Analysis
- max time kernel: 143s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-06-2024 08:55
Static task: static1
Behavioral task: behavioral1
- Sample: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
The signatures and process tree below belong to the win7-20231129-en run (platform windows7_x64 in the Analysis block above); the Windows 10 run's results are not shown on this page.
General
- Target: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Size: 64KB
- MD5: 05c9178f744949b3c700658036b81a81
- SHA1: 4055f1b70fdf9a2a4fdca3361ad35c35c5e629aa
- SHA256: 3bb785cb70d29adc0cebe59d99baaaffd764129e04d443c9ffe2499854c5ac08
- SHA512: d16ba9a724ea37e5134de0917ed6095e82c05a1cd25c321c58673b4a24a1d7d108ac159b725019b42b450872acbd5d66a78d24dabce01bb411ec18d76527dc47
- SSDEEP: 1536:4TPR7T0RrVhlg1n0Cwgm7EHToV2uV5ZpMtt:cIrTldCicToVtV5/Q
Malware Config
Extracted
- metasploit
- encoder: encoder/call4_dword_xor
The extractor identified only the encoder wrapped around the payload; the payload type (stager, target host or port) is not part of the extracted config on this page.
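The encoder name is the one concrete artifact the config extractor recovered, so the added example below (my own code, not from the report and not the Metasploit project's implementation) shows what call4_dword_xor actually does to a buffer and how to undo it. The scheme XORs the payload dword by dword with a 4-byte key and prepends a small decoder loop; the stub bytes in STUB_HEAD and STUB_TAIL are that loop as I recall it from the framework's x86/call4_dword_xor source (call $+4 / inc eax / pop esi / xor dword [esi+0x0e], key / sub esi, -4 / loop), and should be checked against your copy of the framework. The counter prologue (xor ecx,ecx ; sub ecx,-n) and the NOP padding are this example's own choices, not what the framework emits. To apply it to this sample, carve the bytes around the stub out of a memory dump of the hollowed second instance; the report gives no offset, so none is assumed here.

```python
import struct

# Decoder loop as I recall it from Metasploit's x86/call4_dword_xor encoder
# (verify against the framework source). Offsets relative to the stub start:
#  0: e8 ff ff ff ff   call $+4  (pushes the address of byte 5; lands on the last 0xff)
#  4: ff c0            inc eax   (the shared 0xff byte plus c0)
#  6: 5e               pop esi   (esi = 5)
#  7: 81 76 0e KEY     xor dword [esi+0x0e], KEY  -> first payload dword is at 0x13
# 14: 83 ee fc         sub esi, -4
# 17: e2 f4            loop back to the xor; payload starts at 19 = 0x13
STUB_HEAD = bytes.fromhex("e8ffffffffc05e81760e")
STUB_TAIL = bytes.fromhex("83eefce2f4")


def xor_dwords(buf: bytes, key: int) -> bytes:
    """XOR every little-endian dword of buf with key; buf must be a multiple of 4 bytes."""
    if len(buf) % 4:
        raise ValueError("buffer length must be a multiple of 4")
    k = struct.pack("<I", key)
    return bytes(b ^ k[i & 3] for i, b in enumerate(buf))


def ecx_prologue(n_dwords: int) -> bytes:
    """Counter setup used by this example: xor ecx,ecx ; sub ecx,-n (assumption: the
    framework picks a badchar-free variant per encode, which is not modelled here)."""
    if n_dwords < 1:
        raise ValueError("need at least one dword")
    neg = -n_dwords
    if -128 <= neg <= 127:
        return b"\x31\xc9\x83\xe9" + struct.pack("<b", neg)   # sub ecx, imm8
    return b"\x31\xc9\x81\xe9" + struct.pack("<i", neg)       # sub ecx, imm32


def encode(payload: bytes, key: int) -> bytes:
    """Pad with NOPs to a dword boundary (this example's choice), prepend prologue+stub+key."""
    padded = payload + b"\x90" * ((-len(payload)) % 4)
    return (ecx_prologue(len(padded) // 4) + STUB_HEAD + struct.pack("<I", key)
            + STUB_TAIL + xor_dwords(padded, key))


def find_stub(blob: bytes):
    """Locate the first decoder stub in blob.
    Returns (stub_offset, key, payload_offset, dword_count_or_None)."""
    i = blob.find(STUB_HEAD)
    while i != -1:
        key_off = i + len(STUB_HEAD)
        tail_off = key_off + 4
        if blob[tail_off:tail_off + len(STUB_TAIL)] == STUB_TAIL:
            key = struct.unpack_from("<I", blob, key_off)[0]
            count = None
            # Recover the loop count from the two prologue forms this example emits.
            if i >= 3 and blob[i - 3:i - 1] == b"\x83\xe9":
                count = -struct.unpack_from("<b", blob, i - 1)[0]
            elif i >= 6 and blob[i - 6:i - 4] == b"\x81\xe9":
                count = (-struct.unpack_from("<i", blob, i - 4)[0]) & 0xFFFFFFFF
            return i, key, tail_off + len(STUB_TAIL), count
        i = blob.find(STUB_HEAD, i + 1)
    return None


def decode(blob: bytes) -> bytes:
    """Strip the stub and XOR the payload back, trimming to the recovered count if known."""
    hit = find_stub(blob)
    if hit is None:
        raise ValueError("no call4_dword_xor stub found")
    _, key, start, count = hit
    body = blob[start:]
    if count is not None:
        body = body[:4 * count]
    return xor_dwords(body[:len(body) - len(body) % 4], key)


if __name__ == "__main__":
    # Constructed sample input, not bytes from the analysed binary.
    demo = b"\xfc\xe8" + bytes(range(11))
    blob = encode(demo, 0xDEADBEEF)
    print("encoded:", blob.hex())
    print("stub   :", find_stub(blob))
    print("decoded:", decode(blob).hex())
```

When the prologue is not one of the two forms above (the usual case with a real msfvenom output), find_stub still returns the key and payload offset and decode simply decodes to the end of the carved buffer, so carve generously and trim afterwards.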
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Process: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\wjdrive32.exe" | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  Note: Policies\Explorer\Run is processed at logon like the ordinary Run key but sits under a policy path, so include it in any autostart check alongside Run/RunOnce. Writing it under HKLM requires administrative rights, which the sandbox user (Admin) had.
- Executes dropped EXE (2 IoCs)
  Processes: wjdrive32.exe, wjdrive32.exe
  pid | process
  2996 | wjdrive32.exe
  2708 | wjdrive32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\wjdrive32.exe" | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  Note: the Wow6432Node path shows the write came from a 32-bit process on the x64 guest and was redirected into the 32-bit view of HKLM\SOFTWARE; the entry still runs at logon. Both autostart entries use the same value name ("Microsoft Driver Setup") and point at the dropped file.
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, wjdrive32.exe
  description | pid | process | target pid | target process
  set thread context | 2952 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | 2380 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  set thread context | 2996 | wjdrive32.exe | 2708 | wjdrive32.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, wjdrive32.exe
  description | ioc | process
  File created | C:\Windows\wjdrive32.exe | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  File opened for modification | C:\Windows\wjdrive32.exe | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  File created | C:\Windows\%windir%\lfffile32.log | wjdrive32.exe
  Note: %windir% here is a literal directory name under C:\Windows, so the dropped copy wrote its log to an unexpanded environment-variable path; the literal folder is itself a usable host artifact.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  pid | process
  2380 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  2380 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, wjdrive32.exe
  description | pid | process | target pid | target process | count
  wrote to memory of | 2952 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | 2380 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | 9
  wrote to memory of | 2380 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | 2996 | wjdrive32.exe | 4
  wrote to memory of | 2996 | wjdrive32.exe | 2708 | wjdrive32.exe | 9
  Note: the report lists every write as its own IoC; the count column collapses the identical rows (9 + 4 + 9 = 22). Read together with the SetThreadContext rows, each stage starts a second instance of its own image, writes into it, then sets that instance's thread context, which is the sequence of process hollowing. That is an interpretation: the report records the API calls, not what was written.
Processes
- C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe (PID 2952)
  command line: "C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe (PID 2380, child of 2952)
    command line: "C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\wjdrive32.exe (PID 2996, child of 2380)
      command line: "C:\Windows\wjdrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\wjdrive32.exe (PID 2708, child of 2996)
        command line: "C:\Windows\wjdrive32.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
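The Signatures and Processes sections above are what an analyst actually reads off this report, so the added example below (my own code, not part of the sandbox report) parses rows in the report's own row format and pulls out the two findings worth escalating: parent/child pairs where a process writes into a second instance of its own image and then calls SetThreadContext (the hollowing pattern), and autostart registry values whose data points at a file the sample itself dropped. The rows in REPORT_ROWS are copied from the Signatures section (one row per process pair rather than the nine repeats the report lists); nothing else about the sample is assumed.

```python
import re
from collections import defaultdict

SAMPLE = "05c9178f744949b3c700658036b81a81_JaffaCakes118.exe"

# Rows copied from the report's Signatures section (constructed input for this example;
# identical "wrote to memory of" rows are collapsed to one per pair).
REPORT_ROWS = rf"""
PID 2952 set thread context of 2380 2952 {SAMPLE} {SAMPLE}
PID 2996 set thread context of 2708 2996 wjdrive32.exe wjdrive32.exe
PID 2952 wrote to memory of 2380 2952 {SAMPLE} {SAMPLE}
PID 2380 wrote to memory of 2996 2380 {SAMPLE} wjdrive32.exe
PID 2996 wrote to memory of 2708 2996 wjdrive32.exe wjdrive32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run {SAMPLE}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\wjdrive32.exe" {SAMPLE}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\wjdrive32.exe" {SAMPLE}
File created C:\Windows\wjdrive32.exe {SAMPLE}
File opened for modification C:\Windows\wjdrive32.exe {SAMPLE}
File created C:\Windows\%windir%\lfffile32.log wjdrive32.exe
""".strip().splitlines()

# "PID <src> <op> <dst> <src again> <src image> <dst image>"
MEM_RE = re.compile(r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
                    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
# "Set value (type) <key path ending in Run/RunOnce>\<value name> = "<data>" <process>"
REG_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?\\Run(?:Once)?)\\'
                    r'(?P<name>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")

# Autostart locations this example recognises (both appear in the report).
AUTORUN_MARKERS = ("\\currentversion\\run", "\\policies\\explorer\\run")


def triage(rows):
    """Return {'hollowing': [...], 'autoruns': [...]} built from report rows."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0})
    autoruns, created = [], set()
    for row in rows:
        m = MEM_RE.match(row)
        if m:
            key = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
            pairs[key]["writes" if m["op"].startswith("wrote") else "ctx"] += 1
            continue
        m = REG_RE.match(row)
        if m:
            autoruns.append({"key": m["key"], "name": m["name"],
                             # the report shows backslashes doubled inside the value data
                             "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]})
            continue
        m = FILE_RE.match(row)
        if m:
            created.add(m["path"].lower())

    # Hollowing candidate: same image on both sides, at least one write and a
    # SetThreadContext on the same pair. 2380 -> 2996 is excluded (different image, no ctx).
    hollowing = [{"src": s, "dst": d, "image": si, "writes": r["writes"]}
                 for (s, d, si, di), r in pairs.items()
                 if r["ctx"] and r["writes"] and si == di]

    flagged = []
    for a in autoruns:
        k = a["key"].lower()
        if not any(marker in k for marker in AUTORUN_MARKERS):
            continue
        a["policy"] = "\\policies\\explorer\\run" in k
        a["wow64"] = "\\wow6432node\\" in k          # written through WOW64 redirection
        a["dropped"] = a["data"].lower() in created    # value data points at a file the sample created
        flagged.append(a)
    return {"hollowing": hollowing, "autoruns": flagged}


if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    for h in result["hollowing"]:
        print(f"hollowing: {h['src']} -> {h['dst']} ({h['image']}, {h['writes']} write row(s))")
    for a in result["autoruns"]:
        print(f"autorun: {a['name']} = {a['data']} policy={a['policy']} wow64={a['wow64']} dropped={a['dropped']}")
```

The same two regexes work on the full report text if you paste the Signatures rows in unchanged; the duplicate write rows then simply raise the writes count for the pair.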
Network
MITRE ATT&CK Enterprise v15
Downloads
- The submitted sample (hashes match the General section above)
  - Filesize: 64KB
  - MD5: 05c9178f744949b3c700658036b81a81
  - SHA1: 4055f1b70fdf9a2a4fdca3361ad35c35c5e629aa
  - SHA256: 3bb785cb70d29adc0cebe59d99baaaffd764129e04d443c9ffe2499854c5ac08
  - SHA512: d16ba9a724ea37e5134de0917ed6095e82c05a1cd25c321c58673b4a24a1d7d108ac159b725019b42b450872acbd5d66a78d24dabce01bb411ec18d76527dc47