Malware Analysis Report

2025-01-03 08:04

Sample ID 240419-zf8gpsfg6v
Target fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118
SHA256 032201b193518134e290da8a9e8583f19a08b6ad8f51a3e8ff709a10dd8eb359
Tags
themida metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

032201b193518134e290da8a9e8583f19a08b6ad8f51a3e8ff709a10dd8eb359

Threat Level: Known bad

The file fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

themida metasploit backdoor trojan

MetaSploit

Themida packer

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-19 20:40

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 20:40

Reported

2024-04-19 20:43

Platform

win7-20240221-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File created | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A
File opened for modification | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2224 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2224 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2224 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2224 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2632 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2632 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2632 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2632 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2688 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2688 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2688 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2688 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2404 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2404 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2404 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2404 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 912 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 912 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 912 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 912 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 3056 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 3056 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 3056 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 3056 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2620 wrote to memory of 1084 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2620 wrote to memory of 1084 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2620 wrote to memory of 1084 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2620 wrote to memory of 1084 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 1084 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 1084 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 1084 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 1084 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2004 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2004 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2004 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 2004 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 856 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 856 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 856 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe
PID 856 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\psconfig.exe | C:\Windows\SysWOW64\psconfig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 652 "C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 708 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 712 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 716 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 720 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 724 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 728 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 736 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 732 "C:\Windows\SysWOW64\psconfig.exe"

C:\Windows\SysWOW64\psconfig.exe

C:\Windows\system32\psconfig.exe 756 "C:\Windows\SysWOW64\psconfig.exe"

Network

N/A

Files

memory/2224-0-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2224-1-0x0000000001F80000-0x0000000002061000-memory.dmp

memory/2224-2-0x00000000044A0000-0x00000000044A2000-memory.dmp

memory/2224-13-0x00000000044C0000-0x00000000044C1000-memory.dmp

memory/2224-12-0x00000000008E0000-0x00000000008E1000-memory.dmp

memory/2224-11-0x00000000042C0000-0x00000000042C2000-memory.dmp

memory/2224-10-0x0000000002070000-0x0000000002071000-memory.dmp

memory/2224-9-0x0000000004450000-0x0000000004451000-memory.dmp

memory/2224-8-0x0000000004280000-0x0000000004281000-memory.dmp

memory/2224-15-0x0000000002090000-0x0000000002091000-memory.dmp

\Windows\SysWOW64\psconfig.exe

MD5 fb203d24beb6e6501aa7e3433e9ca60e
SHA1 96c7caeda68cc87e74e668408112d0a85b49a5eb
SHA256 032201b193518134e290da8a9e8583f19a08b6ad8f51a3e8ff709a10dd8eb359
SHA512 6d131dafe0099df2cb4902e745a77ca7e882b0de89ec97d0ef1efdca9b822ff09f2cbd40fddca79c157343eff98a36631a66dc3cec90163ea6426ba92e268b0c

memory/2224-4-0x00000000044B0000-0x00000000044B1000-memory.dmp

memory/2224-3-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2224-21-0x0000000004490000-0x0000000004491000-memory.dmp

memory/2224-23-0x0000000004480000-0x0000000004482000-memory.dmp

memory/2224-24-0x0000000004470000-0x0000000004471000-memory.dmp

memory/2224-26-0x0000000004290000-0x0000000004291000-memory.dmp

memory/2224-25-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2632-27-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2632-28-0x00000000044A0000-0x00000000044A2000-memory.dmp

memory/2632-30-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2632-31-0x00000000044B0000-0x00000000044B1000-memory.dmp

memory/2632-32-0x0000000004280000-0x0000000004281000-memory.dmp

memory/2632-33-0x0000000004450000-0x0000000004451000-memory.dmp

memory/2632-35-0x00000000042E0000-0x00000000042E1000-memory.dmp

memory/2632-36-0x00000000044C0000-0x00000000044C1000-memory.dmp

memory/2632-34-0x0000000004250000-0x0000000004251000-memory.dmp

memory/2632-37-0x0000000004240000-0x0000000004241000-memory.dmp

memory/2632-38-0x00000000042D0000-0x00000000042D1000-memory.dmp

memory/2632-40-0x0000000004490000-0x0000000004491000-memory.dmp

memory/2632-39-0x0000000004270000-0x0000000004271000-memory.dmp

memory/2632-41-0x0000000004480000-0x0000000004482000-memory.dmp

memory/2632-42-0x0000000004290000-0x0000000004291000-memory.dmp

memory/2632-43-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2632-51-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2688-52-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2632-50-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2224-49-0x0000000004290000-0x0000000004291000-memory.dmp

memory/2632-48-0x0000000004260000-0x0000000004261000-memory.dmp

memory/2632-47-0x0000000004470000-0x0000000004471000-memory.dmp

memory/2688-54-0x00000000044A0000-0x00000000044A2000-memory.dmp

memory/2688-66-0x0000000004290000-0x0000000004291000-memory.dmp

memory/2688-65-0x0000000004480000-0x0000000004482000-memory.dmp

memory/2688-64-0x0000000004270000-0x0000000004271000-memory.dmp

memory/2688-63-0x00000000044C0000-0x00000000044C1000-memory.dmp

memory/2688-62-0x00000000042C0000-0x00000000042C1000-memory.dmp

memory/2688-61-0x0000000004240000-0x0000000004241000-memory.dmp

memory/2688-60-0x0000000004420000-0x0000000004421000-memory.dmp

memory/2688-59-0x0000000004250000-0x0000000004251000-memory.dmp

memory/2688-58-0x0000000004450000-0x0000000004451000-memory.dmp

memory/2688-57-0x0000000004280000-0x0000000004281000-memory.dmp

memory/2688-56-0x00000000044B0000-0x00000000044B1000-memory.dmp

memory/2688-55-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2688-67-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2688-71-0x0000000004470000-0x0000000004471000-memory.dmp

memory/2688-73-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2404-74-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2688-72-0x0000000004260000-0x0000000004261000-memory.dmp

memory/2404-75-0x00000000044B0000-0x00000000044B2000-memory.dmp

memory/2404-76-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2404-77-0x00000000044C0000-0x00000000044C1000-memory.dmp

memory/2404-78-0x0000000004280000-0x0000000004281000-memory.dmp

memory/2404-79-0x0000000004460000-0x0000000004461000-memory.dmp

memory/2404-80-0x0000000004250000-0x0000000004251000-memory.dmp

memory/2404-81-0x00000000042D0000-0x00000000042D1000-memory.dmp

memory/2404-82-0x0000000004240000-0x0000000004241000-memory.dmp

memory/2404-83-0x00000000042C0000-0x00000000042C1000-memory.dmp

memory/2404-84-0x00000000044D0000-0x00000000044D1000-memory.dmp

memory/2404-85-0x0000000004270000-0x0000000004271000-memory.dmp

memory/2404-89-0x0000000000400000-0x000000000074A000-memory.dmp

memory/912-112-0x0000000000400000-0x000000000074A000-memory.dmp

memory/912-117-0x0000000000400000-0x000000000074A000-memory.dmp

memory/3056-134-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2620-158-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2620-167-0x0000000000400000-0x000000000074A000-memory.dmp

memory/1084-181-0x0000000000400000-0x000000000074A000-memory.dmp

memory/2004-203-0x0000000000400000-0x000000000074A000-memory.dmp

memory/856-227-0x0000000000400000-0x000000000074A000-memory.dmp

memory/856-232-0x0000000000400000-0x000000000074A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 20:40

Reported

2024-04-19 20:43

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fb203d24beb6e6501aa7e3433e9ca60e_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
BE | 2.17.197.240:80 | | tcp

Files

memory/412-0-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/412-1-0x00000000024B0000-0x0000000002591000-memory.dmp