Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 02:04

General

  • Target

    ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe

  • Size

    263KB

  • MD5

    ca82637cd4c3c64d76d47d15af8c6f39

  • SHA1

    c69bbd902ca603bf0eb3692591045019abbc94b7

  • SHA256

    ea408464db74adbe3aa2dfc86a9d247a034e34d2b170b53a00ea3e052c5f6ca1

  • SHA512

    10cb28005dc304562773269329a04d6ebba9dac67fb40f221aee54550df8d6ed742acb1cfb06cabb7d116d83a4f11b2865fc1cc291293f7e4897c64ac55fbbc7

  • SSDEEP

    6144:UB9MqnBy2n0wcfMMRcJc7FIaQbuA1uk5v2C/2YK:UHXE2n0w+cJc2Ik5vZB

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\ca82637cd4c3c64d76d47d15af8c6f39_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3620
          • C:\Windows\SysWOW64\igfxsb86.exe
            "C:\Windows\SysWOW64\igfxsb86.exe" C:\Users\Admin\AppData\Local\Temp\CA8263~1.EXE
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\SysWOW64\igfxsb86.exe
              "C:\Windows\SysWOW64\igfxsb86.exe" C:\Users\Admin\AppData\Local\Temp\CA8263~1.EXE
              5⤵
              • Modifies firewall policy service
              • Deletes itself
              • Executes dropped EXE
              • Adds Run key to start application
              • Maps connected drives based on registry
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1236

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      0.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      xe-0-7-0.level4-co2-as30938.su
      igfxsb86.exe
      Remote address:
      8.8.8.8:53
      Request
      xe-0-7-0.level4-co2-as30938.su
      IN A
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 66.128.53.179:80
      igfxsb86.exe
      260 B
      5
    • 204.11.237.50:80
      igfxsb86.exe
      260 B
      5
    • 195.137.213.67:80
      igfxsb86.exe
      260 B
      5
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      0.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      0.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      xe-0-7-0.level4-co2-as30938.su
      dns
      igfxsb86.exe
      76 B
      137 B
      1
      1

      DNS Request

      xe-0-7-0.level4-co2-as30938.su

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      140 B
      144 B
      2
      1

      DNS Request

      58.55.71.13.in-addr.arpa

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\igfxsb86.exe

      Filesize

      263KB

      MD5

      ca82637cd4c3c64d76d47d15af8c6f39

      SHA1

      c69bbd902ca603bf0eb3692591045019abbc94b7

      SHA256

      ea408464db74adbe3aa2dfc86a9d247a034e34d2b170b53a00ea3e052c5f6ca1

      SHA512

      10cb28005dc304562773269329a04d6ebba9dac67fb40f221aee54550df8d6ed742acb1cfb06cabb7d116d83a4f11b2865fc1cc291293f7e4897c64ac55fbbc7

    • memory/1236-42-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/1236-46-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/1236-47-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/3620-0-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/3620-2-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/3620-3-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/3620-4-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

    • memory/3620-44-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB
