Analysis

  • max time kernel
    137s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 08:49

General

  • Target

    0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe

  • Size

    266KB

  • MD5

    0478bbd07527cc07911a77377a09cdac

  • SHA1

    c6205bbc0f7c653109caaf88736e5b824111a4e7

  • SHA256

    4c145cbe75b48f1dee957d833654be2e2519ec52a78c39e298d153557c2a8eb8

  • SHA512

    034e3331b25b8f810c0bd4918e121c71cc9d8372095e1b96fbbb5b296f4614e9118faa0dff73d9f729e1f88fbd7bfd78f2da729b50905b86feaf83b40ede0998

  • SSDEEP

    6144:6mJQXShdasuHrrmv6c35rGfa5YZ+HTk/i6Dyp0QQApWJ:64QiTG05rGS5YZiTq+1Q5J

Malware Config

Extracted

  • Family
    metasploit
  • Version
    encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool. The extracted config names an encoder rather than a C2 address: x86/fnstenv_mov is Metasploit's "Variable-length Fnstenv/mov Dword XOR Encoder", so what was identified is the decoder stub the encoder prepends, which XORs the real payload with a 4-byte key at run time. The payload itself is only visible after that decoding step.

  • Modifies security service (2 TTPs, 20 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Loads dropped DLL (22 IoCs)
  • Drops file in System32 directory (22 IoCs)
  • Runs .reg file with regedit (10 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
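What the encoder name in the config means in practice, as an added example that is not part of the sandbox report and not Metasploit's own source: a "fnstenv/mov dword XOR" decoder gets its own address through the fnstenv instruction (no call/pop, so no hard-coded address), then walks the following body one dword at a time XORing it with a fixed key. The block below encodes a constructed stand-in payload that way, scans a blob for the fnstenv GetPC idiom as a static triage signature, and statically recovers the body by parsing count and key out of the stub. The stub layout used here (push count; pop ecx; fldz; fnstenv [esp-0xc]; pop ebx; xor dword [ebx+0x13], key; sub ebx, -4; loop) is an assumption modelled on the published decoder structure, and the exact bytes emitted by a current msfvenom may differ; the seven-byte fldz/fnstenv/pop ebx sequence is the part worth matching on.

```python
import struct

# fnstenv-based GetPC sequence: fldz; fnstenv [esp-0xc]; pop ebx. fnstenv writes
# the 28-byte FPU environment so that its FIP field (at offset 0xc) lands at [esp];
# FIP is the address of the last FPU instruction executed, i.e. the fldz itself.
FNSTENV_GETPC = bytes.fromhex("d9ee" "d97424f4" "5b")

STUB_LEN = 22      # assumed stub size: the encoded body starts at this offset
BODY_DISP = 0x13   # displacement in "xor dword [ebx+0x13]"; ebx = stub+3, 3+0x13 = 22


def xor_dword_encode(data: bytes, key: int) -> bytes:
    """XOR each little-endian dword with key; pads to a dword boundary with NOPs."""
    if len(data) % 4:
        data += b"\x90" * (4 - len(data) % 4)
    return b"".join(struct.pack("<I", dw ^ key) for (dw,) in struct.iter_unpack("<I", data))


def build_stub(ndwords: int, key: int) -> bytes:
    """Illustrative fnstenv/mov-style decoder stub (assumed layout, see lead-in)."""
    if not 0 < ndwords < 0x80:
        raise ValueError("push imm8 is sign-extended; keep the dword count below 0x80")
    return (b"\x6a" + bytes([ndwords])            # push  ndwords
            + b"\x59"                              # pop   ecx   (loop counter)
            + FNSTENV_GETPC                        # ebx = address of fldz (stub+3)
            + b"\x81\x73" + bytes([BODY_DISP])     # xor   dword [ebx+0x13], imm32
            + struct.pack("<I", key)
            + b"\x83\xeb\xfc"                      # sub   ebx, -4  (advance one dword)
            + b"\xe2\xf4")                         # loop  back to the xor


def encode(payload: bytes, key: int) -> bytes:
    """Stub followed by the XORed body, the way an encoder lays it out."""
    body = xor_dword_encode(payload, key)
    return build_stub(len(body) // 4, key) + body


def find_getpc(blob: bytes) -> list:
    """Offsets of the fnstenv GetPC idiom: a cheap static triage signature."""
    return [i for i in range(len(blob)) if blob.startswith(FNSTENV_GETPC, i)]


def emulate_decoder(blob: bytes) -> bytes:
    """Recover the plaintext body without running it: read count and key from the stub."""
    if blob[0] != 0x6A or blob[2] != 0x59 or blob[3:10] != FNSTENV_GETPC:
        raise ValueError("stub does not match the modelled layout")
    if blob[10:13] != b"\x81\x73" + bytes([BODY_DISP]):
        raise ValueError("expected xor dword [ebx+disp8], imm32 at offset 10")
    count = blob[1]
    (key,) = struct.unpack_from("<I", blob, 13)
    body = blob[STUB_LEN:STUB_LEN + 4 * count]
    if len(body) != 4 * count:
        raise ValueError("truncated body")
    return xor_dword_encode(body, key)   # XOR with the same key is its own inverse


if __name__ == "__main__":
    sample = b"\x31\xc0\x50\x68calc"    # constructed stand-in for a payload, not real shellcode
    blob = encode(sample, 0xDEADBEEF)
    print(blob.hex(), find_getpc(blob), emulate_decoder(blob))
```

Because the key sits in the stub as an immediate, a static decode is enough once the stub is recognised; the sandbox's config extractor does the same job and reports the encoder name. When the GetPC sequence matches but the bytes around it do not, treat the layout assumption as failed rather than trusting the recovered body.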

Processes

  • C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\Temp\25565.exe
      C:\Windows\Temp\25565.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:2552
      • C:\Windows\SysWOW64\zonealarm.exe
        C:\Windows\system32\zonealarm.exe 504 "C:\Windows\Temp\25565.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
            PID:2380
          • C:\Windows\SysWOW64\zonealarm.exe
            C:\Windows\system32\zonealarm.exe 536 "C:\Windows\SysWOW64\zonealarm.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1556
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                6⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:2344
            • C:\Windows\SysWOW64\zonealarm.exe
              C:\Windows\system32\zonealarm.exe 540 "C:\Windows\SysWOW64\zonealarm.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1352
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1276
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  7⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:2704
              • C:\Windows\SysWOW64\zonealarm.exe
                C:\Windows\system32\zonealarm.exe 544 "C:\Windows\SysWOW64\zonealarm.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2516
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2488
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    8⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:3036
                • C:\Windows\SysWOW64\zonealarm.exe
                  C:\Windows\system32\zonealarm.exe 548 "C:\Windows\SysWOW64\zonealarm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2084
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    8⤵
                      PID:2080
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        9⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:1972
                    • C:\Windows\SysWOW64\zonealarm.exe
                      C:\Windows\system32\zonealarm.exe 552 "C:\Windows\SysWOW64\zonealarm.exe"
                      8⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      PID:3028
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        9⤵
                          PID:2852
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            10⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:2732
                        • C:\Windows\SysWOW64\zonealarm.exe
                          C:\Windows\system32\zonealarm.exe 556 "C:\Windows\SysWOW64\zonealarm.exe"
                          9⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          PID:1928
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c c:\a.bat
                            10⤵
                              PID:2828
                              • C:\Windows\SysWOW64\regedit.exe
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                11⤵
                                • Modifies security service
                                • Runs .reg file with regedit
                                PID:580
                            • C:\Windows\SysWOW64\zonealarm.exe
                              C:\Windows\system32\zonealarm.exe 532 "C:\Windows\SysWOW64\zonealarm.exe"
                              10⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              PID:1248
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c c:\a.bat
                                11⤵
                                  PID:2304
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    12⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:1800
                                • C:\Windows\SysWOW64\zonealarm.exe
                                  C:\Windows\system32\zonealarm.exe 564 "C:\Windows\SysWOW64\zonealarm.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  PID:2232
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c c:\a.bat
                                    12⤵
                                      PID:2760
                                      • C:\Windows\SysWOW64\regedit.exe
                                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                        13⤵
                                        • Modifies security service
                                        • Runs .reg file with regedit
                                        PID:868
                                    • C:\Windows\SysWOW64\zonealarm.exe
                                      C:\Windows\system32\zonealarm.exe 528 "C:\Windows\SysWOW64\zonealarm.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      PID:2292
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c c:\a.bat
                                        13⤵
                                          PID:2044
                                          • C:\Windows\SysWOW64\regedit.exe
                                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                            14⤵
                                            • Modifies security service
                                            • Runs .reg file with regedit
                                            PID:1508

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    T1543 Create or Modify System Process (1)
    T1543.003 Windows Service (1)
  • Privilege Escalation
    T1543 Create or Modify System Process (1)
    T1543.003 Windows Service (1)
  • Defense Evasion
    T1112 Modify Registry (1)

Downloads

The same path C:\Users\Admin\AppData\Local\Temp\1.reg appears ten times below with different sizes and hashes: the file is written ten times with differing content, once per regedit /S import in the process tree above, so none of these hashes is a stable indicator for it. The path and the cmd.exe to regedit /S parent-child pair are. 25565.exe and a.bat each appear once.

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 384B
    MD5: c93c561465db53bf9a99759de9d25f07
    SHA1: 5386934828e2c2589bfe394ac1f03ffbfba93bfa
    SHA256: 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851
    SHA512: bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 9e5db93bd3302c217b15561d8f1e299d
    SHA1: 95a5579b336d16213909beda75589fd0a2091f30
    SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
    SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1011B
    MD5: 5088b4be1b90717121e76c1fc33c033a
    SHA1: 090676b012c30e6b0d6493ca1e9a31f3093cad6f
    SHA256: d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a
    SHA512: 0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 584f47a0068747b3295751a0d591f4ee
    SHA1: 7886a90e507c56d3a6105ecdfd9ff77939afa56f
    SHA256: 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
    SHA512: ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 298B
    MD5: 4117e5a9c995bab9cd3bce3fc2b99a46
    SHA1: 80144ccbad81c2efb1df64e13d3d5f59ca4486da
    SHA256: 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
    SHA512: bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: f31b2aa720a1c523c1e36a40ef21ee0d
    SHA1: 9c8089896c55e6e6a9cca99b1b98c544723d314e
    SHA256: cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716
    SHA512: a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 849B
    MD5: 558ce6da965ba1758d112b22e15aa5a2
    SHA1: a365542609e4d1dc46be62928b08612fcabe2ede
    SHA256: c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
    SHA512: 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 47985593a44ee38c64665b04cbd4b84c
    SHA1: 84900c2b2e116a7b744730733f63f2a38b4eb76e
    SHA256: 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70
    SHA512: abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: ffbb389d817acf25cc38799c239d512c
    SHA1: 8b4854ed9e257c3da9ec11d0f145805c6ae6193f
    SHA256: f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39
    SHA512: 382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: bf7ee07851e04b2a0dbe554db62dc3aa
    SHA1: cad155b66053cd7ce2b969a0eb20a8f4812b1f46
    SHA256: 13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9
    SHA512: 9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

  • C:\Windows\Temp\25565.exe
    Filesize: 250KB
    MD5: dd18a6628a119b8695cef08da6c10b48
    SHA1: d1f6c322aede47f1b13bdaef4a89ba4e477ef0fc
    SHA256: cac97e2a05108c09b0387b6ce6ee5e4824a898e76aea6ae3535500eabe3bfe09
    SHA512: fa191bb38c2de3cbc17670e1ead306a4aa1eecc015444509283c858465cf6ed8fdac39620ac8c32bfaf1878a13f3475db57e86644beb4920e2227cb2622e8f23

  • C:\a.bat
    Filesize: 5KB
    MD5: 0019a0451cc6b9659762c3e274bc04fb
    SHA1: 5259e256cc0908f2846e532161b989f1295f479b
    SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
    SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904