Overview

overview

10

Static

static

10

f3a255cd5e...18.exe

windows7-x64

10

f3a255cd5e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2024 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe

  • Size

    107KB

  • MD5

    f3a255cd5e198a6a1518c8cab2c0ac2f

  • SHA1

    700434728083617c758d4c893959e2e63562b353

  • SHA256

    5ce3f9c4752da334a00af6aa22550da57e77adab646b3774c6d9eeabe2f2ccd5

  • SHA512

    0b33d534858bd56f375323f42bb6046d9082a1dbf437f665ebc8a38c22643309c6d40d484f8532c36ab7a82d4b7f162e0bf6a3274ed47b67a083b1b6870cf2ed

  • SSDEEP

    3072:cgZoEWJnMecMTMD8+ZMzyBygGUxCPfgLy6W:d6JnRTf+LBygb1Ly6

Score
10/10
metasploitbackdoorevasionpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe"
        2⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\fwadd.bat" "
          3⤵
            PID:2316
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe" "System Services Monitor" ENABLE
              4⤵
              • Modifies Windows Firewall
              PID:1060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\fwadd.bat
        Filesize

        173B

        MD5

        08f29a4cbcc5a1cdcfbfe4835d8b09cf

        SHA1

        d45d861790c8aabada626c8882df8c2bb1326deb

        SHA256

        d159043a90a1907e54cc41f22f06302233bec031a381b2aa61ceb2a705763fa6

        SHA512

        db3bd3ace6bb8b2f66ed9188d9618e7e3476f73bc06f81351a2cb78c7b6cc20778173a078306e0cf23e879262369191d59808038bd980ad769f4f1d73b8eb29c

        Download Submit
      • memory/1196-9-0x0000000003E00000-0x0000000003E01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1196-10-0x0000000003E00000-0x0000000003E01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2060-12-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download