Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-09-2024 02:22

General

  • Target

    e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe

  • Size

    48KB

  • MD5

    e824a73d88b9765985521ab74290a3b9

  • SHA1

    342f0a37383772bb20eccaea65052afb1ccfea79

  • SHA256

    b7b961f0673317cae29397cb520b1ed6bb3d152586b906fca98c0d309a5c24b4

  • SHA512

    6cd932d3f637faeeead687f06e794d8c5417cebf5bb8ff128e3ca7513ed2fbd861bc56a80f5d4a5d340b7baa8c63539a384d5f5c5a8096377fb4a3e8a3497e2c

  • SSDEEP

    768:Xt8aSHlCO0Ffbsfd0o/IZmtsQF+hYVhiBqrFx0oaaFa5DO42k9nK6FdM3SLBp:XyaNth2gstsqCza4pUqK6eYBp

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e824a73d88b9765985521ab74290a3b9_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\wrdrive32.exe
      "C:\Windows\wrdrive32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2208

Network

  • DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    sssssss.devhoster.com
    wrdrive32.exe
    Remote address:
    8.8.8.8:53
    Request
    sssssss.devhoster.com
    IN A
    Response
    sssssss.devhoster.com
    IN A
    13.248.169.48
    sssssss.devhoster.com
    IN A
    76.223.54.146
  • DNS
    25.140.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.140.123.92.in-addr.arpa
    IN PTR
    Response
    25.140.123.92.in-addr.arpa
    IN PTR
    a92-123-140-25.deploy.static.akamaitechnologies.com
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240.deploy.static.akamaitechnologies.com
  • DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 13.248.169.48:6971
    sssssss.devhoster.com
    wrdrive32.exe
    260 B
    5
  • 13.248.169.48:6971
    sssssss.devhoster.com
    wrdrive32.exe
    260 B
    5
  • 13.248.169.48:6971
    sssssss.devhoster.com
    wrdrive32.exe
    260 B
    5
  • 13.248.169.48:6971
    sssssss.devhoster.com
    wrdrive32.exe
    260 B
    5
  • 13.248.169.48:6971
    sssssss.devhoster.com
    wrdrive32.exe
    260 B
    5
  • 13.248.169.48:6971
    sssssss.devhoster.com
    wrdrive32.exe
    208 B
    4
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    sssssss.devhoster.com
    dns
    wrdrive32.exe
    67 B
    99 B
    1
    1

    DNS Request

    sssssss.devhoster.com

    DNS Response

    13.248.169.48
    76.223.54.146

  • 8.8.8.8:53
    25.140.123.92.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    25.140.123.92.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\wrdrive32.exe

    Filesize

    48KB

    MD5

    e824a73d88b9765985521ab74290a3b9

    SHA1

    342f0a37383772bb20eccaea65052afb1ccfea79

    SHA256

    b7b961f0673317cae29397cb520b1ed6bb3d152586b906fca98c0d309a5c24b4

    SHA512

    6cd932d3f637faeeead687f06e794d8c5417cebf5bb8ff128e3ca7513ed2fbd861bc56a80f5d4a5d340b7baa8c63539a384d5f5c5a8096377fb4a3e8a3497e2c

  • memory/2208-16-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2208-8-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2208-9-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2208-13-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2208-19-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2208-22-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2208-25-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/5008-2-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/5008-1-0x0000000002240000-0x000000000229D000-memory.dmp

    Filesize

    372KB

  • memory/5008-12-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/5008-11-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/5008-0-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB
