc8d8e88d87cc7946de255c43c6fc0e7dd7bf1a07271b29d80b31220f239c88aaaf2548e2b4efb362fcef1bfb2f0146c32cebc

    • C:\x.bat
      Filesize

      53B

      MD5

      e6ed7be2b9572503f07663ca6e53759f

      SHA1

      7ad80bd38f2a27e06c111b551c76ad0a0585c194

      SHA256

      b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9

      SHA512

      e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227

    • memory/2228-10-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

    • memory/2264-51-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2264-50-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2264-64-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2264-61-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2264-58-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2264-55-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2264-52-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-5-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-13-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-31-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-14-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-11-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-0-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-3-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/2456-12-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2456-2-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/2924-44-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB