Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/09/2024, 09:14 UTC

General

  • Target

    e4736922939a028384522b17e9406474_JaffaCakes118.exe

  • Size

    92KB

  • MD5

    e4736922939a028384522b17e9406474

  • SHA1

    920b67cb250abdb593b1104a9922e2468b0fe252

  • SHA256

    ede22512ede04120967bd6911576db405462574b7aa03f50d7e0bb343ad3c6b8

  • SHA512

    def5bca8fce23456801cf6115158fffc9a971b969d50df87e8307f577530c5d5a5c392293ac895a4511e096f4be5b56952a3a879ee784115a345c819c03312ef

  • SSDEEP

    1536:WSquE20GQOxAdhxjv8pf6nztHlERSTwNS2rIsRB4S1XuPfwtVEWY9dnRY/3:pzAxSutFu4mSMRVxqfw7D0nRI

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • UPX packed file (11 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
        C:\Users\Admin\AppData\Roaming\AdobeARMS.exe 388 "C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
          "C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2704

Network

  • flag-us
    DNS
    oldschne.mine.nu
    AdobeARMS.exe
    Remote address:
    8.8.8.8:53
    Request
    oldschne.mine.nu
    IN A
    Response
    No results found
  • 8.8.8.8:53
    oldschne.mine.nu
    dns
    AdobeARMS.exe
    62 B
    123 B
    1
    1

    DNS Request

    oldschne.mine.nu

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\AdobeARMS.exe

    Filesize

    92KB

    MD5

    e4736922939a028384522b17e9406474

    SHA1

    920b67cb250abdb593b1104a9922e2468b0fe252

    SHA256

    ede22512ede04120967bd6911576db405462574b7aa03f50d7e0bb343ad3c6b8

    SHA512

    def5bca8fce23456801cf6115158fffc9a971b969d50df87e8307f577530c5d5a5c392293ac895a4511e096f4be5b56952a3a879ee784115a345c819c03312ef

  • memory/1848-20-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1848-8-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1848-7-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1848-9-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1848-1-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1848-4-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1848-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2104-5-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2696-29-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2704-32-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2704-34-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2704-33-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2704-35-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2704-31-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2704-36-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB