Analysis
-
max time kernel
143s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
20-06-2024 11:34
Behavioral task
behavioral1
Sample
059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
059dd2c292172e8296dd8d1b09a1a496
-
SHA1
dd3ce2304c51efbde2a65f8bb33e365780459476
-
SHA256
65f2a0650bda4d51f159107ef05754ce6c2b626c28a9457484f8b5a8adf339aa
-
SHA512
dd8c5ab4470328e7ee37a38be6bfedd5b461dc115e34b9e64a46758f3ced310cff967c773ce3347b765a1dcb2207517075445af8070041410b3cdd6af28c1241
-
SSDEEP
24576:lYFj6xcDm02mlyldQ1V7C0K3lSZuI903kyelQbJyHoxCiwn1uHGPPCteP:GFj6x3mgdQ1V7kDX+Ow1BXgK
Malware Config
Extracted
Family: metasploit
Encoder: encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
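The config extraction names Metasploit's x86 `fnstenv_mov` encoder: a GetPC stub that abuses `fnstenv` to leak the address of the last FPU instruction, then XORs the payload dword by dword with one constant key. The Python below is an added example, not code from this report or from Metasploit. The stub byte layout is my reconstruction of that decoder and is an assumption to check against the encoder source before relying on it; the payload bytes are constructed stand-ins. It builds an encoded buffer and then recovers the key and cleartext statically, which is what you would do against a memory dump instead of letting the stub run.

```python
"""
Added example (not from the sandbox report or Metasploit): emulate the
GetPC/XOR scheme of an x86 fnstenv_mov-style decoder so that an encoded
payload can be recovered statically from a dump.  The stub bytes are an
assumption (my reconstruction of the msfvenom decoder), not copied from it.
"""
import struct

# 'fnstenv [esp-12]' stores the 28-byte FPU environment so that the saved
# instruction pointer of the last FPU instruction ('fldz') lands at [esp];
# 'pop ebx' turns that into the address of the stub itself.
STUB_PREFIX = bytes([
    0xD9, 0xEE,              # fldz
    0xD9, 0x74, 0x24, 0xF4,  # fnstenv [esp-0xc]
    0x5B,                    # pop ebx             ; ebx = address of fldz
    0x81, 0x73, 0x13,        # xor dword [ebx+0x13], imm32 (key follows)
])
STUB_SUFFIX = bytes([
    0x83, 0xEB, 0xFC,        # sub ebx, -4         ; advance one dword
    0xE2, 0xF4,              # loop $-10           ; ecx = dword count
])
KEY_OFFSET = len(STUB_PREFIX)                 # key immediate follows '81 73 13'
STUB_LEN = KEY_OFFSET + 4 + len(STUB_SUFFIX)  # 19 == 0x13, the [ebx+0x13] displacement


def build_encoded(payload: bytes, key: int) -> bytes:
    """'push count ; pop ecx' + stub + key + (payload XOR key), dword-wise."""
    padded = payload + b"\x90" * (-len(payload) % 4)   # NOP-pad to a dword boundary
    count = len(padded) // 4
    if not 1 <= count <= 0x7F:                          # push imm8 sign-extends
        raise ValueError("dword count must fit a positive imm8")
    body = b"".join(struct.pack("<I", d ^ key)
                    for d in struct.unpack("<%dI" % count, padded))
    return (bytes([0x6A, count, 0x59]) + STUB_PREFIX
            + struct.pack("<I", key) + STUB_SUFFIX + body)


def find_stub(data: bytes) -> int:
    """Offset of the 'fldz' that opens a matching stub, or -1 if none."""
    pos = data.find(STUB_PREFIX)
    while pos >= 0:
        tail = pos + KEY_OFFSET + 4
        if data[tail:tail + len(STUB_SUFFIX)] == STUB_SUFFIX:
            return pos
        pos = data.find(STUB_PREFIX, pos + 1)
    return -1


def decode(data: bytes):
    """Return (key, decoded payload) for a buffer holding the stub, else None."""
    off = find_stub(data)
    if off < 0:
        return None
    key = struct.unpack_from("<I", data, off + KEY_OFFSET)[0]
    start = off + STUB_LEN
    if off >= 3 and data[off - 3] == 0x6A and data[off - 1] == 0x59:
        count = data[off - 2]                 # loop counter from 'push imm8 ; pop ecx'
    else:
        count = (len(data) - start) // 4      # no counter found: decode to the end
    dwords = struct.unpack_from("<%dI" % count, data, start)
    return key, b"".join(struct.pack("<I", d ^ key) for d in dwords)


# Constructed stand-in for shellcode; not bytes from the analysed sample.
SAMPLE_PAYLOAD = b"\x31\xc0\x50\xcc\xc3"

if __name__ == "__main__":
    blob = b"\x00" * 16 + build_encoded(SAMPLE_PAYLOAD, 0xDEADBEEF)
    key, clear = decode(blob)
    print("stub at", find_stub(blob), "key", hex(key), "payload", clear.hex())
```

The stub's `push imm8 ; pop ecx` sets the dword count, so `decode` reads it back when present and otherwise decodes to the end of the buffer. A real dump may carry a different stub variant (other GetPC tricks, a feedback key), so treat a miss as "not this encoder" rather than "not Metasploit".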
-
Executes dropped EXE 10 IoCs
Processes:
pid process
2252 msrx.exe
756 msrx.exe
924 msrx.exe
2376 msrx.exe
1500 msrx.exe
2760 msrx.exe
3052 msrx.exe
2548 msrx.exe
2448 msrx.exe
2468 msrx.exe
-
Loads dropped DLL 20 IoCs
Processes:
pid process (two loads each)
1320 059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe
2252 msrx.exe
756 msrx.exe
924 msrx.exe
2376 msrx.exe
1500 msrx.exe
2760 msrx.exe
3052 msrx.exe
2548 msrx.exe
2448 msrx.exe
-
Themida packer (YARA rule `themida`) 28 IoCs
Processes:
resource yara_rule
\Windows\SysWOW64\msrx.exe themida
behavioral1/memory/1320-18-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/2252-{26,27,29,30,31,35}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/756-{36,37,39,40,41,45}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/924-{47,51}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/2376-{52,56}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/1500-{57,61}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/2760-{62,66}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/3052-{67,71}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/2548-{72,76}-0x0000000000400000-0x000000000075F000-memory.dmp themida
behavioral1/memory/2448-{77,81}-0x0000000000400000-0x000000000075F000-memory.dmp themida
-
Drops file in System32 directory 22 IoCs
Processes:
description ioc process
File created C:\Windows\SysWOW64\msrx.exe 059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe (x1), msrx.exe (x10)
File opened for modification C:\Windows\SysWOW64\msrx.exe 059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe (x1), msrx.exe (x10)
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid process
1320 059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe
2252 msrx.exe
756 msrx.exe
924 msrx.exe
2376 msrx.exe
1500 msrx.exe
2760 msrx.exe
3052 msrx.exe
2548 msrx.exe
2448 msrx.exe
2468 msrx.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
pid process -> target pid, target process (each pair recorded four times, 40 IoCs over 10 pairs)
PID 1320 059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe wrote to memory of 2252 msrx.exe (x4)
PID 2252 msrx.exe wrote to memory of 756 msrx.exe (x4)
PID 756 msrx.exe wrote to memory of 924 msrx.exe (x4)
PID 924 msrx.exe wrote to memory of 2376 msrx.exe (x4)
PID 2376 msrx.exe wrote to memory of 1500 msrx.exe (x4)
PID 1500 msrx.exe wrote to memory of 2760 msrx.exe (x4)
PID 2760 msrx.exe wrote to memory of 3052 msrx.exe (x4)
PID 3052 msrx.exe wrote to memory of 2548 msrx.exe (x4)
PID 2548 msrx.exe wrote to memory of 2448 msrx.exe (x4)
PID 2448 msrx.exe wrote to memory of 2468 msrx.exe (x4)
Processes
-
C:\Users\Admin\AppData\Local\Temp\059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 2)
Command line: C:\Windows\system32\msrx.exe 656 "C:\Users\Admin\AppData\Local\Temp\059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 3)
Command line: C:\Windows\system32\msrx.exe 708 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 4)
Command line: C:\Windows\system32\msrx.exe 712 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 5)
Command line: C:\Windows\system32\msrx.exe 716 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 6)
Command line: C:\Windows\system32\msrx.exe 720 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 7)
Command line: C:\Windows\system32\msrx.exe 732 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 8)
Command line: C:\Windows\system32\msrx.exe 736 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 9)
Command line: C:\Windows\system32\msrx.exe 728 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 10)
Command line: C:\Windows\system32\msrx.exe 740 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msrx.exe (level 11)
Command line: C:\Windows\system32\msrx.exe 744 "C:\Windows\SysWOW64\msrx.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
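The tree above is one chain of eleven processes: the sample writes itself to C:\Windows\SysWOW64\msrx.exe (the dropped file's hashes in the Downloads section equal the sample's), launches that copy with a numeric argument and its own path, and every copy repeats the same handoff to the next one. The command lines say C:\Windows\system32\msrx.exe while the image runs from SysWOW64 because a 32-bit process sees System32 through WOW64 file system redirection; a rule that matches on the literal command-line path would miss it. The Python below is an added example, not part of the report: it builds process records from the PIDs, images and command lines shown and scores the chain the way a detection rule would. The record layout, the function names and the treatment of the numeric argument as opaque are my own choices.

```python
"""
Added example (not from the sandbox report): reconstruct the process tree as
(pid, ppid, image, command line) records and score the self-replication
pattern.  PIDs, paths and arguments are copied from the report; the sample's
own parent is not shown there, so it is recorded as None.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\059dd2c292172e8296dd8d1b09a1a496_JaffaCakes118.exe"
MSRX = r"C:\Windows\SysWOW64\msrx.exe"

# Records built from the report's process tree.  Each child is launched via the
# C:\Windows\system32 alias, which WOW64 redirects to SysWOW64 for a 32-bit
# parent, with a number and the parent's own image path as arguments.
RECORDS = [(1320, None, SAMPLE, f'"{SAMPLE}"')]
_parent_image, _parent_pid = SAMPLE, 1320
for _pid, _arg in [(2252, 656), (756, 708), (924, 712), (2376, 716), (1500, 720),
                   (2760, 732), (3052, 736), (2548, 728), (2448, 740), (2468, 744)]:
    RECORDS.append((_pid, _parent_pid, MSRX,
                    f'C:\\Windows\\system32\\msrx.exe {_arg} "{_parent_image}"'))
    _parent_image, _parent_pid = MSRX, _pid

HANDOFF = re.compile(r'^(\S+)\s+(\d+)\s+"([^"]+)"$')

# Hashes of the submitted sample and of the dropped \Windows\SysWOW64\msrx.exe,
# both copied from the report.
SAMPLE_HASHES = {"md5": "059dd2c292172e8296dd8d1b09a1a496",
                 "sha256": "65f2a0650bda4d51f159107ef05754ce6c2b626c28a9457484f8b5a8adf339aa"}
DROPPED_HASHES = {"md5": "059dd2c292172e8296dd8d1b09a1a496",
                  "sha256": "65f2a0650bda4d51f159107ef05754ce6c2b626c28a9457484f8b5a8adf339aa"}


def parse_handoff(cmdline):
    """Split '<image> <number> "<path>"' into (number, path); None if not that shape."""
    m = HANDOFF.match(cmdline)
    return (int(m.group(2)), m.group(3)) if m else None


def same_image(a, b):
    return a.lower() == b.lower()


def self_spawn_chain(records):
    """Longest parent->child chain in which every process runs the same image."""
    by_pid = {r[0]: r for r in records}
    children = defaultdict(list)
    for pid, ppid, image, _ in records:
        if ppid in by_pid and same_image(image, by_pid[ppid][2]):
            children[ppid].append(pid)
    child_set = {c for cs in children.values() for c in cs}

    def walk(pid):
        best = []
        for c in children[pid]:
            path = walk(c)
            if len(path) > len(best):
                best = path
        return [pid] + best

    roots = [pid for pid in by_pid if pid not in child_set]
    return max((walk(r) for r in roots), key=len, default=[])


def handoff_links(records):
    """PIDs whose quoted argument names their parent's image: the copy-and-relaunch handoff."""
    by_pid = {r[0]: r for r in records}
    hits = []
    for pid, ppid, _, cmdline in records:
        parsed = parse_handoff(cmdline)
        if parsed and ppid in by_pid and same_image(parsed[1], by_pid[ppid][2]):
            hits.append(pid)
    return hits


def runs_from_system_dir(image):
    return image.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def is_self_copy(sample, dropped):
    return all(sample.get(k) == v for k, v in dropped.items())


def assess(records):
    chain = self_spawn_chain(records)
    return {
        "self_spawn_depth": len(chain),
        "chain_pids": chain,
        "handoff_links": len(handoff_links(records)),
        "spawned_from_system_dir": all(runs_from_system_dir(r[2]) for r in records if r[0] in chain),
        "dropped_file_is_sample": is_self_copy(SAMPLE_HASHES, DROPPED_HASHES),
    }


if __name__ == "__main__":
    for key, value in assess(RECORDS).items():
        print(f"{key}: {value}")
```

Three signals together make the verdict: a same-image chain ten deep, every link carrying the parent's path as an argument, and the binary in the chain being a byte-for-byte copy of the sample sitting in a system directory. The numeric argument (656, 708, 712, ...) is carried through unchanged here; the report gives no basis for interpreting it.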
Network
MITRE ATT&CK Matrix
Downloads
-
\Windows\SysWOW64\msrx.exe
Filesize 1.3MB
MD5 059dd2c292172e8296dd8d1b09a1a496
SHA1 dd3ce2304c51efbde2a65f8bb33e365780459476
SHA256 65f2a0650bda4d51f159107ef05754ce6c2b626c28a9457484f8b5a8adf339aa
SHA512 dd8c5ab4470328e7ee37a38be6bfedd5b461dc115e34b9e64a46758f3ced310cff967c773ce3347b765a1dcb2207517075445af8070041410b3cdd6af28c1241
(all four hashes equal those of the submitted sample: the dropped file is a verbatim self-copy)
-
Memory dumps (region, Filesize)
memory/1320-0-0x0000000000260000-0x0000000000261000-memory.dmp 4KB
memory/1320-1-0x0000000000760000-0x0000000000848000-memory.dmp 928KB
memory/1320-2-0x00000000044D0000-0x00000000044D2000-memory.dmp 8KB
memory/1320-3-0x00000000044E0000-0x00000000044E1000-memory.dmp 4KB
memory/1320-4-0x0000000004470000-0x0000000004471000-memory.dmp 4KB
memory/1320-5-0x0000000004370000-0x0000000004371000-memory.dmp 4KB
memory/1320-6-0x0000000004430000-0x0000000004431000-memory.dmp 4KB
memory/1320-7-0x00000000008B0000-0x00000000008B1000-memory.dmp 4KB
memory/1320-8-0x0000000004420000-0x0000000004421000-memory.dmp 4KB
memory/1320-9-0x00000000044F0000-0x00000000044F1000-memory.dmp 4KB
memory/1320-10-0x00000000043D0000-0x00000000043D1000-memory.dmp 4KB
memory/1320-11-0x00000000044C0000-0x00000000044C1000-memory.dmp 4KB
memory/1320-12-0x00000000044B0000-0x00000000044B2000-memory.dmp 8KB
memory/1320-13-0x0000000000401000-0x0000000000427000-memory.dmp 152KB
memory/1320-18-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB
memory/2252-{26,27,29,30,31,35}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/756-{36,37,39,40,41,45}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/924-{47,51}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/2376-{52,56}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/1500-{57,61}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/2760-{62,66}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/3052-{67,71}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/2548-{72,76}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each
memory/2448-{77,81}-0x0000000000400000-0x000000000075F000-memory.dmp 3.4MB each