Analysis

max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 22:27

Static task: static1
Behavioral task: behavioral1
  Sample: 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
Size: 691KB
MD5: 0423fc7135f0b7ac671d03ad09a69b26
SHA1: 9762188fa1d59e9dadc551c415991e4acbf59c5f
SHA256: 334e56e333eaebbe621bbf0184fd45de0bf3ba3ab667f4086a5d993c03c2ec0e
SHA512: 0f490edf575612d0ded1c4d58f22084e701780a291de5af1214edf6d7f515ef3df21ae5909883172536d887ab9db66146526ed7e2682067408017021e592827c
SSDEEP: 12288:sCx1kJpmp7HMYjTcvWVez4zqDvYRIQnIfHjAXd5eqBFtJTcXPca0amUVRFtSn9ou:FKJpu7sJHA4g1IrAN5htJg/zfFIn9b
Malware Config

Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Drops file in Drivers directory (1 IoC)
Processes:
  description  | ioc                                        | process
  File created | C:\Windows\SysWOW64\drivers\sysdrv32.sys   | wmibusn.exe
-
Deletes itself (1 IoC)
Processes:
  pid  | process
  2692 | wmibusn.exe
-
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  2692 | wmibusn.exe
-
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. Opening this key is an environment check: the key only exists when the binary is running under Wine.
Processes:
  description | ioc                                                                          | process
  Key opened  | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
-
Drops file in System32 directory (1 IoC)
Processes:
  description                  | ioc                                                                                                               | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat    | wmibusn.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid  | process
  2884 | 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
  2692 | wmibusn.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
  description                  | ioc                          | process
  File created                 | C:\Windows\system\wmibusn.exe | 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
  File opened for modification | C:\Windows\system\wmibusn.exe | 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
Note that the drop location is C:\Windows\system (the legacy 16-bit directory), not System32; it is a plausible-looking path that ordinary software rarely writes to.
-
Gathers network information (2 TTPs, 21 IoCs)
Uses a command-line utility to view the network configuration.
Processes:
  ipconfig.exe PIDs: 840, 2900, 2912, 1436, 2244, 828, 2364, 612, 1600, 1700, 2148, 1172, 2396, 2660, 3060, 1180, 2964, 1136, 1560, 1884, 1728
-
Modifies data under HKEY_USERS (6 IoCs)
Processes (all wmibusn.exe):
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
These writes land in the .DEFAULT hive, and the counters.dat write above lands under config\systemprofile, which indicates that wmibusn.exe was running as LocalSystem rather than as the sandbox user. The values set (ProxyEnable = 0, connection flags 0x09 = direct connection plus auto-detect) are WinINet defaults, i.e. the dropped binary initialises a no-proxy WinINet configuration for the system account before making HTTP requests.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  2884 | 0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe
  2692 | wmibusn.exe
-
Suspicious behavior: LoadsDriver (1 IoC)
Processes:
  pid | process
  476 | (no process name recorded in the report)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description            | pid  | process
  Token: SeDebugPrivilege | 2692 | wmibusn.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  PID 2692 (wmibusn.exe) wrote to the memory of ipconfig.exe children with PIDs 2396, 1136, 2660, 1600, 2912, 1436, 2244, 828, 3060, 2364, 1560, 612, 1884, 1700, 1180 and 840, four writes per child (64 entries). Only 16 of the 21 ipconfig.exe children appear here; PIDs 1728, 2900, 2964, 2148 and 1172 are not listed. Four writes into a freshly created child at process start is the normal CreateProcess pattern and is not, on its own, evidence of code injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe"
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2884
-
C:\Windows\system\wmibusn.exe (level 1)
  command line: "C:\Windows\system\wmibusn.exe"
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2692
  -
  C:\Windows\SysWOW64\ipconfig.exe (level 2, child of wmibusn.exe, 21 instances)
    command line: ipconfig /flushdns
    - Gathers network information
    PIDs in launch order: 2396, 1136, 2660, 1600, 2912, 1436, 2244, 828, 3060, 2364, 1560, 612, 1884, 1700, 1180, 840, 1728, 2900, 2964, 2148, 1172
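The behaviours recorded in the Signatures section and the process tree above (the Software\Wine registry probe, an executable dropped into C:\Windows\system, a .sys written into the drivers directory, Internet Settings rewritten under HKU\.DEFAULT, and a loop of ipconfig /flushdns children under one parent) translate directly into host detection rules. The following Python is an added example and is not part of the sandbox report or of the sample's own code: it runs five such rules over constructed Sysmon-style events modelled on this report's IoCs. The timestamps, the event field names, the benign drvinst.exe control event and the driver-writer allowlist are assumptions made for the example.

```python
"""Host detections for the dropper behaviour recorded in this report.

The EVENTS list below is constructed telemetry (Sysmon-style, not captured
from a real host) that reproduces the chain the sandbox observed.  Field
names and timestamps are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0423fc7135f0b7ac671d03ad09a69b26_JaffaCakes118.exe"
DROPPED = r"C:\Windows\system\wmibusn.exe"


def ev(kind, t, pid, image, **fields):
    """Build one constructed event; kind is 'process', 'file' or 'registry'."""
    return {"kind": kind, "time": datetime.fromisoformat(t), "pid": pid, "image": image, **fields}


EVENTS = [
    ev("registry", "2024-06-22T22:28:00", 2884, SAMPLE, op="KeyOpen",
       target=r"HKU\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine"),
    ev("file", "2024-06-22T22:28:01", 2884, SAMPLE, target=DROPPED),
    ev("file", "2024-06-22T22:28:03", 2692, DROPPED, target=r"C:\Windows\SysWOW64\drivers\sysdrv32.sys"),
    ev("registry", "2024-06-22T22:28:04", 2692, DROPPED, op="SetValue",
       target=r"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", value="0"),
] + [
    # 21 ipconfig /flushdns children two seconds apart, as in the process tree
    ev("process", f"2024-06-22T22:28:{10 + 2 * i:02d}", 2396 + i, r"C:\Windows\SysWOW64\ipconfig.exe",
       parent_pid=2692, parent_image=DROPPED, cmdline="ipconfig /flushdns")
    for i in range(21)
] + [
    # assumed benign control: the driver installer writing a .sys must not fire
    ev("file", "2024-06-22T22:29:00", 900, r"C:\Windows\System32\drvinst.exe",
       target=r"C:\Windows\System32\drivers\vendor.sys"),
]

DRIVER_FILE = re.compile(r"\\(system32|syswow64)\\drivers\\[^\\]+\.sys$", re.I)
DRIVER_WRITERS_OK = {r"c:\windows\system32\drvinst.exe"}  # assumed allowlist
LEGACY_SYSTEM_DIR = re.compile(r"^c:\\windows\\system\\[^\\]+\.(exe|dll)$", re.I)
DEFAULT_HIVE_INET = re.compile(
    r"^HKU\\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", re.I)


def finding(rule, technique, e, note):
    return {"rule": rule, "technique": technique, "pid": e["pid"], "image": e["image"], "note": note}


def rule_wine_probe(events):
    """Opening HKU\\<sid>\\Software\\Wine is a sandbox check: the key only exists under Wine."""
    return [finding("sandbox_probe_wine_key", "T1497", e, e["target"])
            for e in events if e["kind"] == "registry" and e["target"].lower().endswith(r"\software\wine")]


def rule_legacy_system_dir_drop(events):
    """PE written into C:\\Windows\\system (the legacy directory, not System32)."""
    return [finding("pe_dropped_in_windows_system", None, e, e["target"])
            for e in events if e["kind"] == "file" and LEGACY_SYSTEM_DIR.match(e["target"])]


def rule_driver_drop(events):
    """.sys written into a drivers directory by anything other than an allowlisted installer."""
    return [finding("driver_written_by_unexpected_image", None, e, e["target"])
            for e in events if e["kind"] == "file" and DRIVER_FILE.search(e["target"])
            and e["image"].lower() not in DRIVER_WRITERS_OK]


def rule_default_hive_proxy(events):
    """Internet Settings written under HKU\\.DEFAULT, i.e. WinINet config for the system account."""
    return [finding("default_hive_internet_settings_write", "T1112", e, e["target"])
            for e in events if e["kind"] == "registry" and e.get("op") == "SetValue"
            and DEFAULT_HIVE_INET.match(e["target"])]


def rule_flushdns_burst(events, threshold=5, window=timedelta(seconds=60)):
    """One parent spawning >= threshold 'ipconfig /flushdns' children inside `window`."""
    by_parent = defaultdict(list)
    for e in events:
        if (e["kind"] == "process" and e["image"].lower().endswith(r"\ipconfig.exe")
                and "/flushdns" in e["cmdline"].lower()):
            by_parent[e["parent_pid"]].append(e)
    out = []
    for parent, kids in by_parent.items():
        kids.sort(key=lambda k: k["time"])
        for i in range(len(kids) - threshold + 1):
            if kids[i + threshold - 1]["time"] - kids[i]["time"] <= window:
                out.append({"rule": "flushdns_loop", "technique": "T1016", "pid": parent,
                            "image": kids[i]["parent_image"],
                            "note": f"{len(kids)} ipconfig /flushdns children"})
                break
    return out


RULES = [rule_wine_probe, rule_legacy_system_dir_drop, rule_driver_drop,
         rule_default_hive_proxy, rule_flushdns_burst]


def triage(events):
    """Run every rule and return the combined findings."""
    return [f for rule in RULES for f in rule(events)]


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:40} {f['technique'] or '-':6} pid={f['pid']} {f['note']}")
```

The burst rule is the one that carries weight on a real host: a single ipconfig /flushdns is routine, but twenty-one of them from one parent inside a minute is not. The driver rule needs a site-specific allowlist, since legitimate installers and Windows Update also write into the drivers directory; the allowlist here is only an illustration.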
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 691KB
MD5: 0423fc7135f0b7ac671d03ad09a69b26
SHA1: 9762188fa1d59e9dadc551c415991e4acbf59c5f
SHA256: 334e56e333eaebbe621bbf0184fd45de0bf3ba3ab667f4086a5d993c03c2ec0e
SHA512: 0f490edf575612d0ded1c4d58f22084e701780a291de5af1214edf6d7f515ef3df21ae5909883172536d887ab9db66146526ed7e2682067408017021e592827c