Analysis

Max time kernel: 149s
Max time network: 63s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-07-2024 05:45

Static task: static1
Behavioral task: behavioral1
  Sample: 2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
Size: 267KB
MD5: 2770949cdb8c3162e0a6ae8eb590b944
SHA1: 58ee985df907f49099997b5ce804c4578f57df4f
SHA256: 6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
SHA512: 9b8c8141e2bf1dc5a816e03c3eaa5b8aa0432e5432e1f8175adb7897cbe6bdac13ea6b9839f4ea12434302d61088f9546c18c63dcd6eec6ea6108580df7403c1
SSDEEP: 6144:20WhajtUYfvhbKQ+EDxjz9qOMp9oblPaP9bI884Jkd+5k3Fkl:chsWYfpBlG9SW5II5d
Malware Config

Extracted: metasploit
Encoder: encoder/fnstenv_mov
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Executes dropped EXE (20 IoCs)
pid   Process
2252  test1.exe
5084  test1.exe
1456  test1.exe
2304  test1.exe
3892  test1.exe
4700  test1.exe
3204  test1.exe
3912  test1.exe
1700  test1.exe
1984  test1.exe
2996  test1.exe
2264  test1.exe
3880  test1.exe
2288  test1.exe
2392  test1.exe
1352  test1.exe
2120  test1.exe
4416  test1.exe
2064  test1.exe
1736  test1.exe
Drops file in System32 directory (22 IoCs)
description                   ioc                             Process
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   test1.exe
File created                  C:\Windows\SysWOW64\test1.exe   test1.exe
File opened for modification  C:\Windows\SysWOW64\test1.exe   2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
Suspicious use of SetThreadContext (11 IoCs)
description                             pid   Process                                              procid_target
PID 1344 set thread context of 5052     1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 2252 set thread context of 5084     2252  test1.exe                                            83
PID 1456 set thread context of 2304     1456  test1.exe                                            85
PID 3892 set thread context of 4700     3892  test1.exe                                            89
PID 3204 set thread context of 3912     3204  test1.exe                                            97
PID 1700 set thread context of 1984     1700  test1.exe                                            99
PID 2996 set thread context of 2264     2996  test1.exe                                            101
PID 3880 set thread context of 2288     3880  test1.exe                                            103
PID 2392 set thread context of 1352     2392  test1.exe                                            105
PID 2120 set thread context of 4416     2120  test1.exe                                            107
PID 2064 set thread context of 1736     2064  test1.exe                                            109
Drops file in Program Files directory (64 IoCs)
description   ioc                                           Process
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\LimeWire\Shared              2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\KAZAA                        2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
File created  C:\Program Files\eDonkey2000\incoming         2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\Grokster\My Grokster\        2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\eDonkey2000\incoming         test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
File created  C:\Program Files\BearShare\Shared\            test1.exe
File created  C:\Program Files\ICQ\Shared Files\            test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
File created  C:\Program Files\BearShare\Shared\            2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\Morpheus\My Shared Folder\   test1.exe
File created  C:\Program Files\LimeWire\Shared              test1.exe
File created  C:\Program Files\Grokster\My Grokster\        test1.exe
File created  C:\Program Files\KAZAA                        test1.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid   Process
5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
5084  test1.exe
5084  test1.exe
5084  test1.exe
5084  test1.exe
2304  test1.exe
2304  test1.exe
2304  test1.exe
2304  test1.exe
4700  test1.exe
4700  test1.exe
4700  test1.exe
4700  test1.exe
3912  test1.exe
3912  test1.exe
3912  test1.exe
3912  test1.exe
1984  test1.exe
1984  test1.exe
1984  test1.exe
1984  test1.exe
2264  test1.exe
2264  test1.exe
2264  test1.exe
2264  test1.exe
2288  test1.exe
2288  test1.exe
2288  test1.exe
2288  test1.exe
1352  test1.exe
1352  test1.exe
1352  test1.exe
1352  test1.exe
4416  test1.exe
4416  test1.exe
4416  test1.exe
4416  test1.exe
1736  test1.exe
1736  test1.exe
1736  test1.exe
1736  test1.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid   Process                                              procid_target
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 1344 wrote to memory of 5052    1344  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   81
PID 5052 wrote to memory of 3460    5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   56
PID 5052 wrote to memory of 2252    5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   82
PID 5052 wrote to memory of 2252    5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   82
PID 5052 wrote to memory of 2252    5052  2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe   82
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 2252 wrote to memory of 5084    2252  test1.exe                                            83
PID 5084 wrote to memory of 3460    5084  test1.exe                                            56
PID 5084 wrote to memory of 1456    5084  test1.exe                                            84
PID 5084 wrote to memory of 1456    5084  test1.exe                                            84
PID 5084 wrote to memory of 1456    5084  test1.exe                                            84
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 1456 wrote to memory of 2304    1456  test1.exe                                            85
PID 2304 wrote to memory of 3460    2304  test1.exe                                            56
PID 2304 wrote to memory of 3892    2304  test1.exe                                            88
PID 2304 wrote to memory of 3892    2304  test1.exe                                            88
PID 2304 wrote to memory of 3892    2304  test1.exe                                            88
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 3892 wrote to memory of 4700    3892  test1.exe                                            89
PID 4700 wrote to memory of 3460    4700  test1.exe                                            56
PID 4700 wrote to memory of 3204    4700  test1.exe                                            96
PID 4700 wrote to memory of 3204    4700  test1.exe                                            96
PID 4700 wrote to memory of 3204    4700  test1.exe                                            96
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3204 wrote to memory of 3912    3204  test1.exe                                            97
PID 3912 wrote to memory of 3460    3912  test1.exe                                            56
PID 3912 wrote to memory of 1700    3912  test1.exe                                            98
PID 3912 wrote to memory of 1700    3912  test1.exe                                            98
Processes

Each entry is a child of the entry above it; the bracketed number is its depth in the process tree.

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3460

[2] C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1344

[3] C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5052

[4] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1004 "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2252

[5] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5084

[6] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1156 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1456

[7] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2304

[8] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1124 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3892

[9] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4700

[10] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1008 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3204

[11] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3912

[12] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1128 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 1700

[13] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1984

[14] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1116 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2996

[15] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2264

[16] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1128 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 3880

[17] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2288

[18] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1120 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2392

[19] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1352

[20] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1124 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2120

[21] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 4416

[22] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\system32\test1.exe 1124 "C:\Windows\SysWOW64\test1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2064

[23] C:\Windows\SysWOW64\test1.exe
    Command line: C:\Windows\SysWOW64\test1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1736
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 267KB
MD5: 2770949cdb8c3162e0a6ae8eb590b944
SHA1: 58ee985df907f49099997b5ce804c4578f57df4f
SHA256: 6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
SHA512: 9b8c8141e2bf1dc5a816e03c3eaa5b8aa0432e5432e1f8175adb7897cbe6bdac13ea6b9839f4ea12434302d61088f9546c18c63dcd6eec6ea6108580df7403c1