Analysis
- max time kernel: 149s
- max time network: 87s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 28-06-2024 02:27
Static task: static1
Behavioral task: behavioral1
- Sample: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
- Size: 181KB
- MD5: 1874c9726275e7c0267a06321c3df630
- SHA1: eb5115d6190d863726ff14443c2af5d2510be30f
- SHA256: 1acd18c1ef588ec974897a15acb1f6ba0fd4065caaed18ba258d467bef213cde
- SHA512: 74a4f500b8850c9a9fddd66fce68ea604552043f3bb680621c422810d342e48e3a4396b3bd35fe0d67411777da8719c7dcb55470b4ca80f33186914b569ddfb0
- SSDEEP: 3072:dUY+Ovbqs52owfxKDRmfixvdt1UPooskOX7tb/fXtJQZy:tviHpunTouLRvQY
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies firewall policy service 3 TTPs 8 IoCs
Processes: wmpsk86.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpsk86.exe = "C:\\Windows\\SysWOW64\\wmpsk86.exe:*:Enabled:Windows Service Monitor" | wmpsk86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpsk86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wmpsk86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | wmpsk86.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpsk86.exe = "C:\\Windows\\SysWOW64\\wmpsk86.exe:*:Enabled:Windows Service Monitor" | wmpsk86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpsk86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | wmpsk86.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | wmpsk86.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
-
Deletes itself 1 IoCs
Processes: wmpsk86.exe
pid | process
2084 | wmpsk86.exe
-
Executes dropped EXE 2 IoCs
Processes: wmpsk86.exe, wmpsk86.exe
pid | process
1716 | wmpsk86.exe
2084 | wmpsk86.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2452-0-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/2452-2-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/2452-3-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/2452-4-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/2084-43-0x0000000000400000-0x0000000000430000-memory.dmp | upx
behavioral2/memory/2452-44-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/2084-46-0x0000000000400000-0x000000000044C000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: wmpsk86.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service Monitor = "C:\\Windows\\SysWOW64\\wmpsk86.exe" | wmpsk86.exe
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, wmpsk86.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpsk86.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpsk86.exe
-
Drops file in System32 directory 4 IoCs
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, wmpsk86.exe
description | ioc | process
File created | C:\Windows\SysWOW64\wmpsk86.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpsk86.exe
File opened for modification | C:\Windows\SysWOW64\ | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpsk86.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, wmpsk86.exe
description | pid | process | target process
PID 4272 set thread context of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 1716 set thread context of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, wmpsk86.exe
pid | process
2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
2084 | wmpsk86.exe
2084 | wmpsk86.exe
2084 | wmpsk86.exe
2084 | wmpsk86.exe
-
Suspicious use of UnmapMainImage 2 IoCs
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, wmpsk86.exe
pid | process
4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
1716 | wmpsk86.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe, wmpsk86.exe, wmpsk86.exe
description | pid | process | target process
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 4272 wrote to memory of 2452 | 4272 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe
PID 2452 wrote to memory of 1716 | 2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | wmpsk86.exe
PID 2452 wrote to memory of 1716 | 2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | wmpsk86.exe
PID 2452 wrote to memory of 1716 | 2452 | 1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 1716 wrote to memory of 2084 | 1716 | wmpsk86.exe | wmpsk86.exe
PID 2084 wrote to memory of 3436 | 2084 | wmpsk86.exe | Explorer.EXE
PID 2084 wrote to memory of 3436 | 2084 | wmpsk86.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe"
    signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\1874c9726275e7c0267a06321c3df630_JaffaCakes118.exe"
      signatures:
      - Checks computer location settings
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wmpsk86.exe (depth 4)
        command line: "C:\Windows\SysWOW64\wmpsk86.exe" C:\Users\Admin\AppData\Local\Temp\1874C9~1.EXE
        signatures:
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\wmpsk86.exe (depth 5)
          command line: "C:\Windows\SysWOW64\wmpsk86.exe" C:\Users\Admin\AppData\Local\Temp\1874C9~1.EXE
          signatures:
          - Modifies firewall policy service
          - Deletes itself
          - Executes dropped EXE
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (2)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
Downloads
- C:\Windows\SysWOW64\wmpsk86.exe
  Filesize: 181KB
  MD5: 1874c9726275e7c0267a06321c3df630
  SHA1: eb5115d6190d863726ff14443c2af5d2510be30f
  SHA256: 1acd18c1ef588ec974897a15acb1f6ba0fd4065caaed18ba258d467bef213cde
  SHA512: 74a4f500b8850c9a9fddd66fce68ea604552043f3bb680621c422810d342e48e3a4396b3bd35fe0d67411777da8719c7dcb55470b4ca80f33186914b569ddfb0
- memory/2084-43-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/2084-46-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/2452-0-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/2452-2-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/2452-3-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/2452-4-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/2452-44-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB