Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
07-09-2024 23:36
General
-
Target
d310330ef13f8869ea1701800008ffc0_JaffaCakes118.exe
-
Size
113KB
-
MD5
d310330ef13f8869ea1701800008ffc0
-
SHA1
abdfeba5fe5046006437b8352373dbdee2e25120
-
SHA256
58ebbbd18b52a2575838b6c49c76bf3c1e470f24eea505f47a7e65fde555ff68
-
SHA512
1d6568a83949594c2b1338f13e2a5b95609248e51ae629572a5a2c976fbf73ee9f55d7c3697cb2ddfbf62154c72847fef4e65cdbf529e3264439a4bbc964f1d1
-
SSDEEP
3072:GmmboOJbFdgqt8pCRGy9XqYgqXubbaZ90v5NpXIo:u0OJbFqqOiGyBgqXuvL
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs net.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d310330ef13f8869ea1701800008ffc0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d310330ef13f8869ea1701800008ffc0_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d310330ef13f8869ea1701800008ffc0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d310330ef13f8869ea1701800008ffc0_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\x.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Security Center"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\usb_drv.exe"C:\Windows\usb_drv.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\usb_drv.exe"C:\Windows\usb_drv.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113KB
MD5d310330ef13f8869ea1701800008ffc0
SHA1abdfeba5fe5046006437b8352373dbdee2e25120
SHA25658ebbbd18b52a2575838b6c49c76bf3c1e470f24eea505f47a7e65fde555ff68
SHA5121d6568a83949594c2b1338f13e2a5b95609248e51ae629572a5a2c976fbf73ee9f55d7c3697cb2ddfbf62154c72847fef4e65cdbf529e3264439a4bbc964f1d1
-
Filesize
53B
MD5e6ed7be2b9572503f07663ca6e53759f
SHA17ad80bd38f2a27e06c111b551c76ad0a0585c194
SHA256b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9
SHA512e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
4KB