Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2024, 15:44

General

  • Target

    e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    e2d4c198cf489e724a91f76f9e3fb00e

  • SHA1

    8661cd99b2fa107d8124cee1740934de248d47bd

  • SHA256

    ff76d34bace404e490aefcc36d341fc63555c0a2f874362be80be7a23ee2f227

  • SHA512

    10d282e99e7c2f24ee9bbfe0acd8feba70384c1892de70046eba1084f4a15cfbbe4d64b0f263cecffdbf3c12c97922b783ddb05052894c41d1f3878731490ef9

  • SSDEEP

    49152:7WKfCRdWutR4D3A1A+hQ88aZQS+asUd91Evw:yKfm4AheMZx+aseKw

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies security service (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    2KB

    MD5

    e6d8af5aed642209c88269bf56af50ae

    SHA1

    633d40da997074dc0ed10938ebc49a3aeb3a7fc8

    SHA256

    550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

    SHA512

    6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\a.bat

    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

  • memory/2520-120-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-116-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-117-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-118-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-119-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-1-0x0000000000401000-0x0000000000422000-memory.dmp

    Filesize

    132KB

  • memory/2520-122-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-123-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-124-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-125-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-126-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-127-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-128-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-129-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-130-0x0000000000400000-0x00000000006C8000-memory.dmp

    Filesize

    2.8MB