Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
Size: 132KB
MD5: 04de334d7af9e2097403d599abd6aa8b
SHA1: 19fdccb209c127b24e6d80fd890df50223c4665d
SHA256: 22b41b22f675441f2ca4dc11c328c58615ff978e32c4fa07c5a57f88671100ee
SHA512: b4879784bfafd65f81a38806d934829da2c8440e5efe709350a20b702e858f9d8802d050cff79a8a23cb560af8cf730d61c63f508571a1723b587258bd9a3f33
SSDEEP: 3072:oW0DUlKDL2yvB5waMlYkQZfUPrlVlTiIGIkh3rl/:oW0jf0Tv3lT6IkBx
Malware Config
Extracted:
  metasploit
  encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\ctfmon.exe" | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
1580 | ctfmon.exe
1380 | ctfmon.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\ctfmon.exe" | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 1312 set thread context of 1696 | 1312 | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
PID 1580 set thread context of 1380 | 1580 | ctfmon.exe | ctfmon.exe

Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\ctfmon.exe | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
File created | C:\Windows\logfile32.txt | ctfmon.exe
File created | C:\Windows\ctfmon.exe | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process | entries
1696 | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe | 6
1380 | ctfmon.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1696 | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
Token: SeDebugPrivilege | 1380 | ctfmon.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
1312 | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
1580 | ctfmon.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process | entries
PID 1312 wrote to memory of 1696 | 1312 | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe | 8
PID 1696 wrote to memory of 1580 | 1696 | 04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe | ctfmon.exe | 3
PID 1580 wrote to memory of 1380 | 1580 | ctfmon.exe | ctfmon.exe | 8
Processes

1. C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe"
   PID: 1312
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe (child of PID 1312)
      Command line: C:\Users\Admin\AppData\Local\Temp\04de334d7af9e2097403d599abd6aa8b_JaffaCakes118.exe
      PID: 1696
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\ctfmon.exe (child of PID 1696)
         Command line: "C:\Windows\ctfmon.exe"
         PID: 1580
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\ctfmon.exe (child of PID 1580)
            Command line: C:\Windows\ctfmon.exe
            PID: 1380
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132KB
MD5: 04de334d7af9e2097403d599abd6aa8b
SHA1: 19fdccb209c127b24e6d80fd890df50223c4665d
SHA256: 22b41b22f675441f2ca4dc11c328c58615ff978e32c4fa07c5a57f88671100ee
SHA512: b4879784bfafd65f81a38806d934829da2c8440e5efe709350a20b702e858f9d8802d050cff79a8a23cb560af8cf730d61c63f508571a1723b587258bd9a3f33