Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 15:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  - Resource: win7-20240419-en
- Behavioral task: behavioral2
  - Sample: 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  - Resource: win10v2004-20240508-en
General
- Target: 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
- Size: 70KB
- MD5: 1fca046507f600012747e06aa56f6107
- SHA1: fa2f8c5aba192bb872dc7a46676fc71e47fe9b8c
- SHA256: e1d5093241a6a7fb2e7492e31f4935fd7b62246660a4ae634940c5ea5f71d049
- SHA512: d4c57dca82bbdb1d78cb5aefcb00c8a624426d6dc5d3c62d9c20053168ec86635a1b237da4ebdf9d3df1c89f5bc8b180faa8600aca8eaf8a2fbf093fe0bbdcc6
- SSDEEP: 1536:tq+wO8I7VY1dZzwD2CDjyH7iG1Q9Ubay75gSK:to+7VY5q28OH7i3Uf+t
Malware Config (extracted)
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Process: 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\WindowsUpdate.exe"
- Executes dropped EXE (2 IoCs)
  - PID 2924: WindowsUpdate.exe
  - PID 3496: WindowsUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\WindowsUpdate.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2796 (1fca046507f600012747e06aa56f6107_JaffaCakes118.exe) set thread context of PID 2908 (1fca046507f600012747e06aa56f6107_JaffaCakes118.exe)
  - PID 2924 (WindowsUpdate.exe) set thread context of PID 3496 (WindowsUpdate.exe)
- Drops file in Windows directory (3 IoCs)
  - File created: C:\Windows\WindowsUpdate.exe, by 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  - File opened for modification: C:\Windows\WindowsUpdate.exe, by 1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  - File created: C:\Windows\log32.txt, by WindowsUpdate.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 2908 (1fca046507f600012747e06aa56f6107_JaffaCakes118.exe), 4 events
- Suspicious use of WriteProcessMemory (19 IoCs)
  - PID 2796 (1fca046507f600012747e06aa56f6107_JaffaCakes118.exe) wrote to memory of PID 2908 (1fca046507f600012747e06aa56f6107_JaffaCakes118.exe), 8 events
  - PID 2908 (1fca046507f600012747e06aa56f6107_JaffaCakes118.exe) wrote to memory of PID 2924 (WindowsUpdate.exe), 3 events
  - PID 2924 (WindowsUpdate.exe) wrote to memory of PID 3496 (WindowsUpdate.exe), 8 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fca046507f600012747e06aa56f6107_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\1fca046507f600012747e06aa56f6107_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1fca046507f600012747e06aa56f6107_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\WindowsUpdate.exe
      Command line: "C:\Windows\WindowsUpdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\WindowsUpdate.exe
        Command line: "C:\Windows\WindowsUpdate.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
Downloads
- C:\Windows\WindowsUpdate.exe
  - Filesize: 70KB
  - MD5: 1fca046507f600012747e06aa56f6107
  - SHA1: fa2f8c5aba192bb872dc7a46676fc71e47fe9b8c
  - SHA256: e1d5093241a6a7fb2e7492e31f4935fd7b62246660a4ae634940c5ea5f71d049
  - SHA512: d4c57dca82bbdb1d78cb5aefcb00c8a624426d6dc5d3c62d9c20053168ec86635a1b237da4ebdf9d3df1c89f5bc8b180faa8600aca8eaf8a2fbf093fe0bbdcc6
- Memory dumps (filesize in brackets)
  - memory/2796-8-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
  - memory/2796-0-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
  - memory/2908-18-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2908-9-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2908-6-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2908-1-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2908-10-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2908-3-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2908-2-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/2924-16-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
  - memory/2924-28-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
  - memory/3496-29-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-30-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-32-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-33-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-35-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-37-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-39-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-41-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  - memory/3496-43-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)