Analysis
-
max time kernel
146s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04-11-2024 04:07
General
-
Target
8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe
-
Size
760KB
-
MD5
8f128e6c0c42bd73084daf6f42e79663
-
SHA1
26c5ebb8f7394f8d9a46b7b5cc13fddcdb786535
-
SHA256
06d0053abd5c3b62b77f18d22db7bb4646e26c1433cfbdfe76747195c23d5654
-
SHA512
229b8e7a5b1bcef6227dc9158b873730ce31e4e719861d1b63874c4f974a08e322e9622d70cd4e04a776a3001a356681edd093770762d18f84f77908b6a9b391
-
SSDEEP
12288:Yc4HGMupg4/8gsJwI7hJiCc9NNfftsAd/cYbQQNWQvviR1qxYNpl/RF0k3hf1Q5l:H4HGPyRdozvtryiQQNN3iR1n7HNhf1QH
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies security service 2 TTPs 20 IoCs
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 20 IoCs
-
Loads dropped DLL 21 IoCs
-
Drops file in System32 directory 22 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Runs .reg file with regedit 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe"2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 704 "C:\Users\Admin\AppData\Local\Temp\8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 704 "C:\Users\Admin\AppData\Local\Temp\8f128e6c0c42bd73084daf6f42e79663_JaffaCakes118.exe"4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 760 "C:\Windows\SysWOW64\msnmsgr.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 760 "C:\Windows\SysWOW64\msnmsgr.exe"6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 784 "C:\Windows\SysWOW64\msnmsgr.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 784 "C:\Windows\SysWOW64\msnmsgr.exe"8⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 796 "C:\Windows\SysWOW64\msnmsgr.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 796 "C:\Windows\SysWOW64\msnmsgr.exe"10⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 800 "C:\Windows\SysWOW64\msnmsgr.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 800 "C:\Windows\SysWOW64\msnmsgr.exe"12⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg14⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 816 "C:\Windows\SysWOW64\msnmsgr.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 816 "C:\Windows\SysWOW64\msnmsgr.exe"14⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg16⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 828 "C:\Windows\SysWOW64\msnmsgr.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 828 "C:\Windows\SysWOW64\msnmsgr.exe"16⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg18⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 840 "C:\Windows\SysWOW64\msnmsgr.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 840 "C:\Windows\SysWOW64\msnmsgr.exe"18⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat19⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg20⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 856 "C:\Windows\SysWOW64\msnmsgr.exe"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 856 "C:\Windows\SysWOW64\msnmsgr.exe"20⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat21⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg22⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 860 "C:\Windows\SysWOW64\msnmsgr.exe"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\msnmsgr.exeC:\Windows\system32\msnmsgr.exe 860 "C:\Windows\SysWOW64\msnmsgr.exe"22⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg24⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
113B
MD5afc13e8e2c91750aa13411f1140dbc42
SHA15326b2ca31963b5255b29036be41e9963b69026b
SHA2566a6e2bde5b3dd045670a3285c0a93924e1539bb417c3f443974399a236b6b7fa
SHA512cb3c8f8ff61234158cdb9ea4b0d03aec8b19620ae0fb301ba5f3a600552660c61c71c1ea3c97b02028cda61aca9ef5dbf58bd82b63608fba183c6ad821aa892f
-
Filesize
113B
MD5aa748ff89963b46055f4d3b408a7038c
SHA19b1eb849ed1a8afce9b7efbf66390e3452d47935
SHA256268d5ce94fafee1309616ff6a1a46418d33189575542092773cd8ef4682295e6
SHA512e6b498cc5f642886fecf46e32acd0edeb11f08b8f1c4a4781b3a1999d2df8a013e2272e5670eb952b3f3bcd2ed489af0b582acf47eb315115e34b5a4137318a6
-
Filesize
113B
MD525f42764207610cf62c8900674cddd0e
SHA109a5f673645cba2af4f609580934bae7d46c5d3a
SHA2562885c7f4c965ebaf1f39941e1b4e690dfd03e2c06fbaad5fc43e6866e2550ce2
SHA512db346fe457d902996bc0ec54b33afdf840d2da0c0d033f5589dab0a63cfe5ece5be5f78834ba3d4da432965ea294568ca66e7ab8a788ad0042bc12cf75efca61
-
Filesize
113B
MD596e56219bfccbc3cd1e550d061cd9b8e
SHA10b92e1ce8dfa6ac1a98a61597bef858263844b69
SHA256dc16b31308ffecd9e945806345d2115e26562e118b2bf40a2e80e5c3347ab940
SHA5120fb95ec1ee74dacdc4520a554dc083c13e24772d079bdaa54b846f11f00b6f1c958861c21c942b3ce0cad1f4751a024086ec3fd587d693dc451b757283cfe256
-
Filesize
113B
MD5dd2c352787f6c3bdec125fd124199677
SHA1ecd79f83acbf9a42743ad8d057626ebe3bec6c64
SHA25654f7ce75d0fe9dcabb609a3bd5d0383c2d5fda062667caea56f3bbe386a44eb5
SHA512021b1e2f1c2512423e0394154a24d98dbfe6243252795a3ae55f8c6afd4ec629b803b853ddda14ba6fca3be6c692c660a794037a67ac65d749dce6b0f8a28ed9
-
Filesize
113B
MD566e9d5caf98bbefaf93368644ca24a78
SHA12c6abf79a2ae5ce191d493de99901190209166d7
SHA2565c0616031499df9ee9159e3896d158c06107ac2cd0b6211832d220516bee4970
SHA512622d0d5523d7def5190a12017d2583860181f08082e36ad55286ef8f6d9d9f0245949a0f88706bb8cf0bf17565a3dd14622329775cd83bfb3a3ec2c549e61ba7
-
Filesize
113B
MD5b2c2b930b0d0fc38d7619d6fb03efe66
SHA107e90789ab7ae9a33d8492d4356e90b8085e2fc4
SHA256b4cfc5f80755558872803d4948bc1684060a70d1f56d2627a0239c47ee2b7462
SHA512a9f56c3ae0278ab217eb7a5448e7f4649040a0f5c84b7ceeda93fb382cefbc71fc3f72f48da2d9605b2153bd09094917646d68d3a994cf8c055e7a94c9f0a022
-
Filesize
113B
MD506ec8d15994d80e9105ff2b88d721865
SHA19ce21a0e02c7896eefc6c3167916236047a16ba2
SHA2565e80d4b78e84c4fa8270410f800afbf50a530507b45b47dcb628380476ce5193
SHA512e85403ed7b823501ed1912922cfb408dc7e8c97d9c1c9d8f8c90f38971257e06d91c2bd70904d8f202f799cff3454d7a557f0f73971e9adfe9bdb452e59661dc
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
760KB
MD58f128e6c0c42bd73084daf6f42e79663
SHA126c5ebb8f7394f8d9a46b7b5cc13fddcdb786535
SHA25606d0053abd5c3b62b77f18d22db7bb4646e26c1433cfbdfe76747195c23d5654
SHA512229b8e7a5b1bcef6227dc9158b873730ce31e4e719861d1b63874c4f974a08e322e9622d70cd4e04a776a3001a356681edd093770762d18f84f77908b6a9b391
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
596KB
-
Filesize
2.1MB
-
Filesize
2.1MB