Malware Analysis Report

2025-01-03 08:12

Sample ID 240418-smlg7ahf4x
Target f84639b1a82e588933fefaf668225dfc_JaffaCakes118
SHA256 cc355b38337412c3e3c0269dcd4c9211fd3d89893479380143a9e135be445cbb
Tags
metasploit backdoor evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cc355b38337412c3e3c0269dcd4c9211fd3d89893479380143a9e135be445cbb

Threat Level: Known bad

The file f84639b1a82e588933fefaf668225dfc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 15:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 15:14

Reported

2024-04-18 15:17

Platform

win7-20240215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A
File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2132 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | C:\Windows\SysWOW64\csrs.exe
PID 2132 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | C:\Windows\SysWOW64\csrs.exe
PID 2132 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | C:\Windows\SysWOW64\csrs.exe
PID 2132 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | C:\Windows\SysWOW64\csrs.exe
PID 2488 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2488 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2488 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2488 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2464 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2464 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2464 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2464 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 620 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 620 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 620 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 620 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2344 wrote to memory of 2832 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2344 wrote to memory of 2832 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2344 wrote to memory of 2832 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2344 wrote to memory of 2832 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2832 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2832 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2832 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2832 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2672 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2672 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2672 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 2672 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1224 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1224 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1224 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1224 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1512 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1512 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1512 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 1512 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 560 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 560 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 560 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe
PID 560 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 636 "C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 692 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 688 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 704 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 708 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 684 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 700 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 712 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 720 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 716 "C:\Windows\SysWOW64\csrs.exe"

Network

N/A

Files

memory/2132-0-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2132-14-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

memory/2132-18-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

memory/2132-17-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

memory/2132-16-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

memory/2132-15-0x0000000003DC0000-0x0000000003DC2000-memory.dmp

memory/2132-13-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

memory/2132-12-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/2132-11-0x0000000003D10000-0x0000000003D11000-memory.dmp

memory/2132-10-0x0000000003C90000-0x0000000003C91000-memory.dmp

memory/2132-9-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/2132-8-0x0000000003D90000-0x0000000003D91000-memory.dmp

memory/2132-7-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2132-6-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

memory/2132-5-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

memory/2132-1-0x0000000000400000-0x00000000005D8000-memory.dmp

\Windows\SysWOW64\csrs.exe

MD5 f84639b1a82e588933fefaf668225dfc
SHA1 e74f65e5b1a461f4cf785f2de51f2b55da19ea07
SHA256 cc355b38337412c3e3c0269dcd4c9211fd3d89893479380143a9e135be445cbb
SHA512 fa598f258f0c85bca7f1ded374798f1a47612e2ad5c7647f978f06e1a8a4ccebc9e4d9ee02807c33a9abe3d2fc51bd30fc9708a9757c466e9bf6eb9bb034fd9b

memory/2132-20-0x00000000048C0000-0x0000000004A98000-memory.dmp

memory/2488-27-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2488-28-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2488-30-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/2488-31-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2488-29-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

memory/2488-33-0x0000000003E10000-0x0000000003E11000-memory.dmp

memory/2488-32-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

memory/2488-34-0x0000000000760000-0x0000000000761000-memory.dmp

memory/2488-35-0x0000000003D60000-0x0000000003D61000-memory.dmp

memory/2488-36-0x0000000000770000-0x0000000000771000-memory.dmp

memory/2488-38-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

memory/2488-39-0x0000000003DD0000-0x0000000003DD2000-memory.dmp

memory/2488-37-0x0000000003D40000-0x0000000003D41000-memory.dmp

memory/2488-40-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

memory/2488-41-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

memory/2488-42-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

memory/2132-44-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2488-45-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2464-51-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2488-50-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

memory/2488-49-0x0000000003D50000-0x0000000003D51000-memory.dmp

memory/2464-52-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2464-66-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/2464-65-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

memory/2488-68-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2464-69-0x0000000000890000-0x0000000000891000-memory.dmp

memory/2464-64-0x0000000003D90000-0x0000000003D92000-memory.dmp

memory/2464-63-0x0000000000680000-0x0000000000681000-memory.dmp

memory/2464-62-0x0000000000670000-0x0000000000671000-memory.dmp

memory/2464-61-0x0000000003D10000-0x0000000003D11000-memory.dmp

memory/2464-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2464-59-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2464-58-0x0000000000660000-0x0000000000661000-memory.dmp

memory/2464-57-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

memory/2464-56-0x0000000003D60000-0x0000000003D61000-memory.dmp

memory/2464-55-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/2464-54-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

memory/2464-53-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

memory/2464-70-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2464-73-0x0000000003D80000-0x0000000003D81000-memory.dmp

memory/2464-75-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/620-76-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/620-80-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

memory/620-79-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/620-83-0x0000000000A10000-0x0000000000A11000-memory.dmp

memory/620-81-0x0000000003D60000-0x0000000003D61000-memory.dmp

memory/620-84-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/620-82-0x0000000003E10000-0x0000000003E11000-memory.dmp

memory/620-78-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

memory/620-77-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/620-94-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/620-116-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2344-117-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2832-142-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2672-165-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/1224-188-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/1512-210-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/560-233-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/2820-255-0x0000000000400000-0x00000000005D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 15:14

Reported

2024-04-18 15:17

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.75:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3088-0-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/3088-1-0x0000000000400000-0x00000000005D8000-memory.dmp