Analysis
-
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
-
Target: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
Size: 80KB
MD5: 03dce550e9b7a52b9d9f9cf7ef9e6d9d
SHA1: 408f8bf503a9d9458a312bc9e21fcccf9d209e82
SHA256: c2ddc852580a105675df4a8ddc65249ceeaa60d5893cd0b1f759909633c773fb
SHA512: 4fe2b0f9adb15279115e72846329ef7bb2f6aa958a6599ea18755019d55adbdb8d6e3caa4a80f5ffa020fc941f31d8f23be919dc67c58bf8c33cf310638e5040
SSDEEP: 1536:BgWsWt5NCgrLvk6JKLe7+nB7stedqiDV8Z3anehf9jMSEgluqdJ:KW5t5sgAyABwtedqRxVjXVdJ
Malware Config
-
Extracted: metasploit
Encoder: encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\system32\\drivers\\BSqBT.exe" | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
-
Drops file in Drivers directory (4 IoCs)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe, BSqBT.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\BSqBT.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\BSqBT.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\BSqBT.exe | BSqBT.exe
File created | C:\Windows\SysWOW64\drivers\BSqBT.exe | BSqBT.exe
-
Executes dropped EXE (2 IoCs)
Processes: BSqBT.exe, BSqBT.exe
pid | process
2984 | BSqBT.exe
2692 | BSqBT.exe
-
Loads dropped DLL (3 IoCs)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe, BSqBT.exe
pid | process
2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
2984 | BSqBT.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\system32\\drivers\\BSqBT.exe" | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe, BSqBT.exe
description | pid | process | target process
PID 2268 set thread context of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2984 set thread context of 2692 | 2984 | BSqBT.exe | BSqBT.exe
-
Drops file in Windows directory (1 IoC)
Processes: BSqBT.exe
description | ioc | process
File created | C:\Windows\logfile32.txt | BSqBT.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
pid | process
2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe, 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe, BSqBT.exe
description | pid | process | target process
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2268 wrote to memory of 2264 | 2268 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
PID 2264 wrote to memory of 2984 | 2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | BSqBT.exe
PID 2264 wrote to memory of 2984 | 2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | BSqBT.exe
PID 2264 wrote to memory of 2984 | 2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | BSqBT.exe
PID 2264 wrote to memory of 2984 | 2264 | 03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
PID 2984 wrote to memory of 2692 | 2984 | BSqBT.exe | BSqBT.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe"
  PID: 2268
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03dce550e9b7a52b9d9f9cf7ef9e6d9d_JaffaCakes118.exe"
    PID: 2264
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\drivers\BSqBT.exe
      Command line: "C:\Windows\system32\drivers\BSqBT.exe"
      PID: 2984
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\drivers\BSqBT.exe
        Command line: "C:\Windows\system32\drivers\BSqBT.exe"
        PID: 2692
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 80KB
MD5: 03dce550e9b7a52b9d9f9cf7ef9e6d9d
SHA1: 408f8bf503a9d9458a312bc9e21fcccf9d209e82
SHA256: c2ddc852580a105675df4a8ddc65249ceeaa60d5893cd0b1f759909633c773fb
SHA512: 4fe2b0f9adb15279115e72846329ef7bb2f6aa958a6599ea18755019d55adbdb8d6e3caa4a80f5ffa020fc941f31d8f23be919dc67c58bf8c33cf310638e5040