Malware Analysis Report

2025-01-03 08:11

Sample ID 240419-b3bt9aeb6z
Target f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118
SHA256 36f73e1b174faf36802edbb9cb999a566112fc61aada6a393788593048b7a7a3
Tags
metasploit backdoor evasion trojan
score
10/10

Analysis Overview

score
10/10

SHA256

36f73e1b174faf36802edbb9cb999a566112fc61aada6a393788593048b7a7a3

Threat Level: Known bad

The file f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 01:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 01:39

Reported

2024-04-19 01:42

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe | N/A
Token: 33 | N/A | \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe | N/A
Token: 33 | N/A | \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe

"C:\Users\Admin\AppData\Local\Temp\Download_Manager1.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.1.66:4444 | | tcp

Files

\Users\Admin\AppData\Local\Xenocode\Sandbox\Internet Download Manager installer\6, 11, 7, 1\1435.12.09T20.36\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\Download_Manager1.exe

MD5 8306f3109ad8ffe3cdb2729182d28824
SHA1 ebc35a31509b54f0a5538b149a2c2520beb644a7
SHA256 8082a7a74ad4d1c1e18a4d5e18e095d1a5ae5d95502cbfb221965f06ef1be2a1
SHA512 a7c46a96c059b1e03d4cbdaed25ec7d7388c0feb98ec2defb06ee023a0b9888a83210e3900e36bfa2312b6f96057bb575642559a2cc2babd93c4d281862a92c4

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 01:39

Reported

2024-04-19 01:42

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f938fc9db448a786e0f335b08d3e49b3_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1232 -ip 1232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 268

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1232-0-0x0000000000570000-0x00000000005E2000-memory.dmp

memory/1232-1-0x0000000077E62000-0x0000000077E63000-memory.dmp

memory/1232-2-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1232-3-0x0000000000570000-0x00000000005E2000-memory.dmp