Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
18-09-2024 18:37
General
-
Target
e9bd66c8df9cdcb8690146cd59c74f6c_JaffaCakes118.exe
-
Size
84KB
-
MD5
e9bd66c8df9cdcb8690146cd59c74f6c
-
SHA1
10cb2be5c94ede12115d7c2e2ee82c523185b00d
-
SHA256
49f2c1872bdc6bf4524f87016ee0e7f9a5b23e75dee49c2638c08c37236605c8
-
SHA512
878be14d2433e698073aba39e98546e397b0bc3278fb4335bdb6bb550ec839a5cac51a4efa59376c43d0fc4f48aa1b55630a9b27251258447e5bf2539f093774
-
SSDEEP
1536:u4EQphu7av/vZ91jv/97UyX5EQCUwljFf+NDHA:u6ruWv/71pwyX5Ejtl+A
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9bd66c8df9cdcb8690146cd59c74f6c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e9bd66c8df9cdcb8690146cd59c74f6c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e9bd66c8df9cdcb8690146cd59c74f6c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e9bd66c8df9cdcb8690146cd59c74f6c_JaffaCakes118.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\widrive32.exe"C:\Windows\widrive32.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\widrive32.exe"C:\Windows\widrive32.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD5e9bd66c8df9cdcb8690146cd59c74f6c
SHA110cb2be5c94ede12115d7c2e2ee82c523185b00d
SHA25649f2c1872bdc6bf4524f87016ee0e7f9a5b23e75dee49c2638c08c37236605c8
SHA512878be14d2433e698073aba39e98546e397b0bc3278fb4335bdb6bb550ec839a5cac51a4efa59376c43d0fc4f48aa1b55630a9b27251258447e5bf2539f093774
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB