Analysis
- max time kernel: 145s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 23-06-2024 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
- Size: 132KB
- MD5: 04de334d7af9e2097403d599abd6aa8b
- SHA1: 19fdccb209c127b24e6d80fd890df50223c4665d
- SHA256: 22b41b22f675441f2ca4dc11c328c58615ff978e32c4fa07c5a57f88671100ee
- SHA512: b4879784bfafd65f81a38806d934829da2c8440e5efe709350a20b702e858f9d8802d050cff79a8a23cb560af8cf730d61c63f508571a1723b587258bd9a3f33
- SSDEEP: 3072:oW0DUlKDL2yvB5waMlYkQZfUPrlVlTiIGIkh3rl/:oW0jf0Tv3lT6IkBx
Malware Config
- Extracted: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\ctfmon.exe" (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  Processes: ctfmon.exe, ctfmon.exe
  - PID 2800 ctfmon.exe
  - PID 2712 ctfmon.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\ctfmon.exe" (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, ctfmon.exe
  - PID 2924 set thread context of 2236 (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, target process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe)
  - PID 2800 set thread context of 2712 (process: ctfmon.exe, target process: ctfmon.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, ctfmon.exe
  - File created: C:\Windows\ctfmon.exe (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\ctfmon.exe (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe)
  - File created: C:\Windows\logfile32.txt (process: ctfmon.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, ctfmon.exe
  - PID 2236 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe (3 events)
  - PID 2712 ctfmon.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, ctfmon.exe
  - Token: SeDebugPrivilege, PID 2236 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  - Token: SeDebugPrivilege, PID 2712 ctfmon.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, ctfmon.exe
  - PID 2924 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  - PID 2800 ctfmon.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, ctfmon.exe
  - PID 2924 wrote to memory of 2236 (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, target process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe), 9 events
  - PID 2236 wrote to memory of 2800 (process: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe, target process: ctfmon.exe), 4 events
  - PID 2800 wrote to memory of 2712 (process: ctfmon.exe, target process: ctfmon.exe), 9 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe"
   PID: 2924
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe (child of PID 2924)
      Command line: C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
      PID: 2236
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\ctfmon.exe (child of PID 2236)
         Command line: "C:\Windows\ctfmon.exe"
         PID: 2800
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\ctfmon.exe (child of PID 2800)
            Command line: C:\Windows\ctfmon.exe
            PID: 2712
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 132KB
  MD5: 04de334d7af9e2097403d599abd6aa8b
  SHA1: 19fdccb209c127b24e6d80fd890df50223c4665d
  SHA256: 22b41b22f675441f2ca4dc11c328c58615ff978e32c4fa07c5a57f88671100ee
  SHA512: b4879784bfafd65f81a38806d934829da2c8440e5efe709350a20b702e858f9d8802d050cff79a8a23cb560af8cf730d61c63f508571a1723b587258bd9a3f33