Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 16:06
Static task: static1
Behavioral task: behavioral1
- Sample: 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
- Size: 90KB
- MD5: 2705b56c3ab535f3010fc730f2b88e22
- SHA1: 60211d8cfad0807b4daf478f300299fb05c73947
- SHA256: 92308177ee6693a11cd706276c5726de00eb79abf20dcb51faeb1ad66f8b473d
- SHA512: 2343b568c8282e196662de40b878c13a3f4afb8097e4704268a405f356e4f35413a35f1ef531a1cdbd4c7f085d7cbab82503473c1f53400e1887c429188b1999
- SSDEEP: 1536:P01O8weX0MThcunFMrNUTGS0ve6wFgdmpBIPP/sQZWFx8qu9l0GQHw2z7g8:PUO88qcMMrN3JkSPHuL3
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  pid   Process
  2604  AdobeARMS.exe
  2584  AdobeARMS.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2240  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
  2240  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
- resource yara_rule
  behavioral1/memory/2240-13-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-14-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-12-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-5-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-11-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-3-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-2-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2240-27-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2584-40-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2584-42-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2584-44-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2584-43-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral1/memory/2584-41-0x0000000000400000-0x000000000048C000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe"  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "\\AdobeARMS.exe"  AdobeARMS.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe"  AdobeARMS.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1"  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                              procid_target
  PID 2412 set thread context of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2604 set thread context of 2584  2604  AdobeARMS.exe                                        30
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                              procid_target
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2412 wrote to memory of 2240  2412  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  28
  PID 2240 wrote to memory of 2604  2240  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  29
  PID 2240 wrote to memory of 2604  2240  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  29
  PID 2240 wrote to memory of 2604  2240  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  29
  PID 2240 wrote to memory of 2604  2240  2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe  29
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
  PID 2604 wrote to memory of 2584  2604  AdobeARMS.exe                                        30
Processes
1. C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe"
   PID: 2412
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe"
      PID: 2240
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
         Command line: C:\Users\Admin\AppData\Roaming\AdobeARMS.exe 388 "C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe"
         PID: 2604
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
            Command line: "C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"
            PID: 2584
            - Executes dropped EXE
            - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15