Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted: 29/03/2025, 19:30
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Size: 124KB
MD5: 94e299aa753ed181eda56d407107ca58
SHA1: a5123944bb04744fca30d8d14088e0ef3c85c583
SHA256: a8c864a074c4c1b76c46b80863da6aa49d11967042131503b9335dfb8b11063f
SHA512: 1a23ad8a228a97722b2767603198aa267b333ab0ba4078c81dff9795c053f9d4bfbdd96a45a567ef016c70d0223968ca3bceb01fe7864644c7b869331b0e322c
SSDEEP: 1536:mhqSYtGeGemOBKu9eL5/4weWWzmrn14z7azstv9ScRIMU/wAGrw1C5aRLW2n:deVwweWUmr1S7azw1R/UYAx1iYWu
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe" | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Executes dropped EXE (4 IoCs)
pid | Process
2180 | aadrive32.exe
4476 | aadrive32.exe
2472 | aadrive32.exe
3896 | aadrive32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe" | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\%windir%\lfffile32.log | aadrive32.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1392 set thread context of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 4476 set thread context of 2472 | 4476 | aadrive32.exe | 102
PID 2180 set thread context of 3896 | 2180 | aadrive32.exe | 101
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\aadrive32.exe | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
File opened for modification | C:\Windows\aadrive32.exe | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aadrive32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aadrive32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aadrive32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
2180 | aadrive32.exe
4476 | aadrive32.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 1392 wrote to memory of 4268 | 1392 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 89
PID 4268 wrote to memory of 2180 | 4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 92
PID 4268 wrote to memory of 2180 | 4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 92
PID 4268 wrote to memory of 2180 | 4268 | JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe | 92
PID 3664 wrote to memory of 4476 | 3664 | cmd.exe | 93
PID 3664 wrote to memory of 4476 | 3664 | cmd.exe | 93
PID 3664 wrote to memory of 4476 | 3664 | cmd.exe | 93
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
PID 4476 wrote to memory of 2472 | 4476 | aadrive32.exe | 102
PID 2180 wrote to memory of 3896 | 2180 | aadrive32.exe | 101
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1392
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94e299aa753ed181eda56d407107ca58.exe
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4268
    C:\Windows\aadrive32.exe
      Command line: "C:\Windows\aadrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2180
      C:\Windows\aadrive32.exe
        Command line: C:\Windows\aadrive32.exe
        - Executes dropped EXE
        PID: 3896

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\aadrive32.exe
  - Suspicious use of WriteProcessMemory
  PID: 3664
  C:\Windows\aadrive32.exe
    Command line: C:\Windows\aadrive32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4476
    C:\Windows\aadrive32.exe
      Command line: C:\Windows\aadrive32.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      PID: 2472
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 124KB
MD5: 94e299aa753ed181eda56d407107ca58
SHA1: a5123944bb04744fca30d8d14088e0ef3c85c583
SHA256: a8c864a074c4c1b76c46b80863da6aa49d11967042131503b9335dfb8b11063f
SHA512: 1a23ad8a228a97722b2767603198aa267b333ab0ba4078c81dff9795c053f9d4bfbdd96a45a567ef016c70d0223968ca3bceb01fe7864644c7b869331b0e322c