Malware Analysis Report

2024-09-23 04:20

Sample ID 240620-a6dbtazbpf
Target 0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118
SHA256 c6a7805c2de45d779844653bbbb7f77200db622c3db921d4bc9798194eb44cda
Tags
metasploit backdoor evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6a7805c2de45d779844653bbbb7f77200db622c3db921d4bc9798194eb44cda

Threat Level: Known bad

The file 0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Identifies Wine through registry keys

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 00:49

Reported

2024-06-20 00:51

Platform

win7-20240611-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dllcache\wintcps.exe C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dllcache\wintcps.exe C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\018502~1.EXE > NUL

Network

N/A

Files

memory/2040-0-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/2040-1-0x0000000000401000-0x0000000000407000-memory.dmp

memory/2040-2-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/2040-3-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/2040-4-0x0000000000400000-0x00000000004E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 00:49

Reported

2024-06-20 00:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0185029ee84ef1baf3a4c4299acddd44_JaffaCakes118.exe"

Network

Files

memory/2152-0-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/2152-1-0x0000000000400000-0x00000000004E7000-memory.dmp