Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2024 02:22
Static task
static1
Behavioral task
behavioral1
Sample
e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe
-
Size
48KB
-
MD5
e824a73d88b9765985521ab74290a3b9
-
SHA1
342f0a37383772bb20eccaea65052afb1ccfea79
-
SHA256
b7b961f0673317cae29397cb520b1ed6bb3d152586b906fca98c0d309a5c24b4
-
SHA512
6cd932d3f637faeeead687f06e794d8c5417cebf5bb8ff128e3ca7513ed2fbd861bc56a80f5d4a5d340b7baa8c63539a384d5f5c5a8096377fb4a3e8a3497e2c
-
SSDEEP
768:Xt8aSHlCO0Ffbsfd0o/IZmtsQF+hYVhiBqrFx0oaaFa5DO42k9nK6FdM3SLBp:XyaNth2gstsqCza4pUqK6eYBp
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\wrdrive32.exe" e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2208 wrdrive32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\wrdrive32.exe" e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\wrdrive32.exe e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe File opened for modification C:\Windows\wrdrive32.exe e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe File created C:\Windows\%windir%\lfffile32.log wrdrive32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wrdrive32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5008 wrote to memory of 2208 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe 82 PID 5008 wrote to memory of 2208 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe 82 PID 5008 wrote to memory of 2208 5008 e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\wrdrive32.exe"C:\Windows\wrdrive32.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2208
-
Network
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsssssss.devhoster.comIN AResponsesssssss.devhoster.comIN A13.248.169.48sssssss.devhoster.comIN A76.223.54.146
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.143.123.92.in-addr.arpaIN PTRResponse240.143.123.92.in-addr.arpaIN PTRa92-123-143-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
67 B 99 B 1 1
DNS Request
sssssss.devhoster.com
DNS Response
13.248.169.4876.223.54.146
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
240.143.123.92.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5e824a73d88b9765985521ab74290a3b9
SHA1342f0a37383772bb20eccaea65052afb1ccfea79
SHA256b7b961f0673317cae29397cb520b1ed6bb3d152586b906fca98c0d309a5c24b4
SHA5126cd932d3f637faeeead687f06e794d8c5417cebf5bb8ff128e3ca7513ed2fbd861bc56a80f5d4a5d340b7baa8c63539a384d5f5c5a8096377fb4a3e8a3497e2c