Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted
06-07-2024 05:45
Static task
static1
Behavioral task
behavioral1
Sample
2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
-
Size
267KB
-
MD5
2770949cdb8c3162e0a6ae8eb590b944
-
SHA1
58ee985df907f49099997b5ce804c4578f57df4f
-
SHA256
6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
-
SHA512
9b8c8141e2bf1dc5a816e03c3eaa5b8aa0432e5432e1f8175adb7897cbe6bdac13ea6b9839f4ea12434302d61088f9546c18c63dcd6eec6ea6108580df7403c1
-
SSDEEP
6144:20WhajtUYfvhbKQ+EDxjz9qOMp9oblPaP9bI884Jkd+5k3Fkl:chsWYfpBlG9SW5II5d
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
pid   Process
2932  test1.exe
-
Loads dropped DLL 2 IoCs
pid   Process
2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
-
Drops file in System32 directory 2 IoCs
description                   ioc                             Process
File created                  C:\Windows\SysWOW64\test1.exe   2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                           pid   Process                                               procid_target
PID 1636 set thread context of 2100   1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
-
Drops file in Program Files directory 7 IoCs
description   ioc                                           Process
File created  C:\Program Files\eDonkey2000\incoming         2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\KAZAA                        2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\BearShare\Shared\            2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\ICQ\Shared Files\            2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\Grokster\My Grokster\        2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\LimeWire\Shared              2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description                       pid   Process                                               procid_target
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 1636 wrote to memory of 2100  1636  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   30
PID 2100 wrote to memory of 1208  2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   21
PID 2100 wrote to memory of 2932  2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   31
PID 2100 wrote to memory of 2932  2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   31
PID 2100 wrote to memory of 2932  2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   31
PID 2100 wrote to memory of 2932  2100  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   31
Processes
-
C:\Windows\Explorer.EXE (depth 1, PID 1208)
  Command line: C:\Windows\Explorer.EXE
-
  C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe (depth 2, PID 1636, parent PID 1208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe (depth 3, PID 2100, parent PID 1636; second instance of the same image, written to and re-targeted by PID 1636 via WriteProcessMemory and SetThreadContext)
      Command line: C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\test1.exe (depth 4, PID 2932, parent PID 2100)
        Command line: C:\Windows\system32\test1.exe 472 "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
        - Executes dropped EXE
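The signature tables and the process tree above describe one chain: the sample starts a second copy of itself, writes into it and resets a thread context (the classic hollowing / self-injection pattern), the child then drops test1.exe into SysWOW64 and runs it, seeds the shared folders of several P2P clients, and writes once into Explorer.EXE. The following Python script, added here as an illustration and not part of the sandbox's output, turns those observations into reusable detection logic. The event tuples, the `PROCESSES` table and the helper names are constructed for the example; the PIDs and paths are the ones the report shows.

```python
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
TEST1 = r"C:\Windows\SysWOW64\test1.exe"

# Constructed event stream modelled on this report's signature tables
# (not the sandbox's own format): (pid, image, operation, target).
EVENTS = [
    (1636, SAMPLE, "WriteProcessMemory", 2100),
    (1636, SAMPLE, "SetThreadContext", 2100),
    (2100, SAMPLE, "FileCreate", TEST1),
    (2100, SAMPLE, "FileCreate", r"C:\Program Files\KAZAA"),
    (2100, SAMPLE, "FileCreate", r"C:\Program Files\LimeWire\Shared"),
    (2100, SAMPLE, "FileCreate", r"C:\Users\Admin\AppData\Local\Temp\notes.txt"),  # benign-looking control
    (2100, SAMPLE, "WriteProcessMemory", 1208),
    (2100, SAMPLE, "CreateProcess", 2932),
]
# Process table as the report lists it (pid -> image path), constructed here.
PROCESSES = {1208: r"C:\Windows\Explorer.EXE", 1636: SAMPLE, 2100: SAMPLE, 2932: TEST1}

# Shared-folder roots of the P2P clients named in the "Drops file in Program
# Files directory" signature; a worm seeding these relies on victims sharing it.
P2P_SHARE_ROOTS = (
    r"\eDonkey2000\incoming", r"\KAZAA", r"\Morpheus\My Shared Folder",
    r"\BearShare\Shared", r"\ICQ\Shared Files", r"\Grokster\My Grokster",
    r"\LimeWire\Shared",
)


def _norm(path):
    return path.lower()


def find_hollowing(events, processes):
    """(writer_pid, target_pid, kind) for every writer that both wrote memory
    into and reset a thread context in the same target. kind is 'self-hollowing'
    when writer and target run the same image (the pattern in this report),
    otherwise 'remote-injection'."""
    ops = defaultdict(set)
    for pid, _img, op, target in events:
        if op in ("WriteProcessMemory", "SetThreadContext"):
            ops[(pid, target)].add(op)
    hits = []
    for (pid, target), seen in sorted(ops.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            same = (pid in processes and target in processes
                    and _norm(processes[pid]) == _norm(processes[target]))
            hits.append((pid, target, "self-hollowing" if same else "remote-injection"))
    return hits


def find_cross_process_writes(events, processes):
    """WriteProcessMemory into a process running a different image with no
    matching SetThreadContext: weaker than hollowing but still worth review
    (here the hollowed child writes into Explorer.EXE)."""
    hollowed = {(p, t) for p, t, _ in find_hollowing(events, processes)}
    return sorted({(pid, target, processes.get(target))
                   for pid, _img, op, target in events
                   if op == "WriteProcessMemory" and (pid, target) not in hollowed
                   and _norm(processes.get(pid, "")) != _norm(processes.get(target, ""))})


def find_p2p_share_drops(events):
    """File creations under well-known P2P shared folders (worm seeding)."""
    return sorted(t for _p, _i, op, t in events
                  if op == "FileCreate"
                  and any(_norm(root) in _norm(t) for root in P2P_SHARE_ROOTS))


def find_dropped_exe_execution(events, processes):
    """(creator_pid, new_pid, image) when a file the sample wrote later runs."""
    created = {_norm(t): pid for pid, _i, op, t in events if op == "FileCreate"}
    return [(created[_norm(processes[t])], t, processes[t])
            for _p, _i, op, t in events
            if op == "CreateProcess" and _norm(processes.get(t, "")) in created]


if __name__ == "__main__":
    print("hollowing:", find_hollowing(EVENTS, PROCESSES))
    print("cross-process writes:", find_cross_process_writes(EVENTS, PROCESSES))
    print("P2P share drops:", find_p2p_share_drops(EVENTS))
    print("dropped EXE executed:", find_dropped_exe_execution(EVENTS, PROCESSES))
```

The self-hollowing rule is the one to keep: a process pairing WriteProcessMemory with SetThreadContext against a child of its own image is rare in legitimate software and matches rows 1 to 10 of the WriteProcessMemory table plus the SetThreadContext row. The single write into Explorer.EXE is reported separately because on its own it is a much weaker indicator.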
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
267KB
MD5     2770949cdb8c3162e0a6ae8eb590b944
SHA1    58ee985df907f49099997b5ce804c4578f57df4f
SHA256  6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
SHA512  9b8c8141e2bf1dc5a816e03c3eaa5b8aa0432e5432e1f8175adb7897cbe6bdac13ea6b9839f4ea12434302d61088f9546c18c63dcd6eec6ea6108580df7403c1