Analysis
-
max time kernel
140s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
18-09-2024 22:37
General
-
Target
ea1948163146fb253f7c28a1afe77f7b_JaffaCakes118.exe
-
Size
239KB
-
MD5
ea1948163146fb253f7c28a1afe77f7b
-
SHA1
19c07b297aa70d25de8bc83cfd80603f7abb3f58
-
SHA256
b2ca8ddbae694c93eef254de36e749cd506d4d50962c284ee1ec7bf59492fd30
-
SHA512
6e15a2120695831e024ad45cf72a85283b137a445d76ba9e6e7c45606af2f79931864cee481ff398bfa10bd2951c41d09618c842ccf51ececfa36179f8525364
-
SSDEEP
6144:txCppZZ8PySTftmck9eCUaAAmlgGgUE42:txCb/af0cpCU9ArGgUO
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 22 IoCs
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 20 IoCs
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Drops file in System32 directory 22 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs net.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea1948163146fb253f7c28a1afe77f7b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea1948163146fb253f7c28a1afe77f7b_JaffaCakes118.exe"1⤵
- Modifies security service
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\ea1948163146fb253f7c28a1afe77f7b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea1948163146fb253f7c28a1afe77f7b_JaffaCakes118.exe"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 988 "C:\Users\Admin\AppData\Local\Temp\ea1948163146fb253f7c28a1afe77f7b_JaffaCakes118.exe"3⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1140 "C:\Windows\SysWOW64\svhost.exe"5⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1108 "C:\Windows\SysWOW64\svhost.exe"7⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1108 "C:\Windows\SysWOW64\svhost.exe"9⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1108 "C:\Windows\SysWOW64\svhost.exe"11⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc13⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess13⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1112 "C:\Windows\SysWOW64\svhost.exe"13⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc14⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc15⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess14⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess15⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1108 "C:\Windows\SysWOW64\svhost.exe"15⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc17⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess17⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"16⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1108 "C:\Windows\SysWOW64\svhost.exe"17⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1108 "C:\Windows\SysWOW64\svhost.exe"19⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc21⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess21⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svhost.exeC:\Windows\system32\svhost.exe 1096 "C:\Windows\SysWOW64\svhost.exe"21⤵
- Modifies security service
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop wscsvc22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc23⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SharedAccess22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess23⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svhost.exe"C:\Windows\SysWOW64\svhost.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
239KB
MD5ea1948163146fb253f7c28a1afe77f7b
SHA119c07b297aa70d25de8bc83cfd80603f7abb3f58
SHA256b2ca8ddbae694c93eef254de36e749cd506d4d50962c284ee1ec7bf59492fd30
SHA5126e15a2120695831e024ad45cf72a85283b137a445d76ba9e6e7c45606af2f79931864cee481ff398bfa10bd2951c41d09618c842ccf51ececfa36179f8525364
-
Filesize
265KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
265KB
-
Filesize
265KB
-
Filesize
265KB
-
Filesize
728KB
-
Filesize
265KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
728KB