Analysis
- max time kernel: 144s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
- Size: 66KB
- MD5: 19a4457486d58ee5e4ac98291763e96a
- SHA1: 796963653d256a6abc7250d936fd436c6bd960ac
- SHA256: ba38c34c4ae688df35e12132dbe4104387f780dd5709a83a9d46e6992669d035
- SHA512: b29cb1cabd468b254aeb633e67118ba4bd9395676c2a63e48161775e03af624aa204175d178e08d8fd5aeaa2c02823e81792c3ab319de7d5a8faa360c7debb13
- SSDEEP: 1536:tD0SVqps4PazX4IYLInGfLgFI+G/xfpckgxdfCp09eX:Es4yPuv+27qxdc092
Malware Config
Extracted
- Family: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\cndrive32.exe" | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  Processes: cndrive32.exe, cndrive32.exe
  pid | process
  2908 | cndrive32.exe
  4340 | cndrive32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\cndrive32.exe" | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe, cndrive32.exe
  description | pid | process | target process
  PID 3372 set thread context of 2500 | 3372 | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  PID 2908 set thread context of 4340 | 2908 | cndrive32.exe | cndrive32.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe, cndrive32.exe
  description | ioc | process
  File created | C:\Windows\cndrive32.exe | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  File opened for modification | C:\Windows\cndrive32.exe | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  File created | C:\Windows\%windir%\logfile32.log | cndrive32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  pid | process
  2500 | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe (this entry is listed 4 times)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe
  description | pid | process
  Token: SeSecurityPrivilege | 3372 | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe (this entry is listed 64 times)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe, 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe, cndrive32.exe
  description | pid | process | target process
  PID 3372 wrote to memory of 2500 | 3372 | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe (this entry is listed 8 times)
  PID 2500 wrote to memory of 2908 | 2500 | 19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe | cndrive32.exe (this entry is listed 3 times)
  PID 2908 wrote to memory of 4340 | 2908 | cndrive32.exe | cndrive32.exe (this entry is listed 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\19a4457486d58ee5e4ac98291763e96a_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\cndrive32.exe (depth 3)
      Command line: "C:\Windows\cndrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\cndrive32.exe (depth 4)
        Command line: "C:\Windows\cndrive32.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\cndrive32.exe
  Filesize: 66KB
  MD5: 19a4457486d58ee5e4ac98291763e96a
  SHA1: 796963653d256a6abc7250d936fd436c6bd960ac
  SHA256: ba38c34c4ae688df35e12132dbe4104387f780dd5709a83a9d46e6992669d035
  SHA512: b29cb1cabd468b254aeb633e67118ba4bd9395676c2a63e48161775e03af624aa204175d178e08d8fd5aeaa2c02823e81792c3ab319de7d5a8faa360c7debb13
- memory/2500-2-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2500-1-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2500-5-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2500-7-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2500-16-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2500-0-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/2908-25-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/3372-6-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/4340-24-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/4340-26-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/4340-27-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/4340-29-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/4340-32-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/4340-35-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/4340-38-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB