Analysis
  max time kernel:   147s
  max time network:  152s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         30-10-2024 12:07
Static task
  static1

Behavioral task
  behavioral1
    Sample:   7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
    Resource: win7-20240903-en

Behavioral task
  behavioral2
    Sample:   7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
    Resource: win10v2004-20241007-en
General
  Target:  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
  Size:    168KB
  MD5:     7f25dcb0bfd074a36dd11120167443b7
  SHA1:    3763bd3bf295a9a4244a7f82aaa94fa70748d279
  SHA256:  b3704fffcc57e829bce69086371f497de31499d8c2d9ff06ce86a3f1c2c014b2
  SHA512:  e3314935c8aca7b4532cde1d2c1cc3bc0c662a5bd038c40bc12bfb09ea99fcefeb3570c319b3b9abedaf851bfa15db8cbfc6482ad3290b7645f8c4bc938e7839
  SSDEEP:  3072:dCADZrCf5So78VnkTfDdofYRxYv0sSpMU4HBWsN+oWFcgz7xpM:gOrCyVkmSh4H5MoWFjdpM

Malware Config
  Extracted
    metasploit
    encoder/call4_dword_xor
Signatures

  MetaSploit
    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  Metasploit family
  Executes dropped EXE (2 IoCs)
    Processes:
      PID   Process
      1064  repsvc.exe
      4152  repsvc.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    Processes:
      Description: Set value (str)
      IoC:         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "repsvc.exe"
      Process:     7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
  Drops file in System32 directory (4 IoCs)
    Processes:
      Description                   IoC                             Process
      File opened for modification  C:\Windows\SysWOW64\repsvc.exe  repsvc.exe
      File created                  C:\Windows\SysWOW64\repsvc.exe  repsvc.exe
      File created                  C:\Windows\SysWOW64\repsvc.exe  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
      File opened for modification  C:\Windows\SysWOW64\repsvc.exe  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
  Suspicious use of SetThreadContext (2 IoCs)
    Processes:
      Description                            PID   Process                                              Target process
      PID 3236 set thread context of 116     3236  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
      PID 1064 set thread context of 4152    1064  repsvc.exe                                           repsvc.exe
    Processes:
      Resource                                                                  YARA rule
      behavioral2/memory/116-2-0x0000000000400000-0x000000000045E000-memory.dmp    upx
      behavioral2/memory/116-4-0x0000000000400000-0x000000000045E000-memory.dmp    upx
      behavioral2/memory/116-5-0x0000000000400000-0x000000000045E000-memory.dmp    upx
      behavioral2/memory/116-16-0x0000000000400000-0x000000000045E000-memory.dmp   upx
      behavioral2/memory/4152-21-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-20-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-23-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-27-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-28-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-29-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-30-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-31-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-32-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-33-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-34-0x0000000000400000-0x000000000045E000-memory.dmp  upx
      behavioral2/memory/4152-36-0x0000000000400000-0x000000000045E000-memory.dmp  upx
  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Processes:
      Description  IoC                                                          Process
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  repsvc.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  repsvc.exe
  Suspicious use of SetWindowsHookEx (2 IoCs)
    Processes:
      PID   Process
      3236  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
      1064  repsvc.exe
  Suspicious use of WriteProcessMemory (19 IoCs)
    Processes:
      Description                        PID   Process                                              Target process                                       Entries
      PID 3236 wrote to memory of 116    3236  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe  7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe  8
      PID 116 wrote to memory of 1064    116   7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe  repsvc.exe                                           3
      PID 1064 wrote to memory of 4152   1064  repsvc.exe                                           repsvc.exe                                           8
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe"
      PID: 3236
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7f25dcb0bfd074a36dd11120167443b7_JaffaCakes118.exe"
        PID: 116
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\repsvc.exe
          Command line: "C:\Windows\system32\repsvc.exe"
          PID: 1064
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\SysWOW64\repsvc.exe
            Command line: "C:\Windows\SysWOW64\repsvc.exe"
            PID: 4152
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15