Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2024 02:04
Static task
static1
Behavioral task
behavioral1
Sample
ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe
-
Size
263KB
-
MD5
ca82637cd4c3c64d76d47d15af8c6f39
-
SHA1
c69bbd902ca603bf0eb3692591045019abbc94b7
-
SHA256
ea408464db74adbe3aa2dfc86a9d247a034e34d2b170b53a00ea3e052c5f6ca1
-
SHA512
10cb28005dc304562773269329a04d6ebba9dac67fb40f221aee54550df8d6ed742acb1cfb06cabb7d116d83a4f11b2865fc1cc291293f7e4897c64ac55fbbc7
-
SSDEEP
6144:UB9MqnBy2n0wcfMMRcJc7FIaQbuA1uk5v2C/2YK:UHXE2n0w+cJc2Ik5vZB
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications igfxsb86.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxsb86.exe = "C:\\Windows\\SysWOW64\\igfxsb86.exe:*:Enabled:Intel Service Driver" igfxsb86.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List igfxsb86.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile igfxsb86.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications igfxsb86.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxsb86.exe = "C:\\Windows\\SysWOW64\\igfxsb86.exe:*:Enabled:Intel Service Driver" igfxsb86.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List igfxsb86.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile igfxsb86.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 1236 igfxsb86.exe -
Executes dropped EXE 2 IoCs
pid Process 1492 igfxsb86.exe 1236 igfxsb86.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Service Driver = "C:\\Windows\\SysWOW64\\igfxsb86.exe" igfxsb86.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxsb86.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxsb86.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\igfxsb86.exe ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe File created C:\Windows\SysWOW64\igfxsb86.exe ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ igfxsb86.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3556 set thread context of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 1492 set thread context of 1236 1492 igfxsb86.exe 86 -
resource yara_rule behavioral2/memory/3620-0-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/3620-2-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/3620-3-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/3620-4-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/1236-42-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/3620-44-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/1236-46-0x0000000000400000-0x0000000000452000-memory.dmp upx behavioral2/memory/1236-47-0x0000000000400000-0x0000000000452000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxsb86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxsb86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 1236 igfxsb86.exe 1236 igfxsb86.exe 1236 igfxsb86.exe 1236 igfxsb86.exe 1236 igfxsb86.exe 1236 igfxsb86.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3556 wrote to memory of 3620 3556 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 83 PID 3620 wrote to memory of 1492 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 85 PID 3620 wrote to memory of 1492 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 85 PID 3620 wrote to memory of 1492 3620 ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe 85 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1492 wrote to memory of 1236 1492 igfxsb86.exe 86 PID 1236 wrote to memory of 3436 1236 igfxsb86.exe 56 PID 1236 wrote to memory of 3436 1236 igfxsb86.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe"3⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\igfxsb86.exe"C:\Windows\SysWOW64\igfxsb86.exe" C:\Users\Admin\AppData\Local\Temp\CA8263~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\igfxsb86.exe"C:\Windows\SysWOW64\igfxsb86.exe" C:\Users\Admin\AppData\Local\Temp\CA8263~1.EXE5⤵
- Modifies firewall policy service
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236
-
-
-
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestxe-0-7-0.level4-co2-as30938.suIN AResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
0.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
76 B 137 B 1 1
DNS Request
xe-0-7-0.level4-co2-as30938.su
-
140 B 144 B 2 1
DNS Request
58.55.71.13.in-addr.arpa
DNS Request
58.55.71.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ca82637cd4c3c64d76d47d15af8c6f39
SHA1c69bbd902ca603bf0eb3692591045019abbc94b7
SHA256ea408464db74adbe3aa2dfc86a9d247a034e34d2b170b53a00ea3e052c5f6ca1
SHA51210cb28005dc304562773269329a04d6ebba9dac67fb40f221aee54550df8d6ed742acb1cfb06cabb7d116d83a4f11b2865fc1cc291293f7e4897c64ac55fbbc7