Analysis
  max time kernel:  140s
  max time network: 124s
  platform:         windows7_x64
  resource:         win7-20240705-en
  resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:        06-07-2024 10:49
Static task: static1

Behavioral task: behavioral1
  Sample:   2845f330dde45ee528384e37f4826885_JaffaCakes118.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample:   2845f330dde45ee528384e37f4826885_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
  Target: 2845f330dde45ee528384e37f4826885_JaffaCakes118.exe
  Size:   250KB
  MD5:    2845f330dde45ee528384e37f4826885
  SHA1:   5d6aa18e6af5cd5a02048802f0345b54ba7fe250
  SHA256: d38cfc73f632ad49cd23775b6030f4744ab5b485f7591b468553a0d21fa60d2d
  SHA512: 4e91596b66e43acd7b5ded1f5c0727b06e87975c6a35d84bb6cae220e60f90eff83074dba6d8c1cf0542734fa39cf17ec33a0fc652221fce1b253f7dbe5b283b
  SSDEEP: 6144:QQz2C+7C1+QjkEPeIFhr9jlIRscmExWhoCq:32CWC1feIFr6gExW4
Malware Config
  Extracted
    Family:  metasploit
    Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

YARA rule matches (7 memory regions)
  resource                                                                        yara_rule
  behavioral1/memory/2676-4-0x0000000000400000-0x0000000000467000-memory.dmp      upx
  behavioral1/memory/2676-9-0x0000000000400000-0x0000000000467000-memory.dmp      upx
  behavioral1/memory/2676-8-0x0000000000400000-0x0000000000467000-memory.dmp      upx
  behavioral1/memory/2676-6-0x0000000000400000-0x0000000000467000-memory.dmp      upx
  behavioral1/memory/2676-5-0x0000000000400000-0x0000000000467000-memory.dmp      upx
  behavioral1/memory/2676-2-0x0000000000400000-0x0000000000467000-memory.dmp      upx
  behavioral1/memory/2676-11-0x0000000000400000-0x0000000000467000-memory.dmp     upx

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process                                              procid_target
  PID 2136 set thread context of 2676    2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30

Program crash (1 IoC)
  pid   pid_target  Process        procid_target
  2700  2676        WerFault.exe   30

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                              procid_target
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2136 wrote to memory of 2676     2136  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   30
  PID 2676 wrote to memory of 2700     2676  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   31
  PID 2676 wrote to memory of 2700     2676  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   31
  PID 2676 wrote to memory of 2700     2676  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   31
  PID 2676 wrote to memory of 2700     2676  2845f330dde45ee528384e37f4826885_JaffaCakes118.exe   31
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2845f330dde45ee528384e37f4826885_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2845f330dde45ee528384e37f4826885_JaffaCakes118.exe"
    PID: 2136
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\2845f330dde45ee528384e37f4826885_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\2845f330dde45ee528384e37f4826885_JaffaCakes118.exe"
      PID: 2676
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 140
        PID: 2700
        - Program crash