Analysis
-
max time kernel
145s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
22-06-2024 22:03
Behavioral task
behavioral1
Sample
040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
-
Size
219KB
-
MD5
040aa26e340fc21f5592418762f93c78
-
SHA1
96589badd0c65357b28c135a11593307160d15be
-
SHA256
eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
-
SHA512
849d5b6a98a560786bd1112b5523692b5bef697261c80dd202a3cb498ce81d4d3082f6cac851550bfc3d8483cc21e97ace376524d4b2a50f1e2a8234051834c7
-
SSDEEP
6144:6b3UYmL5+wp7XH51MnD9fpoh+WclrLqE:6beLpJXZ1b+WSyE
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
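The Malware Config block above names the encoder the sandbox recognised: metasploit encoder/fnstenv_mov. Decoders of this family find their own address without a call/pop: `fnstenv` writes the 28-byte x87 environment to memory, and bytes 12..15 of that structure hold the instruction pointer of the last non-control FPU instruction executed (the `fldz` at the top of the stub). Storing the environment at `[esp-12]` lands that field at `[esp]`, so a following `pop` yields the stub's address, from which the XOR loop decodes the payload in place. The Python below is an added example written for this page, not code from the report, the sample or the framework. It encodes a constructed payload with that scheme, then locates and strips the stub from an arbitrary buffer. The stub byte layout is reproduced from memory of the framework's x86 fnstenv_mov decoder and is an assumption to verify against the framework source; the round trip in the example is correct regardless, because `encode()` and `decode()` share the layout.

```python
"""
Locate and undo a Metasploit-style fnstenv/mov XOR decoder stub.

Added example for this report; not the sandbox's signature and not framework
code. The stub layout below is an assumption written from memory of the
framework's x86/fnstenv_mov decoder: check it against the framework source.
"""
import struct

# Assumed stub:  push byte <count>; pop ecx; fldz; fnstenv [esp-0xc]; pop ebx
#                (ebx = address of fldz, the last FPU instruction recorded);
#                xor dword [ebx+0x13], <key>; sub ebx, -4; loop
# fldz sits 3 bytes into the stub, so ebx+0x13 = stub+22 = first encoded dword.
STUB_PREFIX = b"\x6a"                                      # push byte <count>
GETPC = b"\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"    # pop ecx .. xor dword [ebx+0x13],
STUB_SUFFIX = b"\x83\xeb\xfc\xe2\xf4"                      # sub ebx,-4 ; loop
STUB_LEN = 1 + 1 + len(GETPC) + 4 + len(STUB_SUFFIX)       # 22 bytes incl. count and key


def encode(payload: bytes, key: int) -> bytes:
    """Pad payload to a dword multiple, XOR every dword with the fixed key, prepend stub."""
    padded = payload + b"\x90" * (-len(payload) % 4)       # NOP padding, as a packer would
    count = len(padded) // 4
    if not 1 <= count <= 0xFF:
        raise ValueError("block count must fit in one byte")
    body = b"".join(
        struct.pack("<I", struct.unpack("<I", padded[i:i + 4])[0] ^ key)
        for i in range(0, len(padded), 4))
    return STUB_PREFIX + bytes([count]) + GETPC + struct.pack("<I", key) + STUB_SUFFIX + body


def find_stub(buf: bytes):
    """Return (offset, count, key) of the first complete stub in buf, or None."""
    pos = 0
    while True:
        pos = buf.find(GETPC, pos)
        if pos < 0:
            return None
        start = pos - 2                                    # back over "push byte <count>"
        key_off = pos + len(GETPC)
        if (start >= 0 and buf[start] == 0x6A
                and buf[key_off + 4:key_off + 4 + len(STUB_SUFFIX)] == STUB_SUFFIX):
            count = buf[start + 1]
            key = struct.unpack("<I", buf[key_off:key_off + 4])[0]
            return start, count, key
        pos += 1                                           # GETPC bytes without the frame: keep scanning


def decode(buf: bytes) -> bytes:
    """Recover the plaintext payload that the stub in buf would produce at run time."""
    hit = find_stub(buf)
    if hit is None:
        raise ValueError("no fnstenv_mov stub found")
    start, count, key = hit
    body_off = start + STUB_LEN
    body = buf[body_off:body_off + 4 * count]
    if len(body) != 4 * count:
        raise ValueError("encoded body is truncated")
    return b"".join(
        struct.pack("<I", struct.unpack("<I", body[i:i + 4])[0] ^ key)
        for i in range(0, len(body), 4))


if __name__ == "__main__":
    # Constructed payload and key; the surrounding bytes stand in for unrelated file content.
    blob = b"\x00" * 7 + encode(bytes(range(1, 14)), 0x11223344) + b"\xcc" * 3
    print(find_stub(blob))          # (7, 4, 287454020)
    print(decode(blob).hex())
```

The 11-byte `GETPC` core is the part worth signaturing: the count byte and the 4-byte key change with every build, so a rule anchored on them would miss the next sample, while a rule on the fixed GetPC sequence catches the decoder regardless of key.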
-
Executes dropped EXE 20 IoCs
Processes:
  pid   process
  536   globalpatch.exe
  1576  globalpatch.exe
  1736  globalpatch.exe
  3500  globalpatch.exe
  3280  globalpatch.exe
  4824  globalpatch.exe
  4524  globalpatch.exe
  2012  globalpatch.exe
  4900  globalpatch.exe
  2292  globalpatch.exe
  1004  globalpatch.exe
  4812  globalpatch.exe
  2916  globalpatch.exe
  1256  globalpatch.exe
  4604  globalpatch.exe
  4528  globalpatch.exe
  3776  globalpatch.exe
  4444  globalpatch.exe
  3684  globalpatch.exe
  2212  globalpatch.exe
YARA rule match: upx 18 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1376-0-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral2/memory/1376-2-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  C:\Windows\SysWOW64\globalpatch.exe                                           upx
  behavioral2/memory/536-12-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral2/memory/536-20-0x0000000000400000-0x000000000044B000-memory.dmp   upx
  behavioral2/memory/1736-31-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/3280-41-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/4524-44-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/4524-51-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/4900-54-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/4900-61-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/1004-64-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/1004-71-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/2916-80-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/4604-89-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/3776-92-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/3776-98-0x0000000000400000-0x000000000044B000-memory.dmp  upx
  behavioral2/memory/3684-108-0x0000000000400000-0x000000000044B000-memory.dmp upx
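The upx rule fired both on the dropped C:\Windows\SysWOW64\globalpatch.exe and on memory dumps of the mapped image at 0x400000-0x44B000. That is expected: UPX leaves its section names (UPX0, UPX1) and its "UPX!" info block in the PE header, and the header is mapped unchanged into the running process, so a dump of the image region matches the same rule even after the stub has unpacked the real code into UPX0. The Python below is an added example for this page, not the sandbox's rule or the packer's code: it parses the PE section table (per the PE/COFF header layout) and reports the header features a typical public upx rule keys on. `build_test_image()` and its section lists are constructed test data, not a real sample, and the combination of indicators used for the verdict is my heuristic.

```python
"""
Header checks behind a typical public 'upx' YARA rule (MZ at 0, section names
UPX0/UPX1, a 'UPX!' marker near the headers), applied to a PE file on disk or
to a dump of the mapped image, whose headers keep the same fields.

Added example for this report; not the sandbox's rule and not packer code.
Section-table parsing follows the PE/COFF header layout; the verdict rules and
build_test_image() are mine, and the constructed image is not a real sample.
"""
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER


def parse_sections(image: bytes):
    """Return [(name, VirtualSize, VirtualAddress, SizeOfRawData), ...] from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        f = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[1], f[2], f[3]))
    return sections


def upx_indicators(image: bytes) -> dict:
    """Individual indicators, so a triage note can say why the image looked packed."""
    sections = parse_sections(image)
    names = [s[0] for s in sections]
    first = sections[0] if sections else None
    return {
        "sections": names,
        "upx_sections": "UPX0" in names and "UPX1" in names,
        "upx_marker": b"UPX!" in image[:4096],           # packer info block sits near the headers
        # UPX0 is the unpack destination: large VirtualSize, zero bytes on disk.
        "empty_first_section": first is not None and first[3] == 0 and first[1] > 0,
    }


def is_upx_packed(image: bytes) -> bool:
    ind = upx_indicators(image)
    return ind["upx_sections"] or (ind["upx_marker"] and ind["empty_first_section"])


def build_test_image(sections, marker: bool = False) -> bytes:
    """Constructed PE32 header-only image for tests: parseable, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\x0b\x01" + b"\0" * 222                       # PE32 magic 0x10b, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, vaddr, rawsize,
                            0, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize in sections)
    tail = b"UPX!" + b"\0" * 28 if marker else b"\0" * 32
    return dos + b"PE\0\0" + coff + optional + table + tail


if __name__ == "__main__":
    # Constructed section layout in the style of a UPX-packed 32-bit image.
    packed = build_test_image([("UPX0", 0x30000, 0x1000, 0),
                               ("UPX1", 0x1B000, 0x31000, 0x1A200),
                               (".rsrc", 0x1000, 0x4C000, 0x600)], marker=True)
    print(upx_indicators(packed), is_upx_packed(packed))
```

On a memory dump, SizeOfRawData still reflects the on-disk layout while UPX0 now holds the unpacked code, which is why a dump carved from the running process is where to look for the real payload, and why the same header-based rule keeps matching it.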
Drops file in System32 directory 22 IoCs
Processes:
  description                   ioc                                   process
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File created                  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
  File opened for modification  C:\Windows\SysWOW64\globalpatch.exe   globalpatch.exe
Suspicious use of SetThreadContext 11 IoCs
Processes:
  description                           pid   process                                              target process
  PID 1376 set thread context of 4688   1376  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe   040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
  PID 536 set thread context of 1576    536   globalpatch.exe                                      globalpatch.exe
  PID 1736 set thread context of 3500   1736  globalpatch.exe                                      globalpatch.exe
  PID 3280 set thread context of 4824   3280  globalpatch.exe                                      globalpatch.exe
  PID 4524 set thread context of 2012   4524  globalpatch.exe                                      globalpatch.exe
  PID 4900 set thread context of 2292   4900  globalpatch.exe                                      globalpatch.exe
  PID 1004 set thread context of 4812   1004  globalpatch.exe                                      globalpatch.exe
  PID 2916 set thread context of 1256   2916  globalpatch.exe                                      globalpatch.exe
  PID 4604 set thread context of 4528   4604  globalpatch.exe                                      globalpatch.exe
  PID 3776 set thread context of 4444   3776  globalpatch.exe                                      globalpatch.exe
  PID 3684 set thread context of 2212   3684  globalpatch.exe                                      globalpatch.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  events  description                        pid   process                                              target process
  8       PID 1376 wrote to memory of 4688   1376  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe   040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
  3       PID 4688 wrote to memory of 536    4688  040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe   globalpatch.exe
  8       PID 536 wrote to memory of 1576    536   globalpatch.exe                                      globalpatch.exe
  3       PID 1576 wrote to memory of 1736   1576  globalpatch.exe                                      globalpatch.exe
  8       PID 1736 wrote to memory of 3500   1736  globalpatch.exe                                      globalpatch.exe
  3       PID 3500 wrote to memory of 3280   3500  globalpatch.exe                                      globalpatch.exe
  8       PID 3280 wrote to memory of 4824   3280  globalpatch.exe                                      globalpatch.exe
  3       PID 4824 wrote to memory of 4524   4824  globalpatch.exe                                      globalpatch.exe
  8       PID 4524 wrote to memory of 2012   4524  globalpatch.exe                                      globalpatch.exe
  3       PID 2012 wrote to memory of 4900   2012  globalpatch.exe                                      globalpatch.exe
  8       PID 4900 wrote to memory of 2292   4900  globalpatch.exe                                      globalpatch.exe
  1       PID 2292 wrote to memory of 1004   2292  globalpatch.exe                                      globalpatch.exe
  The list ends at its 64th event; the later generations visible in the process tree (PID 1004 onward) have no entries here.
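Read together, the two IoC lists above show one repeating step: a process writes into a child running the same image and then resets that child's thread context, and the child in turn spawns the next generation of globalpatch.exe. Writing to a same-image child followed by SetThreadContext is the classic shape of replacing the code of a suspended child before it runs (process hollowing), so correlating the two event kinds per (pid, target) pair is more useful than alerting on either API alone. The Python below is an added example for this page, not the sandbox's own logic: it parses IoC lines in the report's own format, pairs the two event kinds, and walks the wrote-to edges into a lineage. `SAMPLE_EVENTS` is copied from the report's lists above, cut to the first generations with repeats collapsed; the pairing rule is my heuristic.

```python
"""
Correlate a sandbox report's SetThreadContext and WriteProcessMemory IoC
lines into process-hollowing pairs and a spawn lineage.

Added example written for this report; not part of the sandbox's tooling.
SAMPLE_EVENTS is copied from the report's IoC lists (first generations only,
repeats collapsed); the same-image + both-APIs rule below is my heuristic.
"""
import re
from collections import defaultdict

SAMPLE = "040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
SAMPLE_EVENTS = f"""
PID 1376 set thread context of 4688 1376 {SAMPLE} {SAMPLE}
PID 1376 wrote to memory of 4688 1376 {SAMPLE} {SAMPLE}
PID 1376 wrote to memory of 4688 1376 {SAMPLE} {SAMPLE}
PID 4688 wrote to memory of 536 4688 {SAMPLE} globalpatch.exe
PID 536 set thread context of 1576 536 globalpatch.exe globalpatch.exe
PID 536 wrote to memory of 1576 536 globalpatch.exe globalpatch.exe
PID 1576 wrote to memory of 1736 1576 globalpatch.exe globalpatch.exe
PID 1736 set thread context of 3500 1736 globalpatch.exe globalpatch.exe
PID 1736 wrote to memory of 3500 1736 globalpatch.exe globalpatch.exe
""".strip().splitlines()

# "PID <pid> <verb> <target> <pid> <process> <target process>", as the report prints it.
LINE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")


def parse_events(lines):
    """Parse report lines into (kind, pid, target, image, target_image); unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        pid, verb, target, image, target_image = m.groups()
        kind = "STC" if verb.startswith("set") else "WPM"
        events.append((kind, int(pid), int(target), image, target_image))
    return events


def hollowing_pairs(events):
    """(pid, target, image) where pid both wrote into and reset the thread context of a same-image child."""
    kinds = defaultdict(set)
    images = {}
    for kind, pid, target, image, target_image in events:
        kinds[(pid, target)].add(kind)
        images[(pid, target)] = (image, target_image)
    pairs = []
    for (pid, target), ks in kinds.items():          # insertion order = report order
        image, target_image = images[(pid, target)]
        if ks == {"STC", "WPM"} and image == target_image:
            pairs.append((pid, target, image))
    return pairs


def lineage(events, root):
    """Longest chain of pids reachable from root along 'wrote to memory of' edges."""
    children = defaultdict(list)
    for kind, pid, target, *_ in events:
        if kind == "WPM" and target not in children[pid]:
            children[pid].append(target)
    best = [root]

    def walk(path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for child in children[path[-1]]:
            if child not in path:                     # guard against cycles in noisy data
                walk(path + [child])

    walk([root])
    return best


def summarize(lines):
    events = parse_events(lines)
    pairs = hollowing_pairs(events)
    chain = lineage(events, events[0][1]) if events else []
    return {"hollowing_pairs": pairs, "lineage": chain, "generations": len(chain) - 1}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(key, value)
```

Note that 4688 -> 536 is a lineage edge but not a hollowing pair: the images differ and there is no SetThreadContext, which matches the process tree, where the even-depth (hollowed) copies are the ones that drop and launch globalpatch.exe rather than inject into it.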
Processes
-
Process tree: each "depth N" entry is a child of the "depth N-1" entry directly above it. The globalpatch.exe copies are 32-bit, so the command line they pass ("C:\Windows\system32\globalpatch.exe") is mapped by WOW64 file-system redirection to the C:\Windows\SysWOW64\globalpatch.exe image shown.

depth 1   PID 1376   C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 2   PID 4688   C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
depth 3   PID 536    C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 976 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 4   PID 1576   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 976 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
depth 5   PID 1736   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1124 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 6   PID 3500   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1124 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
depth 7   PID 3280   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 8   PID 4824   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
depth 9   PID 4524   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 10  PID 2012   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
depth 11  PID 4900   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 12  PID 2292   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
depth 13  PID 1004   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 14  PID 4812   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
depth 15  PID 2916   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 16  PID 1256   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
depth 17  PID 4604   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 18  PID 4528   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
depth 19  PID 3776   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 20  PID 4444   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1092 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
depth 21  PID 3684   C:\Windows\SysWOW64\globalpatch.exe
          cmdline: C:\Windows\system32\globalpatch.exe 1084 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 22  PID 2212   C:\Windows\SysWOW64\globalpatch.exe
          cmdline (as captured): 1084 "C:\Windows\SysWOW64\globalpatch.exe"
          - Executes dropped EXE
          - Drops file in System32 directory

Separate tree (sandbox environment process, no signatures):
depth 1   PID 4552   C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
Downloads
-
Filesize
219KB
-
MD5
040aa26e340fc21f5592418762f93c78
-
SHA1
96589badd0c65357b28c135a11593307160d15be
-
SHA256
eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
-
SHA512
849d5b6a98a560786bd1112b5523692b5bef697261c80dd202a3cb498ce81d4d3082f6cac851550bfc3d8483cc21e97ace376524d4b2a50f1e2a8234051834c7