Analysis
max time kernel: 147s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2024 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
Size: 57KB
MD5: cc3d29e605581e20fde808580ae82031
SHA1: b2ca7544873a2b13a7d8e2aa9bffaddaaf44c982
SHA256: fa94dceea66dfa6744e59dbe4707ad587469c79376a0389160763896bbbb8875
SHA512: 43fea5ebb7680c0a0e18dbca8a559042cfe3aab625807142466d540c09ee38999937843d420493b17e9beaa029774721f957dd998c138ff8b41d69b9cf0c77e6
SSDEEP: 1536:W5faTt6llw7XQRaQ7XQRaSpUPSR6hdrJBCrH:uI4lw7gRx7gR4xzrJBGH
Malware Config
Extracted
family: metasploit
encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe" | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1104 | aadrive32.exe
  2704 | aadrive32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe" | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 3008 set thread context of 1480 | 3008 | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe | 32
  PID 1104 set thread context of 2704 | 1104 | aadrive32.exe | 34
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\aadrive32.exe | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  File opened for modification | C:\Windows\aadrive32.exe | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  File created | C:\Windows\%windir%\lfffile32.log | aadrive32.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aadrive32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aadrive32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1480 | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
  1480 | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (26 IoCs; identical events grouped, with the event count in the last column)
  description | pid | Process | procid_target | events
  PID 3008 wrote to memory of 3012 | 3008 | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe | 31 | 4
  PID 3008 wrote to memory of 1480 | 3008 | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe | 32 | 9
  PID 1480 wrote to memory of 1104 | 1480 | cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe | 33 | 4
  PID 1104 wrote to memory of 2704 | 1104 | aadrive32.exe | 34 | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe (PID 3008)
  command line: "C:\Users\Admin\AppData\Local\Temp\cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 3012)
    command line: C:\Windows\splwow64.exe 12288
  - C:\Users\Admin\AppData\Local\Temp\cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe (PID 1480)
    command line: "C:\Users\Admin\AppData\Local\Temp\cc3d29e605581e20fde808580ae82031_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\aadrive32.exe (PID 1104)
      command line: "C:\Windows\aadrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\aadrive32.exe (PID 2704)
        command line: "C:\Windows\aadrive32.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15