Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 08:55
Static task: static1
Behavioral task: behavioral1
- Sample: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Size: 64KB
- MD5: 05c9178f744949b3c700658036b81a81
- SHA1: 4055f1b70fdf9a2a4fdca3361ad35c35c5e629aa
- SHA256: 3bb785cb70d29adc0cebe59d99baaaffd764129e04d443c9ffe2499854c5ac08
- SHA512: d16ba9a724ea37e5134de0917ed6095e82c05a1cd25c321c58673b4a24a1d7d108ac159b725019b42b450872acbd5d66a78d24dabce01bb411ec18d76527dc47
- SSDEEP: 1536:4TPR7T0RrVhlg1n0Cwgm7EHToV2uV5ZpMtt:cIrTldCicToVtV5/Q
Malware Config
- Extracted: metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\wjdrive32.exe" | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  Processes: wjdrive32.exe, wjdrive32.exe
  pid | process
  3284 | wjdrive32.exe
  4932 | wjdrive32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\wjdrive32.exe" | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, wjdrive32.exe
  description | pid | process | target process
  PID 2816 set thread context of 3912 | 2816 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  PID 3284 set thread context of 4932 | 3284 | wjdrive32.exe | wjdrive32.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, wjdrive32.exe
  description | ioc | process
  File created | C:\Windows\wjdrive32.exe | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  File opened for modification | C:\Windows\wjdrive32.exe | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  File created | C:\Windows\%windir%\lfffile32.log | wjdrive32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  pid | process
  3912 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe (4 events)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe, wjdrive32.exe
  description | pid | process | target process
  PID 2816 wrote to memory of 3912 (8 events) | 2816 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  PID 3912 wrote to memory of 3284 (3 events) | 3912 | 05c9178f744949b3c700658036b81a81_JaffaCakes118.exe | wjdrive32.exe
  PID 3284 wrote to memory of 4932 (8 events) | 3284 | wjdrive32.exe | wjdrive32.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe"
  PID: 2816
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\05c9178f744949b3c700658036b81a81_JaffaCakes118.exe"
    PID: 3912
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\wjdrive32.exe
      Command line: "C:\Windows\wjdrive32.exe"
      PID: 3284
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\wjdrive32.exe
        Command line: "C:\Windows\wjdrive32.exe"
        PID: 4932
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: 05c9178f744949b3c700658036b81a81
- SHA1: 4055f1b70fdf9a2a4fdca3361ad35c35c5e629aa
- SHA256: 3bb785cb70d29adc0cebe59d99baaaffd764129e04d443c9ffe2499854c5ac08
- SHA512: d16ba9a724ea37e5134de0917ed6095e82c05a1cd25c321c58673b4a24a1d7d108ac159b725019b42b450872acbd5d66a78d24dabce01bb411ec18d76527dc47