Analysis
max time kernel: 140s
max time network: 47s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 09:00
Static task: static1
Behavioral task: behavioral1
  Sample: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
Size: 200KB
MD5: 0489ae244839c04f3b730e7a3db135ef
SHA1: 66f54b5ec27a2623a3674e4391d5b3aee286db0c
SHA256: b8796b91c089d9487a2969ff3675cfed0565820bfe1fd20e529c2c474e0b550d
SHA512: c6a929a33dbc1909492a6e1c88b39ade1750a67da9fe5c05884788123854249e2303a2be9469d454fc2910be608e0114879a9ab881549769245e64e9e7ee3537
SSDEEP: 3072:hysVrUWgthnnnnnDY1GFIkgs7sH2g1Uj4q11FcffKv4iNuMSGFkpOe:/z2bosFj2fyv4nMSl
Malware Config
Extracted
  family: metasploit
  encoder: encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
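The extracted config names the call4_dword_xor encoder. Its decoder stub uses a `call $+4` only to locate the encoded buffer; the body itself is XORed dword by dword with one static 32-bit key, which is why a known-plaintext crib is enough to recover the key and strip the encoding without running anything. The following is an added example, not part of this report or of Metasploit: the encoded blob is constructed here from a short block_api-style prologue, and the crib (`cld; call api_call; pushad; mov ebp,esp; xor eax,eax`, the opening of msfvenom's windows/x86 payloads) is an assumption about the payload family, not something the report states.

```python
"""Known-plaintext recovery of a static dword-XOR key (call4_dword_xor style).

Added example, not part of the sandbox report or of Metasploit. ENCODED is CONSTRUCTED
from a short block_api-style prologue; the crib is an assumption about the payload family.
"""
import struct
from typing import Optional

# Crib: opening bytes of msfvenom windows/x86 payloads built on block_api. The rel32 of
# the first call differs between Metasploit versions, so several offsets are tried.
CRIB_CALL_OFFSETS = (0x82, 0x89, 0x8F)
CRIB_AFTER_CALL = b"\x60\x89\xe5\x31\xc0"   # pushad; mov ebp,esp; xor eax,eax


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of `data` with the static 32-bit `key`."""
    if len(data) % 4:
        raise ValueError("encoded body must be a whole number of dwords")
    out = bytearray()
    for (dw,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", dw ^ key)
    return bytes(out)


def encode(payload: bytes, key: int, pad: bytes = b"\x90") -> bytes:
    """Pad to a dword boundary (NOP padding is this example's choice) and XOR-encode."""
    payload += pad * ((-len(payload)) % 4)
    return xor_dwords(payload, key)


def recover_key(encoded: bytes) -> Optional[int]:
    """Derive the key from the first encoded dword and the crib, then confirm it on the
    following bytes; None if no crib variant yields a plausible prologue."""
    if len(encoded) < 12 or len(encoded) % 4:
        return None
    (enc0,) = struct.unpack_from("<I", encoded, 0)
    for off in CRIB_CALL_OFFSETS:
        crib0 = struct.unpack("<I", b"\xfc\xe8" + struct.pack("<H", off))[0]
        key = enc0 ^ crib0
        dec = xor_dwords(encoded[:12], key)
        # bytes 4..5 are the high half of the rel32 (zero for a short forward call)
        if dec[4:6] == b"\x00\x00" and dec[6:11] == CRIB_AFTER_CALL:
            return key
    return None


# Constructed stand-in for the sample's encoded body (the report does not carry it).
SAMPLE_KEY = 0x1D3C5A7E
PLAIN = (b"\xfc\xe8\x82\x00\x00\x00"                                    # cld; call api_call
         b"\x60\x89\xe5\x31\xc0"                                        # pushad; mov ebp,esp; xor eax,eax
         b"\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f")   # start of the PEB walk
ENCODED = encode(PLAIN, SAMPLE_KEY)


def decode_sample() -> bytes:
    """Recover the key and decode; returns the plaintext body (padding included)."""
    key = recover_key(ENCODED)
    if key is None:
        raise ValueError("crib did not match: not a static-key dword XOR, or a different prologue")
    return xor_dwords(ENCODED, key)


if __name__ == "__main__":
    print(f"recovered key 0x{recover_key(ENCODED):08x}, body starts {decode_sample()[:6].hex()}")
```

If the crib does not match, the body is either a different payload family or was passed through a feedback encoder (shikata_ga_nai-style), where the key changes per dword and this single-key approach does not apply.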
Modifies firewall policy service (3 TTPs, 8 IoCs)
Processes: igfxcn86.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | igfxcn86.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcn86.exe = "C:\\Windows\\SysWOW64\\igfxcn86.exe:*:Enabled:Intel Network Service" | igfxcn86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | igfxcn86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | igfxcn86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | igfxcn86.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcn86.exe = "C:\\Windows\\SysWOW64\\igfxcn86.exe:*:Enabled:Intel Network Service" | igfxcn86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | igfxcn86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | igfxcn86.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
Deletes itself (1 IoC)
pid | process
4996 | igfxcn86.exe
Executes dropped EXE (2 IoCs)
pid | process
2928 | igfxcn86.exe
4996 | igfxcn86.exe
YARA rule matches
resource | yara_rule
behavioral2/memory/4912-0-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4912-2-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4912-4-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4912-3-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4996-40-0x0000000000400000-0x0000000000437000-memory.dmp | upx
behavioral2/memory/4996-44-0x0000000000400000-0x0000000000437000-memory.dmp | upx
behavioral2/memory/4912-45-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4996-47-0x0000000000400000-0x000000000044B000-memory.dmp | upx
behavioral2/memory/4996-48-0x0000000000400000-0x000000000044B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: igfxcn86.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Network Service = "C:\\Windows\\SysWOW64\\igfxcn86.exe" | igfxcn86.exe
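The firewall and Run-key rows above belong together: the dropped copy allow-lists its own path for every remote address ("*") under the display name "Intel Network Service" and persists under the same name. The AuthorizedApplications\List value uses the pre-Vista firewall entry format, `path:scope:Enabled|Disabled:display name`; current Windows versions keep their effective rules under FirewallPolicy\FirewallRules, so treat this entry as a statement of intent and a strong IoC rather than proof that traffic was actually permitted. The script below is an added example, not part of this report: it parses these "Set value" rows in the report's own format (EVENTS is constructed from the two tables), decodes the legacy entry and relates it to the Run key.

```python
"""Triage of the report's registry 'Set value' events: decode legacy Windows Firewall
AuthorizedApplications entries ("path:scope:Enabled|Disabled:display name") and Run
keys, and relate the two. Added example, not part of the sandbox report; EVENTS is
CONSTRUCTED from the report's rows, one event per line."""
import re
from typing import Dict, List, Optional

EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcn86.exe = "C:\\Windows\\SysWOW64\\igfxcn86.exe:*:Enabled:Intel Network Service" igfxcn86.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcn86.exe = "C:\\Windows\\SysWOW64\\igfxcn86.exe:*:Enabled:Intel Network Service" igfxcn86.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Network Service = "C:\\Windows\\SysWOW64\\igfxcn86.exe" igfxcn86.exe',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile igfxcn86.exe',
]

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?) = "(?P<value>.*)" (?P<process>\S+)$')
AUTH_APPS = "\\AuthorizedApplications\\List\\"
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def parse_set_value(line: str) -> Optional[dict]:
    """Split one 'Set value' row into key, un-escaped value and writing process."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None   # key-creation and other rows carry no value
    return {"type": m["type"], "key": m["key"],
            "value": m["value"].replace("\\\\", "\\"), "process": m["process"]}


def decode_authorized_app(value: str) -> dict:
    """Legacy firewall entry; the path itself contains ':', so split from the right."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an AuthorizedApplications entry: {value!r}")
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state == "Enabled", "name": name}


def triage(lines: List[str]) -> dict:
    firewall: List[dict] = []
    run_keys: Dict[str, str] = {}
    self_authorized = set()
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            continue
        key = ev["key"]
        if "\\FirewallPolicy\\" in key and AUTH_APPS in key:
            entry = decode_authorized_app(ev["value"])
            entry["profile"] = key.split("\\FirewallPolicy\\", 1)[1].split("\\", 1)[0]
            entry["process"] = ev["process"]
            firewall.append(entry)
            # a process allow-listing its own image for every remote address
            if entry["enabled"] and entry["scope"] == "*" and \
                    entry["path"].lower().endswith("\\" + ev["process"].lower()):
                self_authorized.add(ev["process"])
        elif RUN_KEY in key:
            run_keys[key.rsplit("\\", 1)[1]] = ev["value"]
    allowed = {e["path"].lower() for e in firewall if e["enabled"]}
    return {
        "firewall_allow": firewall,
        "run_keys": run_keys,
        "self_authorized": sorted(self_authorized),
        # persistence entries whose target is also firewall-allowed
        "persisted_and_allowed": sorted(v for v in run_keys.values() if v.lower() in allowed),
    }


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(k, v)
```

On a live host the same two locations are the ones to check, with the process name rather than a display name as the thing to trust: a Run value and a firewall exception that both point at a freshly created binary in SysWOW64 is the combination to look for.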
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe, igfxcn86.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxcn86.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxcn86.exe
Drops file in System32 directory (4 IoCs)
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe, igfxcn86.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\igfxcn86.exe | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\igfxcn86.exe | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxcn86.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe, igfxcn86.exe
description | pid | process | target process
PID 2972 set thread context of 4912 | 2972 | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
PID 2928 set thread context of 4996 | 2928 | igfxcn86.exe | igfxcn86.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe, igfxcn86.exe
pid | process | events
4912 | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe | 4
4996 | igfxcn86.exe | 4
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe, igfxcn86.exe
description | pid | process | target process | events
PID 2972 wrote to memory of 4912 | 2972 | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe | 7
PID 4912 wrote to memory of 2928 | 4912 | 0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe | igfxcn86.exe | 3
PID 2928 wrote to memory of 4996 | 2928 | igfxcn86.exe | igfxcn86.exe | 7
PID 4996 wrote to memory of 3540 | 4996 | igfxcn86.exe | Explorer.EXE | 2
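Read together, the SetThreadContext and WriteProcessMemory tables describe a two-stage chain: the submitted sample (2972) writes into and then sets the thread context of a child running its own image (4912); that child drops and starts igfxcn86.exe (2928), which repeats the same write-then-SetThreadContext step on its own child (4996); finally 4996 writes into Explorer.EXE (3540) without a matching SetThreadContext row. Writing into a freshly spawned copy of oneself and then redirecting its thread is the usual shape of process hollowing; the report does not say so explicitly, and the label below is that reading, not the report's. The script is an added example, not part of the report: EVENTS is constructed from the two tables (same wording, one line per row) and the PIDs and image names are the report's.

```python
"""Reconstruct the injection chain from the report's SetThreadContext and
WriteProcessMemory rows. Added example, not part of the sandbox report. EVENTS is
CONSTRUCTED from the two signature tables; the 'hollowing' label for write +
SetThreadContext into a child of the same image is this example's reading."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = "0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe"
DROPPED = "igfxcn86.exe"

EVENTS = (
    [f"PID 2972 set thread context of 4912 2972 {SAMPLE} {SAMPLE}",
     f"PID 2928 set thread context of 4996 2928 {DROPPED} {DROPPED}"]
    + [f"PID 2972 wrote to memory of 4912 2972 {SAMPLE} {SAMPLE}"] * 7
    + [f"PID 4912 wrote to memory of 2928 4912 {SAMPLE} {DROPPED}"] * 3
    + [f"PID 2928 wrote to memory of 4996 2928 {DROPPED} {DROPPED}"] * 7
    + [f"PID 4996 wrote to memory of 3540 4996 {DROPPED} Explorer.EXE"] * 2
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$")


def parse_rows(lines: List[str]):
    """Return (write counts per (src, dst), set of SetThreadContext edges, pid -> image)."""
    writes: Counter = Counter()
    ctx: set = set()
    images: Dict[int, str] = {}
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_image"], m["dst_image"]
        if m["action"] == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, images


def hollowing_candidates(lines: List[str]) -> List[dict]:
    """Parent writes into, then sets the thread context of, a child with its own image."""
    writes, ctx, images = parse_rows(lines)
    out = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] and images[src].lower() == images[dst].lower():
            out.append({"parent": src, "child": dst, "image": images[src],
                        "writes": writes[(src, dst)]})
    return out


def foreign_image_writes(lines: List[str]) -> List[dict]:
    """Writes into a process running a different image: drop-and-launch or injection."""
    writes, ctx, images = parse_rows(lines)
    return [{"src": s, "dst": d, "target_image": images[d], "writes": n,
             "thread_context_set": (s, d) in ctx}
            for (s, d), n in sorted(writes.items())
            if images[s].lower() != images[d].lower()]


def injection_chain(lines: List[str]) -> List[Tuple[int, str]]:
    """Follow write edges from the root (a pid that is never a target) to the last target."""
    writes, _, images = parse_rows(lines)
    targets = {d for _, d in writes}
    roots = sorted({s for s, _ in writes} - targets)
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    pid, path, seen = roots[0], [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        path.append((pid, images[pid]))
        nxt = sorted(d for s, d in writes if s == pid)
        pid = nxt[0] if nxt else None   # lowest-pid successor; the report's chain is linear
    return path


if __name__ == "__main__":
    print(" -> ".join(f"{p} {img}" for p, img in injection_chain(EVENTS)))
    print(hollowing_candidates(EVENTS))
    print(foreign_image_writes(EVENTS))
```

The Explorer.EXE edge is the one to keep an eye on in the network section: it has writes but no SetThreadContext row, so whatever was placed there was not started by redirecting an existing thread, and the report records no network activity for this run.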
Processes
(PIDs are taken from the SetThreadContext and WriteProcessMemory tables above; indentation is the process tree depth shown on the page.)
C:\Windows\Explorer.EXE (PID 3540)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe (PID 2972)
    command line: "C:\Users\Admin\AppData\Local\Temp\0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe (PID 4912)
      command line: "C:\Users\Admin\AppData\Local\Temp\0489ae244839c04f3b730e7a3db135ef_JaffaCakes118.exe"
      - Checks computer location settings
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\igfxcn86.exe (PID 2928; the original sample's 8.3 short path is passed as the argument)
        command line: "C:\Windows\SysWOW64\igfxcn86.exe" C:\Users\Admin\AppData\Local\Temp\0489AE~1.EXE
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\igfxcn86.exe (PID 4996)
          command line: "C:\Windows\SysWOW64\igfxcn86.exe" C:\Users\Admin\AppData\Local\Temp\0489AE~1.EXE
          - Modifies firewall policy service
          - Deletes itself
          - Executes dropped EXE
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Impair Defenses (1): Disable or Modify System Firewall (1)
Downloads
C:\Windows\SysWOW64\igfxcn86.exe (hashes identical to the submitted sample: the dropped file is a copy of it)
  Filesize: 200KB
  MD5: 0489ae244839c04f3b730e7a3db135ef
  SHA1: 66f54b5ec27a2623a3674e4391d5b3aee286db0c
  SHA256: b8796b91c089d9487a2969ff3675cfed0565820bfe1fd20e529c2c474e0b550d
  SHA512: c6a929a33dbc1909492a6e1c88b39ade1750a67da9fe5c05884788123854249e2303a2be9469d454fc2910be608e0114879a9ab881549769245e64e9e7ee3537
Memory dumps
  memory/4912-0-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB
  memory/4912-2-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB
  memory/4912-4-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB
  memory/4912-3-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB
  memory/4912-45-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB
  memory/4996-40-0x0000000000400000-0x0000000000437000-memory.dmp: 220KB
  memory/4996-44-0x0000000000400000-0x0000000000437000-memory.dmp: 220KB
  memory/4996-47-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB
  memory/4996-48-0x0000000000400000-0x000000000044B000-memory.dmp: 300KB