Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 19:43

Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe
  Resource: win7-20250207-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe
  Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe
Size: 524KB
MD5: 9590c5e8f3a01376450f87515c58920a
SHA1: 8d92746414c01491494169b8bf7fee68b24597f5
SHA256: a7eb3d6b18cec33e06fe9d6425282446b6987d8601e5f6df113bfa0ddec05e38
SHA512: ccee37521fc7b40f8951c438bdb47353973449f58cc5527af96950193e1a493a6fcd747ed9e8b95f8414240683057e7b44bb1caeec9373ac3c71bc831d436630
SSDEEP: 12288:y5VJADlYdve+Dn8UC4p6jCtd9QaiUXF2zno4MPHG7WQfE1IJL0sO:EVyDyM+DnD6kPQPUX8znfMPMesO
Malware Config
Extracted family: metasploit
Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family

Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\SysWOW64\drivers\sysdrv32.sys (wmibus.exe)

Deletes itself (1 IoC)
  PID 2756, wmibus.exe

Executes dropped EXE (1 IoC)
  PID 2756, wmibus.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine (JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe)

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (wmibus.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 936, JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe
  PID 2756, wmibus.exe

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\system\wmibus.exe (JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe)
  File opened for modification: C:\Windows\system\wmibus.exe (JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe)

System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Gathers network information (2 TTPs, 21 IoCs)
Uses a command-line utility to view network configuration.
Modifies data under HKEY_USERS (6 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (wmibus.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (wmibus.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (wmibus.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (wmibus.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (wmibus.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (wmibus.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 936, JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe
  PID 2756, wmibus.exe

Suspicious behavior: LoadsDriver (1 IoC)
  PID 476, Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2756, wmibus.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9590c5e8f3a01376450f87515c58920a.exe"
  PID: 936
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system\wmibus.exe
  Command line: "C:\Windows\system\wmibus.exe"
  PID: 2756
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2688)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2676)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2812)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1588)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1228)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 3016)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 3008)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2436)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 3024)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2160)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2336)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2140)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1760)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1388)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 540)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1708)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1624)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2700)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 2096)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1152)
      - System Location Discovery: System Language Discovery
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe  ipconfig /flushdns  (PID 1844)
      - System Location Discovery: System Language Discovery
      - Gathers network information
MITRE ATT&CK Enterprise v15