Analysis
max time kernel: 147s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
Size: 90KB
MD5: 2705b56c3ab535f3010fc730f2b88e22
SHA1: 60211d8cfad0807b4daf478f300299fb05c73947
SHA256: 92308177ee6693a11cd706276c5726de00eb79abf20dcb51faeb1ad66f8b473d
SHA512: 2343b568c8282e196662de40b878c13a3f4afb8097e4704268a405f356e4f35413a35f1ef531a1cdbd4c7f085d7cbab82503473c1f53400e1887c429188b1999
SSDEEP: 1536:P01O8weX0MThcunFMrNUTGS0ve6wFgdmpBIPP/sQZWFx8qu9l0GQHw2z7g8:PUO88qcMMrN3JkSPHuL3
Malware Config
Extracted: metasploit
  encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  pid  | Process
  3760 | AdobeARMS.exe
  2880 | AdobeARMS.exe
- yara_rule matches (13 IoCs)
  resource                                                                    | yara_rule
  behavioral2/memory/4640-1-0x0000000000400000-0x000000000048C000-memory.dmp  | upx
  behavioral2/memory/4640-2-0x0000000000400000-0x000000000048C000-memory.dmp  | upx
  behavioral2/memory/4640-0-0x0000000000400000-0x000000000048C000-memory.dmp  | upx
  behavioral2/memory/4640-8-0x0000000000400000-0x000000000048C000-memory.dmp  | upx
  behavioral2/memory/4640-7-0x0000000000400000-0x000000000048C000-memory.dmp  | upx
  behavioral2/memory/4640-14-0x0000000000400000-0x000000000048C000-memory.dmp | upx
  behavioral2/memory/4640-6-0x0000000000400000-0x000000000048C000-memory.dmp  | upx
  behavioral2/memory/2880-25-0x0000000000400000-0x000000000048C000-memory.dmp | upx
  behavioral2/memory/2880-26-0x0000000000400000-0x000000000048C000-memory.dmp | upx
  behavioral2/memory/2880-24-0x0000000000400000-0x000000000048C000-memory.dmp | upx
  behavioral2/memory/2880-23-0x0000000000400000-0x000000000048C000-memory.dmp | upx
  behavioral2/memory/2880-28-0x0000000000400000-0x000000000048C000-memory.dmp | upx
  behavioral2/memory/2880-29-0x0000000000400000-0x000000000048C000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description     | ioc                                                                                                                                                                      | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe" | 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "\\AdobeARMS.exe"                                                                 | AdobeARMS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe" | AdobeARMS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1"                                                                                 | 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                            | pid  | Process                                            | procid_target
  PID 3860 set thread context of 4640    | 3860 | 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe | 88
  PID 3760 set thread context of 2880    | 3760 | AdobeARMS.exe                                      | 92
- Program crash (2 IoCs)
  pid  | pid_target | Process      | procid_target
  4276 | 3860       | WerFault.exe | 81
  264  | 3760       | WerFault.exe | 89
- Suspicious use of WriteProcessMemory (19 IoCs; identical rows collapsed with a repeat count)
  description                          | pid  | Process                                            | procid_target | repeats
  PID 3860 wrote to memory of 4640     | 3860 | 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe | 88            | 8
  PID 4640 wrote to memory of 3760     | 4640 | 2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe | 89            | 3
  PID 3760 wrote to memory of 2880     | 3760 | AdobeARMS.exe                                      | 92            | 8
Processes
C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3860
  |
  +-- C:\Windows\SysWOW64\WerFault.exe
  |     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 376
  |     - Program crash
  |     PID: 4276
  |
  +-- C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe"
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 4640
        |
        +-- C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
              Command line: C:\Users\Admin\AppData\Roaming\AdobeARMS.exe 908 "C:\Users\Admin\AppData\Local\Temp\2705b56c3ab535f3010fc730f2b88e22_JaffaCakes118.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID: 3760
              |
              +-- C:\Windows\SysWOW64\WerFault.exe
              |     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 376
              |     - Program crash
              |     PID: 264
              |
              +-- C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
                    Command line: "C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"
                    - Executes dropped EXE
                    - Adds Run key to start application
                    PID: 2880

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3860 -ip 3860
  PID: 3628

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3760 -ip 3760
  PID: 3496
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 90KB
MD5: 2705b56c3ab535f3010fc730f2b88e22
SHA1: 60211d8cfad0807b4daf478f300299fb05c73947
SHA256: 92308177ee6693a11cd706276c5726de00eb79abf20dcb51faeb1ad66f8b473d
SHA512: 2343b568c8282e196662de40b878c13a3f4afb8097e4704268a405f356e4f35413a35f1ef531a1cdbd4c7f085d7cbab82503473c1f53400e1887c429188b1999