Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 10:47
Behavioral task: behavioral1
- Sample: 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 0546c61c6892d5d0752042eb83ea524a
- SHA1: fc3d37d60fdf1bd7009bb7e2177cf1c1590a299f
- SHA256: 4b615ce3f39df0043bd0205acc6df51f89903de4db05a03b2ca9539164d4f022
- SHA512: 0c2712f5197d357b2ac395af33ffe9ad13382e1793f1e69cd1464df7c16c273523f72bd60f3675cbb7e8798b1d4d20e3a24ab5844a509e42f66a7300e26ed201
- SSDEEP: 24576:lYFj6xcDm02mlyldQ1V7C0K3lSZuI903kyelQbJyHoxCiwn1uHGPPCteP:GFj6x3mgdQ1V7kDX+Ow1BXgW
Malware Config
- Extracted: metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (10 IoCs)
  Processes (pid, process):
  2948 msrx.exe
  2716 msrx.exe
  1648 msrx.exe
  1976 msrx.exe
  2244 msrx.exe
  1912 msrx.exe
  2936 msrx.exe
  2784 msrx.exe
  2836 msrx.exe
  2744 msrx.exe
- Loads dropped DLL (20 IoCs)
  Processes (pid, process):
  1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
  1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
  2948 msrx.exe
  2948 msrx.exe
  2716 msrx.exe
  2716 msrx.exe
  1648 msrx.exe
  1648 msrx.exe
  1976 msrx.exe
  1976 msrx.exe
  2244 msrx.exe
  2244 msrx.exe
  1912 msrx.exe
  1912 msrx.exe
  2936 msrx.exe
  2936 msrx.exe
  2784 msrx.exe
  2784 msrx.exe
  2836 msrx.exe
  2836 msrx.exe
- Processes (resource, yara_rule):
  \Windows\SysWOW64\msrx.exe themida
  behavioral1/memory/1632-24-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2948-27-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2948-29-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2948-30-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2948-31-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2948-35-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-38-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-37-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-39-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-40-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-41-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-42-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2716-46-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/1648-48-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/1648-52-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/1976-53-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/1976-57-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2244-58-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2244-62-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/1912-63-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/1912-67-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2936-68-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2936-74-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2784-77-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2784-81-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2836-82-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2836-86-0x0000000000400000-0x000000000075F000-memory.dmp themida
  behavioral1/memory/2744-87-0x0000000000400000-0x000000000075F000-memory.dmp themida
- Drops file in System32 directory (20 IoCs)
  Processes (description, ioc, process):
  File created | C:\Windows\SysWOW64\msrx.exe | 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File opened for modification | C:\Windows\SysWOW64\msrx.exe | msrx.exe
  File created | C:\Windows\SysWOW64\msrx.exe | msrx.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
  1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
  2948 msrx.exe
  2716 msrx.exe
  1648 msrx.exe
  1976 msrx.exe
  2244 msrx.exe
  1912 msrx.exe
  2784 msrx.exe
  2836 msrx.exe
  2744 msrx.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description, pid process, target process):
  PID 1632 wrote to memory of 2948 | 1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe | msrx.exe
  PID 1632 wrote to memory of 2948 | 1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe | msrx.exe
  PID 1632 wrote to memory of 2948 | 1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe | msrx.exe
  PID 1632 wrote to memory of 2948 | 1632 0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe | msrx.exe
  PID 2948 wrote to memory of 2716 | 2948 msrx.exe | msrx.exe
  PID 2948 wrote to memory of 2716 | 2948 msrx.exe | msrx.exe
  PID 2948 wrote to memory of 2716 | 2948 msrx.exe | msrx.exe
  PID 2948 wrote to memory of 2716 | 2948 msrx.exe | msrx.exe
  PID 2716 wrote to memory of 1648 | 2716 msrx.exe | msrx.exe
  PID 2716 wrote to memory of 1648 | 2716 msrx.exe | msrx.exe
  PID 2716 wrote to memory of 1648 | 2716 msrx.exe | msrx.exe
  PID 2716 wrote to memory of 1648 | 2716 msrx.exe | msrx.exe
  PID 1648 wrote to memory of 1976 | 1648 msrx.exe | msrx.exe
  PID 1648 wrote to memory of 1976 | 1648 msrx.exe | msrx.exe
  PID 1648 wrote to memory of 1976 | 1648 msrx.exe | msrx.exe
  PID 1648 wrote to memory of 1976 | 1648 msrx.exe | msrx.exe
  PID 1976 wrote to memory of 2244 | 1976 msrx.exe | msrx.exe
  PID 1976 wrote to memory of 2244 | 1976 msrx.exe | msrx.exe
  PID 1976 wrote to memory of 2244 | 1976 msrx.exe | msrx.exe
  PID 1976 wrote to memory of 2244 | 1976 msrx.exe | msrx.exe
  PID 2244 wrote to memory of 1912 | 2244 msrx.exe | msrx.exe
  PID 2244 wrote to memory of 1912 | 2244 msrx.exe | msrx.exe
  PID 2244 wrote to memory of 1912 | 2244 msrx.exe | msrx.exe
  PID 2244 wrote to memory of 1912 | 2244 msrx.exe | msrx.exe
  PID 1912 wrote to memory of 2936 | 1912 msrx.exe | msrx.exe
  PID 1912 wrote to memory of 2936 | 1912 msrx.exe | msrx.exe
  PID 1912 wrote to memory of 2936 | 1912 msrx.exe | msrx.exe
  PID 1912 wrote to memory of 2936 | 1912 msrx.exe | msrx.exe
  PID 2784 wrote to memory of 2836 | 2784 msrx.exe | msrx.exe
  PID 2784 wrote to memory of 2836 | 2784 msrx.exe | msrx.exe
  PID 2784 wrote to memory of 2836 | 2784 msrx.exe | msrx.exe
  PID 2784 wrote to memory of 2836 | 2784 msrx.exe | msrx.exe
  PID 2836 wrote to memory of 2744 | 2836 msrx.exe | msrx.exe
  PID 2836 wrote to memory of 2744 | 2836 msrx.exe | msrx.exe
  PID 2836 wrote to memory of 2744 | 2836 msrx.exe | msrx.exe
  PID 2836 wrote to memory of 2744 | 2836 msrx.exe | msrx.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 2] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 668 "C:\Users\Admin\AppData\Local\Temp\0546c61c6892d5d0752042eb83ea524a_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 3] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 712 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 4] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 716 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 5] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 724 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 6] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 720 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 7] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 740 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 8] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 732 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [level 9] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 748 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 10] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 752 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [level 11] C:\Windows\SysWOW64\msrx.exe
  Command line: C:\Windows\system32\msrx.exe 756 "C:\Windows\SysWOW64\msrx.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
Downloads
- \Windows\SysWOW64\msrx.exe
  Filesize: 1.3MB
  MD5: 0546c61c6892d5d0752042eb83ea524a
  SHA1: fc3d37d60fdf1bd7009bb7e2177cf1c1590a299f
  SHA256: 4b615ce3f39df0043bd0205acc6df51f89903de4db05a03b2ca9539164d4f022
  SHA512: 0c2712f5197d357b2ac395af33ffe9ad13382e1793f1e69cd1464df7c16c273523f72bd60f3675cbb7e8798b1d4d20e3a24ab5844a509e42f66a7300e26ed201
- memory/1632-7-0x00000000044F0000-0x00000000044F1000-memory.dmp (Filesize: 4KB)
- memory/1632-9-0x00000000042F0000-0x00000000042F1000-memory.dmp (Filesize: 4KB)
- memory/1632-12-0x00000000044B0000-0x00000000044B2000-memory.dmp (Filesize: 8KB)
- memory/1632-8-0x0000000004260000-0x0000000004261000-memory.dmp (Filesize: 4KB)
- memory/1632-13-0x0000000004470000-0x0000000004471000-memory.dmp (Filesize: 4KB)
- memory/1632-6-0x0000000004300000-0x0000000004301000-memory.dmp (Filesize: 4KB)
- memory/1632-5-0x0000000004270000-0x0000000004271000-memory.dmp (Filesize: 4KB)
- memory/1632-4-0x0000000004480000-0x0000000004481000-memory.dmp (Filesize: 4KB)
- memory/1632-11-0x00000000044C0000-0x00000000044C1000-memory.dmp (Filesize: 4KB)
- memory/1632-14-0x0000000000401000-0x0000000000427000-memory.dmp (Filesize: 152KB)
- memory/1632-1-0x0000000002080000-0x0000000002168000-memory.dmp (Filesize: 928KB)
- memory/1632-10-0x0000000004290000-0x0000000004291000-memory.dmp (Filesize: 4KB)
- memory/1632-3-0x00000000044E0000-0x00000000044E1000-memory.dmp (Filesize: 4KB)
- memory/1632-2-0x00000000044D0000-0x00000000044D2000-memory.dmp (Filesize: 8KB)
- memory/1632-0-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize: 4KB)
- memory/1632-24-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/1648-52-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/1648-48-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/1912-67-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/1912-63-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/1976-57-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/1976-53-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2244-58-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2244-62-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-37-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-42-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-40-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-46-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-39-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-38-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2716-41-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2744-87-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2784-77-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2784-81-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2836-82-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2836-86-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2936-68-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2936-74-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2948-31-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2948-35-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2948-27-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2948-29-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)
- memory/2948-30-0x0000000000400000-0x000000000075F000-memory.dmp (Filesize: 3.4MB)