Malware Analysis Report

2024-09-23 04:03

Sample ID 240615-lmh9hawbma
Target adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118
SHA256 2abd76236a99fa1e52fee20ea374fc2fe798ba45fec3423855f1a3628df0966b
Tags execution metasploit backdoor trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 2abd76236a99fa1e52fee20ea374fc2fe798ba45fec3423855f1a3628df0966b

Threat Level: Known bad

The file adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

execution metasploit backdoor trojan

Metasploit family

MetaSploit

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 09:38

Signatures

Metasploit family

metasploit

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 09:38

Reported

2024-06-15 09:41

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6179.tmp" "c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\CSCF2117C0233864825ACE5531FCE171FAB.TMP"

Network

Country  Destination         Domain                            Proto
US       8.8.8.8:53          g.bing.com                        udp
US       204.79.197.237:443  g.bing.com                        tcp
US       8.8.8.8:53          133.32.126.40.in-addr.arpa        udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa       udp
US       8.8.8.8:53          205.47.74.20.in-addr.arpa         udp
US       8.8.8.8:53          203.107.17.2.in-addr.arpa         udp
BE       88.221.83.225:443   www.bing.com                      tcp
US       8.8.8.8:53          225.83.221.88.in-addr.arpa        udp
US       8.8.8.8:53          144.107.17.2.in-addr.arpa         udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa         udp
US       8.8.8.8:53          172.214.232.199.in-addr.arpa      udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53          21.236.111.52.in-addr.arpa        udp
US       8.8.8.8:53          216.131.50.23.in-addr.arpa        udp
US       8.8.8.8:53          208.143.182.52.in-addr.arpa       udp

Files

memory/3428-0-0x00007FF9F28E3000-0x00007FF9F28E5000-memory.dmp

memory/3428-6-0x000001DCED070000-0x000001DCED092000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_perpiatj.35c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3428-11-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

memory/3428-12-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.cmdline

MD5 ee533639df9c04d0bc09d590a91422ca
SHA1 8f290378d469da30c361c2b0504dd210bd3d9674
SHA256 1e857685814b162832dfdbbba6b09df00cf4937bfb1c63c807d9db7fb9ea28a1
SHA512 dcac50f3b99e1c48fe20fc6cb76717160e46625ddbbaa9a159647c35b4839ead550e2689b58e3dca1653c7200d62b593fc731e3a7c599887b92fa60f7f9b5dbb

\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.0.cs

MD5 7ab331daccdacd5ff29c8e23b747b040
SHA1 7140f35b363576f33e646222a01fcddb27cab866
SHA256 4ab92bb2f2582b002f3f3e9d7f92ebe2ab2b53527da0e25caddfdfba7f6a3190
SHA512 3e6fa140d5e606c784e8f29f83c6346d5fc1bf11e86fefb9482ec8be967b3a5d18864fdb45be02c4f04b0502b9218783be1b755b4c88e50b0f6b685bbdaff395

\??\c:\Users\Admin\AppData\Local\Temp\fyzn0pdp\CSCF2117C0233864825ACE5531FCE171FAB.TMP

MD5 12b9c70960b34392f9960cc4ad7e47ca
SHA1 81bbd6e894d00e3e34d40c174c7b0336447b7d9c
SHA256 6e5013557c0a5690cc598ac764d97643e22feecd3b1104d774a2301e77385ea2
SHA512 c6b777f4930cca514b15843b1a14656fe949f0d5b95912fd4d251ecf7c00a4b920e5c841c61cd71068f85c3a34eb2a8a6db3680319d7cb9e35ce97be02e6ec10

C:\Users\Admin\AppData\Local\Temp\RES6179.tmp

MD5 c2c33f43a54a996bf4692c80337aa5d0
SHA1 81fcb4f13e8987127fa305129d3cc9e5c97b933f
SHA256 b330105e82c08d6b908162cd63d7c08cac2dd9383bb3886c4882226d651cf7a2
SHA512 66c5a6e9ffd554b16bcb225ab466448704e49c4b15cd381075d99e13eaa92ab11246d4512e21588360b62ba3ef5235e5091eb012158fff9624b5c55df05e12d3

memory/3428-25-0x000001DCECF20000-0x000001DCECF28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fyzn0pdp\fyzn0pdp.dll

MD5 fc203db7f46358e7e8ae37725da61a76
SHA1 a86a440a54a7e360c337330783913703a2bdb404
SHA256 17d7285e7943c62c2d1b5984f349ecbfbd40be3734e6e3619a1e4ce2f1e87211
SHA512 42b8362f1d9105b366381a260f4ddd8a841807efd07629c625a1c0032b233fe2055599f1b79f243b2316d55c433fc1f791820846812ed862af222a5dbbbb0dfd

memory/3428-27-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

memory/3428-28-0x000001DCED060000-0x000001DCED061000-memory.dmp

memory/3428-29-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 09:38

Reported

2024-06-15 09:41

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                                                   Target
N/A          N/A        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\adcde952c9bb55f05e409ed01c5ed2ad_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1076.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1075.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 936

Network

N/A

Files

memory/2088-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp

memory/2088-5-0x000000001B520000-0x000000001B802000-memory.dmp

memory/2088-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/2088-7-0x0000000002240000-0x0000000002248000-memory.dmp

memory/2088-6-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/2088-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/2088-10-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/2088-11-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2dvfr2wb.cmdline

MD5 99aeb00722a63ff8ccd6e7dc16da8f36
SHA1 f67458cdaa7cefcbf2fffe788e849795a731b359
SHA256 5165e8fe2708aaf2bdba6f74eb0e7fb71d7fc4be1e7cbdefd4a2e59244e9bac8
SHA512 bd3fd8d079aa477820d1a17e20693a24311c75e37852d3c2738d7103cc9402d16061949f3c71782b2c2e2444a4c0a489251ab325d7511ee73a1c902a862502cb

\??\c:\Users\Admin\AppData\Local\Temp\2dvfr2wb.0.cs

MD5 7ab331daccdacd5ff29c8e23b747b040
SHA1 7140f35b363576f33e646222a01fcddb27cab866
SHA256 4ab92bb2f2582b002f3f3e9d7f92ebe2ab2b53527da0e25caddfdfba7f6a3190
SHA512 3e6fa140d5e606c784e8f29f83c6346d5fc1bf11e86fefb9482ec8be967b3a5d18864fdb45be02c4f04b0502b9218783be1b755b4c88e50b0f6b685bbdaff395

memory/2932-17-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC1075.tmp

MD5 3d1f44b7664653581e5f48860f88382e
SHA1 14844b721be8cc096ad3cd4412345ac6cd7f1bd1
SHA256 6fc6876b07c9e1f9a580e028ce20903131da9ba93652b066eb19f1b6cbe2004a
SHA512 f65b80738902a423d971e58fd3b9f21f84b32c1baeaf5dd0c88fd30657fb3397fcf657c6b08ce8ec56d7d148782e1688d4eaa11c9d1f0b6164ed045dfefa14cb

C:\Users\Admin\AppData\Local\Temp\RES1076.tmp

MD5 eee76c37f76b147b58a1daa4412d3afb
SHA1 dbbe9b95e8a055d346b567abd61d1617d1283cec
SHA256 c1a90d4f117ea91377d4d33881f1552dbf348883517f3de736ee86aafcb86c15
SHA512 73da6c7096995e226c1c2dee82ab7620d270589fc33c66e26d183181ecc98e3eac791799e7dec0ff6e745e80d317b052cb2eddbbbf1f2cf9ad576ae5e0e2c436

memory/2932-25-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.dll

MD5 dc64056ab7f1428a8d17885826a4d8b4
SHA1 455e1dcece3daa3ca48b1b3e47ce2d911f955bd4
SHA256 d0fd50b3b567ce58faf2bb0f52692abe7ed5646bd175cbf42bad0d7a6f3d9172
SHA512 1f5ec3b61e075254f3139ac76e452a95c88188a30156e644f113389cbf826db37a4562a802c64d565aad7050bec31eb72d9da356c9b53587fcd56c5915b61baf

memory/2088-27-0x0000000002A80000-0x0000000002A88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2dvfr2wb.pdb

MD5 4181f1ad3feab275e7e6b9328e3a8426
SHA1 1cab34402ebd43cfc8339432d6e549444c4aeeeb
SHA256 ff197054e3a86094efa5ae9619e89ea96725b10ec481c3190f578818134ecb3a
SHA512 5b2d67626a4f380b115747e73121f50c04520f3f8ad588071164f902dd7c111534bc85517b197fd65211173533e9ec83693111c66ab9c302db7fa61169e759da

memory/2088-30-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/2088-31-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/2088-32-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp