Analysis
- max time kernel: 139s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 22:03
Behavioral task: behavioral1
- Sample: 040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
- Size: 219KB
- MD5: 040aa26e340fc21f5592418762f93c78
- SHA1: 96589badd0c65357b28c135a11593307160d15be
- SHA256: eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
- SHA512: 849d5b6a98a560786bd1112b5523692b5bef697261c80dd202a3cb498ce81d4d3082f6cac851550bfc3d8483cc21e97ace376524d4b2a50f1e2a8234051834c7
- SSDEEP: 6144:6b3UYmL5+wp7XH51MnD9fpoh+WclrLqE:6beLpJXZ1b+WSyE
Malware Config
Extracted:
- metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (16 IoCs)
  Processes (pid, process):
    2648 globalpatch.exe
    1896 globalpatch.exe
    2296 globalpatch.exe
    680  globalpatch.exe
    1532 globalpatch.exe
    976  globalpatch.exe
    1736 globalpatch.exe
    2632 globalpatch.exe
    704  globalpatch.exe
    1976 globalpatch.exe
    2380 globalpatch.exe
    1224 globalpatch.exe
    3036 globalpatch.exe
    2672 globalpatch.exe
    2836 globalpatch.exe
    2664 globalpatch.exe
- Loads dropped DLL (64 IoCs)
  Processes (pid, process, number of repeated entries):
    2376 040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe (x1)
    2648 globalpatch.exe (x4)
    1896 globalpatch.exe (x4)
    2296 globalpatch.exe (x4)
    680  globalpatch.exe (x4)
    1532 globalpatch.exe (x4)
    976  globalpatch.exe (x4)
    1736 globalpatch.exe (x4)
    2632 globalpatch.exe (x4)
    704  globalpatch.exe (x4)
    1976 globalpatch.exe (x4)
    2380 globalpatch.exe (x4)
    1224 globalpatch.exe (x4)
    3036 globalpatch.exe (x4)
    2672 globalpatch.exe (x4)
    2836 globalpatch.exe (x4)
    2664 globalpatch.exe (x3)
- Processes (resource, yara_rule):
    behavioral1/memory/2152-0-0x0000000000400000-0x000000000044B000-memory.dmp    upx
    behavioral1/memory/2152-16-0x0000000000400000-0x000000000044B000-memory.dmp   upx
    \Windows\SysWOW64\globalpatch.exe                                            upx
    behavioral1/memory/2376-22-0x0000000002470000-0x00000000024BB000-memory.dmp   upx
    behavioral1/memory/2648-60-0x0000000000400000-0x000000000044B000-memory.dmp   upx
    behavioral1/memory/2296-87-0x0000000000400000-0x000000000044B000-memory.dmp   upx
    behavioral1/memory/1532-123-0x0000000000400000-0x000000000044B000-memory.dmp  upx
    behavioral1/memory/1736-155-0x0000000000400000-0x000000000044B000-memory.dmp  upx
    behavioral1/memory/2632-157-0x0000000000880000-0x00000000008CB000-memory.dmp  upx
    behavioral1/memory/704-189-0x0000000000400000-0x000000000044B000-memory.dmp   upx
    behavioral1/memory/2380-216-0x0000000000400000-0x000000000044B000-memory.dmp  upx
    behavioral1/memory/3036-244-0x0000000000400000-0x000000000044B000-memory.dmp  upx
    behavioral1/memory/2836-250-0x0000000000400000-0x000000000044B000-memory.dmp  upx
    behavioral1/memory/2836-270-0x0000000000400000-0x000000000044B000-memory.dmp  upx
- Drops file in System32 directory (18 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File opened for modification  C:\Windows\SysWOW64\globalpatch.exe  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
    File created                  C:\Windows\SysWOW64\globalpatch.exe  globalpatch.exe
- Suspicious use of SetThreadContext (9 IoCs)
  Processes (description, pid, process, target process):
    PID 2152 set thread context of 2376  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe -> 040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
    PID 2648 set thread context of 1896  globalpatch.exe -> globalpatch.exe
    PID 2296 set thread context of 680   globalpatch.exe -> globalpatch.exe
    PID 1532 set thread context of 976   globalpatch.exe -> globalpatch.exe
    PID 1736 set thread context of 2632  globalpatch.exe -> globalpatch.exe
    PID 704  set thread context of 1976  globalpatch.exe -> globalpatch.exe
    PID 2380 set thread context of 1224  globalpatch.exe -> globalpatch.exe
    PID 3036 set thread context of 2672  globalpatch.exe -> globalpatch.exe
    PID 2836 set thread context of 2664  globalpatch.exe -> globalpatch.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process; identical consecutive entries collapsed with a count):
    PID 2152 wrote to memory of 2376  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe -> 040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe  (x9)
    PID 2376 wrote to memory of 2648  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe -> globalpatch.exe  (x7)
    PID 2648 wrote to memory of 1896  globalpatch.exe -> globalpatch.exe  (x12)
    PID 1896 wrote to memory of 2296  globalpatch.exe -> globalpatch.exe  (x7)
    PID 2296 wrote to memory of 680   globalpatch.exe -> globalpatch.exe  (x12)
    PID 680  wrote to memory of 1532  globalpatch.exe -> globalpatch.exe  (x7)
    PID 1532 wrote to memory of 976   globalpatch.exe -> globalpatch.exe  (x10)
Processes (each entry is a child of the entry above it; tree depth in parentheses)
- (1) C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
  PID: 2152
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- (2) C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
  PID: 2376
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- (3) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 476 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
  PID: 2648
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- (4) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 476 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
  PID: 1896
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- (5) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 2296
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- (6) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 680
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- (7) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 1532
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- (8) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 976
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- (9) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 1736
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- (10) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 2632
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- (11) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 704
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- (12) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 1976
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- (13) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 2380
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- (14) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 1224
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- (15) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 3036
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- (16) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 2672
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- (17) C:\Windows\SysWOW64\globalpatch.exe
  Command line: C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 2836
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- (18) C:\Windows\SysWOW64\globalpatch.exe
  Command line: 580 "C:\Windows\SysWOW64\globalpatch.exe"
  PID: 2664
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 219KB
- MD5: 040aa26e340fc21f5592418762f93c78
- SHA1: 96589badd0c65357b28c135a11593307160d15be
- SHA256: eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
- SHA512: 849d5b6a98a560786bd1112b5523692b5bef697261c80dd202a3cb498ce81d4d3082f6cac851550bfc3d8483cc21e97ace376524d4b2a50f1e2a8234051834c7