Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 07:29 UTC
Behavioral task
behavioral1
Sample
e448c3328c9b70172469186858b16e08_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e448c3328c9b70172469186858b16e08_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e448c3328c9b70172469186858b16e08_JaffaCakes118.exe
-
Size
11KB
-
MD5
e448c3328c9b70172469186858b16e08
-
SHA1
bd8d332c62e4402d30a5b6dd2dc9c40c9b589281
-
SHA256
bbb7122d529b9c0393a45114b482495eddf00463b852738ccd7e002dfbabecb1
-
SHA512
3ae041cbb37752348957f1d4cb2c09af7db961968192576bb529e72d62d8764da4d740cd6a9720aa1f20ced781dc1c954a23da6a396d85c5ead965d6ea1e89ce
-
SSDEEP
12:VtGSGK4d//UHwGlIFWVd2UROmDvOF5+4aF90exkJemIgY2GulBM5B:VtGStCOlhF9Dvk5SP0L/bG1B
Malware Config
Extracted
metasploit
windows/reverse_nonx_tcp
10.216.64.64:4444
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2192 2180 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e448c3328c9b70172469186858b16e08_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2192 2180 e448c3328c9b70172469186858b16e08_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2192 2180 e448c3328c9b70172469186858b16e08_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2192 2180 e448c3328c9b70172469186858b16e08_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2192 2180 e448c3328c9b70172469186858b16e08_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\e448c3328c9b70172469186858b16e08_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e448c3328c9b70172469186858b16e08_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 362⤵
- Program crash
PID:2192
-