Analysis
-
max time kernel
148s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-09-2024 10:43
General
-
Target
dc35ba5ad019f27749e2be7ebaae59d9_JaffaCakes118.exe
-
Size
92KB
-
MD5
dc35ba5ad019f27749e2be7ebaae59d9
-
SHA1
01b12273875660edaf26d56717305e31d52a3870
-
SHA256
dee584a7639cf59fe152467a2b7487555065f9bfc4b424bfd3e2e7264d9bc331
-
SHA512
0c0f3a5e58db1a3686700ce3f87f16d6e198600136a74faadd2486f25ce0b0486ccf6f5e76abdb6e6e8f956ff410469a7227133b4b7b69db0795d4db11c218d5
-
SSDEEP
1536:1eijpGXn9Ae8zSnZQAPZmg/mLRQCUwljFf+NDHR:QijpfSnZ16LRjtl+R
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc35ba5ad019f27749e2be7ebaae59d9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dc35ba5ad019f27749e2be7ebaae59d9_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dc35ba5ad019f27749e2be7ebaae59d9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dc35ba5ad019f27749e2be7ebaae59d9_JaffaCakes118.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\widrive32.exe"C:\Windows\widrive32.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\widrive32.exe"C:\Windows\widrive32.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5dc35ba5ad019f27749e2be7ebaae59d9
SHA101b12273875660edaf26d56717305e31d52a3870
SHA256dee584a7639cf59fe152467a2b7487555065f9bfc4b424bfd3e2e7264d9bc331
SHA5120c0f3a5e58db1a3686700ce3f87f16d6e198600136a74faadd2486f25ce0b0486ccf6f5e76abdb6e6e8f956ff410469a7227133b4b7b69db0795d4db11c218d5
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB