Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-12-2024 08:38
General
-
Target
bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
-
Size
154KB
-
MD5
bc94aaa11cb54dcf3c211af470b7ba4c
-
SHA1
8c3dbc8108ba0d2e36339286feea7d484550e48d
-
SHA256
ef354f62f14cc9a691116807f73fab18a1ec3033c7dc415e701066b03d82e9fd
-
SHA512
6b00faca670f989345da92ddd00580c2d637ffdb35258b799bbe43fd56fc74368ab9852d649823f73fd0809068a99ab8e9fc2f8a42e01f38026bedb52795865e
-
SSDEEP
3072:UjvopcI+YF+S+18Mwd/aujCuaa+HTNZob5y4KUxuX7FYvk5MN:UjYF+W7a3uHU6y4KBX7S85G
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 33 IoCs
-
Drops file in System32 directory 34 IoCs
-
Suspicious use of SetThreadContext 16 IoCs
-
UPX packed file 47 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 17 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Users\Admin\AppData\Local\Temp\BC94AA~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Users\Admin\AppData\Local\Temp\BC94AA~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\winupd01.exe"C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
154KB
MD5bc94aaa11cb54dcf3c211af470b7ba4c
SHA18c3dbc8108ba0d2e36339286feea7d484550e48d
SHA256ef354f62f14cc9a691116807f73fab18a1ec3033c7dc415e701066b03d82e9fd
SHA5126b00faca670f989345da92ddd00580c2d637ffdb35258b799bbe43fd56fc74368ab9852d649823f73fd0809068a99ab8e9fc2f8a42e01f38026bedb52795865e
-
Filesize
396KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
780KB
-
Filesize
780KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
780KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
780KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB