Malware Analysis Report

2025-01-03 08:02

Sample ID 240421-st4x4sef2w
Target ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118
SHA256 3f9b3a74099b9f88ac806ca2bb97c3e297ed9bc315afc6d30dd30b899afcffb7
Tags
metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f9b3a74099b9f88ac806ca2bb97c3e297ed9bc315afc6d30dd30b899afcffb7

Threat Level: Known bad

The file ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-21 15:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 15:25

Reported

2024-04-21 15:28

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windirs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\windirs.exe C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\windirs.exe C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe"

C:\Windows\SysWOW64\windirs.exe

C:\Windows\system32\windirs.exe 500 "C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe"

Network

N/A

Files

memory/1692-1-0x0000000000400000-0x00000000004FC704-memory.dmp

memory/1692-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Windows\SysWOW64\windirs.exe

MD5 ff96bb98be4f75d80372bdbe8614e84c
SHA1 09ed36f766d06aeaa135e51a6ab3a29a5623bef8
SHA256 3f9b3a74099b9f88ac806ca2bb97c3e297ed9bc315afc6d30dd30b899afcffb7
SHA512 57306c43df1e563d1586d72086e6d3c9cbaac11a1fdebc85b1efbceebece76c750d238b2ad41deb5a9ac638920f106ac9658cd86b2d877a7054636c9a8f9ee30

memory/1692-8-0x0000000002860000-0x000000000295D000-memory.dmp

memory/1692-15-0x0000000002860000-0x000000000295D000-memory.dmp

memory/3016-16-0x0000000000400000-0x00000000004FC704-memory.dmp

memory/1692-17-0x0000000000400000-0x00000000004FC704-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 15:25

Reported

2024-04-21 15:28

Platform

win10v2004-20240226-en

Max time kernel

113s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\windirs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\windirs.exe C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\windirs.exe C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe"

C:\Windows\SysWOW64\windirs.exe

C:\Windows\system32\windirs.exe 1124 "C:\Users\Admin\AppData\Local\Temp\ff96bb98be4f75d80372bdbe8614e84c_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/2148-0-0x0000000000400000-0x00000000004FC704-memory.dmp

memory/2148-1-0x0000000000400000-0x00000000004FC704-memory.dmp

memory/2148-2-0x0000000000400000-0x00000000004FC704-memory.dmp

memory/2148-3-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/2148-5-0x0000000000400000-0x00000000004FC704-memory.dmp

C:\Windows\SysWOW64\windirs.exe

MD5 ff96bb98be4f75d80372bdbe8614e84c
SHA1 09ed36f766d06aeaa135e51a6ab3a29a5623bef8
SHA256 3f9b3a74099b9f88ac806ca2bb97c3e297ed9bc315afc6d30dd30b899afcffb7
SHA512 57306c43df1e563d1586d72086e6d3c9cbaac11a1fdebc85b1efbceebece76c750d238b2ad41deb5a9ac638920f106ac9658cd86b2d877a7054636c9a8f9ee30

memory/3196-12-0x0000000000400000-0x00000000004FC704-memory.dmp