Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 09:14 UTC
Static task
static1
Behavioral task
behavioral1
Sample
e4736922939a028384522b17e9406474_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4736922939a028384522b17e9406474_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e4736922939a028384522b17e9406474_JaffaCakes118.exe
-
Size
92KB
-
MD5
e4736922939a028384522b17e9406474
-
SHA1
920b67cb250abdb593b1104a9922e2468b0fe252
-
SHA256
ede22512ede04120967bd6911576db405462574b7aa03f50d7e0bb343ad3c6b8
-
SHA512
def5bca8fce23456801cf6115158fffc9a971b969d50df87e8307f577530c5d5a5c392293ac895a4511e096f4be5b56952a3a879ee784115a345c819c03312ef
-
SSDEEP
1536:WSquE20GQOxAdhxjv8pf6nztHlERSTwNS2rIsRB4S1XuPfwtVEWY9dnRY/3:pzAxSutFu4mSMRVxqfw7D0nRI
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 2 IoCs
pid Process 2696 AdobeARMS.exe 2704 AdobeARMS.exe -
Loads dropped DLL 3 IoCs
pid Process 1848 e4736922939a028384522b17e9406474_JaffaCakes118.exe 1848 e4736922939a028384522b17e9406474_JaffaCakes118.exe 2696 AdobeARMS.exe -
resource yara_rule behavioral1/memory/1848-8-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1848-7-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1848-9-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1848-4-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1848-20-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2704-32-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2704-34-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2704-33-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2704-35-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2704-31-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2704-36-0x0000000000400000-0x000000000048C000-memory.dmp upx -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1" e4736922939a028384522b17e9406474_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe" e4736922939a028384522b17e9406474_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "\\AdobeARMS.exe" AdobeARMS.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe" AdobeARMS.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2104 set thread context of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 2696 set thread context of 2704 2696 AdobeARMS.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdobeARMS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4736922939a028384522b17e9406474_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4736922939a028384522b17e9406474_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2104 wrote to memory of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 2104 wrote to memory of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 2104 wrote to memory of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 2104 wrote to memory of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 2104 wrote to memory of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 2104 wrote to memory of 1848 2104 e4736922939a028384522b17e9406474_JaffaCakes118.exe 30 PID 1848 wrote to memory of 2696 1848 e4736922939a028384522b17e9406474_JaffaCakes118.exe 31 PID 1848 wrote to memory of 2696 1848 e4736922939a028384522b17e9406474_JaffaCakes118.exe 31 PID 1848 wrote to memory of 2696 1848 e4736922939a028384522b17e9406474_JaffaCakes118.exe 31 PID 1848 wrote to memory of 2696 1848 e4736922939a028384522b17e9406474_JaffaCakes118.exe 31 PID 2696 wrote to memory of 2704 2696 AdobeARMS.exe 32 PID 2696 wrote to memory of 2704 2696 AdobeARMS.exe 32 PID 2696 wrote to memory of 2704 2696 AdobeARMS.exe 32 PID 2696 wrote to memory of 2704 2696 AdobeARMS.exe 32 PID 2696 wrote to memory of 2704 2696 AdobeARMS.exe 32 PID 2696 wrote to memory of 2704 2696 AdobeARMS.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\AppData\Roaming\AdobeARMS.exeC:\Users\Admin\AppData\Roaming\AdobeARMS.exe 388 "C:\Users\Admin\AppData\Local\Temp\e4736922939a028384522b17e9406474_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2704
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5e4736922939a028384522b17e9406474
SHA1920b67cb250abdb593b1104a9922e2468b0fe252
SHA256ede22512ede04120967bd6911576db405462574b7aa03f50d7e0bb343ad3c6b8
SHA512def5bca8fce23456801cf6115158fffc9a971b969d50df87e8307f577530c5d5a5c392293ac895a4511e096f4be5b56952a3a879ee784115a345c819c03312ef