Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
28/03/2025, 11:34
General
-
Target
JaffaCakes118_8aa0896372c84465ec2c153ae0e52cea.exe
-
Size
189KB
-
MD5
8aa0896372c84465ec2c153ae0e52cea
-
SHA1
02e86601cd1dc584ee59cd7f45607ea3cc4d79f4
-
SHA256
2f64c0bb42e364108eb4a8f7134f5dd59aa64862fe8b1fed62aad9b2757fe4a3
-
SHA512
706a25651a10a16833a2ecf96f88442b9920ccd160b140bfccd716fd86547a17824aa34ac220ee331977dd110c488a4e84580f322066a541e88dbe45b02ccadc
-
SSDEEP
3072:VX1T/7/i+aCYjYT9IbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7bm026qes:rTj/i+aCOG9GwvP6bQ7yMP+DE827y0x6
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 5 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 6 IoCs
-
Modifies registry class 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0896372c84465ec2c153ae0e52cea.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0896372c84465ec2c153ae0e52cea.exe"1⤵
- Looks for VMWare Tools registry key
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\AGPdivX.exe"C:\Windows\AGPdivX.exe"1⤵
- Modifies security service
- Windows security bypass
- Looks for VMWare Tools registry key
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189KB
MD58aa0896372c84465ec2c153ae0e52cea
SHA102e86601cd1dc584ee59cd7f45607ea3cc4d79f4
SHA2562f64c0bb42e364108eb4a8f7134f5dd59aa64862fe8b1fed62aad9b2757fe4a3
SHA512706a25651a10a16833a2ecf96f88442b9920ccd160b140bfccd716fd86547a17824aa34ac220ee331977dd110c488a4e84580f322066a541e88dbe45b02ccadc
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
192KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
44KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
628KB