Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
16-09-2024 22:47
General
-
Target
e5b44088941e2fe5ec8f8e160d7c5f11_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
e5b44088941e2fe5ec8f8e160d7c5f11
-
SHA1
d8dc8fb855eaaa35e6c4bd84fdb8ac42450ee2d7
-
SHA256
235ca0544fcf3f022b2939f2b3c0f81aee82e888b9d764ab8d22fe1ed0f13248
-
SHA512
0eac3fc40fe0055348aab7ea1d3ec39ebf051786acda53f1f3feeda73eafc2999d8428ee83ed7ae892240d6f65e57e583df63c45783104f37a41ca4561d4d435
-
SSDEEP
24576:/Mz40YtokrysuW6xWAnij/m/zjFFtjxJDjTX7eQ5AlKO8eb47IqM6r:kE0YtokrXYnij/mLdjxJvvL5Alx8eb43
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 20 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 20 IoCs
-
Themida packer 29 IoCs
Detects Themida, an advanced Windows software protection system.
-
Drops file in System32 directory 22 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs .reg file with regedit 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5b44088941e2fe5ec8f8e160d7c5f11_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e5b44088941e2fe5ec8f8e160d7c5f11_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 664 "C:\Users\Admin\AppData\Local\Temp\e5b44088941e2fe5ec8f8e160d7c5f11_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 708 "C:\Windows\SysWOW64\wiunpdate"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 720 "C:\Windows\SysWOW64\wiunpdate"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 728 "C:\Windows\SysWOW64\wiunpdate"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 732 "C:\Windows\SysWOW64\wiunpdate"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 736 "C:\Windows\SysWOW64\wiunpdate"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 740 "C:\Windows\SysWOW64\wiunpdate"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 744 "C:\Windows\SysWOW64\wiunpdate"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 748 "C:\Windows\SysWOW64\wiunpdate"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\wiunpdateC:\Windows\system32\wiunpdate 752 "C:\Windows\SysWOW64\wiunpdate"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
1KB
MD5748bce4dacebbbd388af154a1df22078
SHA10eeeb108678f819cd437d53b927feedf36aabc64
SHA2561585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
SHA512d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1
-
Filesize
576B
MD58a0897226da780b90c11da0756b361f1
SHA167f813e8733ad75a2147c59cca102a60274daeab
SHA256115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee
SHA51255e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642
-
Filesize
1KB
MD5a57e37dfb6f88b2d04424936ed0b4afb
SHA135e2f81486b8420b88b7693ad3e92f846367cb12
SHA256411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
SHA51241f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448
-
Filesize
574B
MD55020988c301a6bf0c54a293ddf64837c
SHA15b65e689a2988b9a739d53565b2a847f20d70f09
SHA256a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d
SHA512921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf
-
Filesize
478B
MD51a00c84e2e8a76c3caa6c0b89f9f0d6d
SHA12650e962d49c5800edb569ee1b989edc8868d9b9
SHA256f477217e9368c8114de7621c41a01818957dae31140ffd7df2b39705c72543e6
SHA512a5f2f271184ff3bad04dd2135e7d32ca32c2ad24400832ec8a143dcbc20449ede4e06b48479ba93609cb1caf0b41a9143698eafb07b032ebdd609e399d62288c
-
Filesize
1KB
MD5584f47a0068747b3295751a0d591f4ee
SHA17886a90e507c56d3a6105ecdfd9ff77939afa56f
SHA256927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
SHA512ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257
-
Filesize
2KB
MD5fa83299c5a0d8714939977af6bdafa92
SHA146a4abab9b803a7361ab89d0ca000a367550e23c
SHA256f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03
SHA51285e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599
-
Filesize
1KB
MD5908860a865f8ed2e14085e35256578dd
SHA17ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
1.2MB
MD5e5b44088941e2fe5ec8f8e160d7c5f11
SHA1d8dc8fb855eaaa35e6c4bd84fdb8ac42450ee2d7
SHA256235ca0544fcf3f022b2939f2b3c0f81aee82e888b9d764ab8d22fe1ed0f13248
SHA5120eac3fc40fe0055348aab7ea1d3ec39ebf051786acda53f1f3feeda73eafc2999d8428ee83ed7ae892240d6f65e57e583df63c45783104f37a41ca4561d4d435
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
856KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB