Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04-11-2024 01:12
General
-
Target
8e6a5d2c1b4aad1715259f4fa34f2100_JaffaCakes118.exe
-
Size
172KB
-
MD5
8e6a5d2c1b4aad1715259f4fa34f2100
-
SHA1
d69b077fbaf8df7c3f129a0adc058344fe9bf1ea
-
SHA256
36d4b1a93eb843d9475f0cd55d1f3775ad327fad7244eb8e9d11baafca9cc7e3
-
SHA512
9a24afd494dcb4a03ad0638928da5efcc84f83629f2e01582f65a5e5cd9b274664dea2fa555d0c32e75fdb7f8dc3da9247a44b3b5593914641fea020a13fb9e8
-
SSDEEP
3072:oSZh+mB1+HuhQjuyoN+ke4HBFhbag6N72w1Tzsy6Haoa8UAERxkj:rntwqQju9vzW+Kd8Ulq
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 33 IoCs
-
Loads dropped DLL 33 IoCs
-
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 51 IoCs
-
Suspicious use of SetThreadContext 17 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e6a5d2c1b4aad1715259f4fa34f2100_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e6a5d2c1b4aad1715259f4fa34f2100_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8e6a5d2c1b4aad1715259f4fa34f2100_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e6a5d2c1b4aad1715259f4fa34f2100_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\8E6A5D~1.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\8E6A5D~1.EXE4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe35⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD58e6a5d2c1b4aad1715259f4fa34f2100
SHA1d69b077fbaf8df7c3f129a0adc058344fe9bf1ea
SHA25636d4b1a93eb843d9475f0cd55d1f3775ad327fad7244eb8e9d11baafca9cc7e3
SHA5129a24afd494dcb4a03ad0638928da5efcc84f83629f2e01582f65a5e5cd9b274664dea2fa555d0c32e75fdb7f8dc3da9247a44b3b5593914641fea020a13fb9e8
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
408KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB