Malware Analysis Report

2024-09-23 04:20

Sample ID 240620-mcr94awfjr
Target 0517b0613e9bc016de8232847e25d92c_JaffaCakes118
SHA256 511c0e53d4d823a3a916eb3e7c777f1d4f9d38f0da43af7cdaeb878f5108ae65
Tags
metasploit backdoor evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

511c0e53d4d823a3a916eb3e7c777f1d4f9d38f0da43af7cdaeb878f5108ae65

Threat Level: Known bad

The file 0517b0613e9bc016de8232847e25d92c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence trojan

MetaSploit

Modifies security service

Modifies WinLogon for persistence

Windows security bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Checks BIOS information in registry

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Identifies Wine through registry keys

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 10:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 10:19

Reported

2024-06-20 10:22

Platform

win7-20240611-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe %PROGRAMFILES%\\SYSTMEM.EXE" C:\Program Files (x86)\SYSTMEM.EXE N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Program Files (x86)\SYSTMEM.EXE N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A

Disables Task Manager via registry modification

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\SYSTMEM.EXE N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SYSTMEM.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SYSTMEM.EXE N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine C:\Program Files (x86)\SYSTMEM.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SYSTMEM.EXE = "C:\\Program Files (x86)\\\\SYSTMEM.EXE" C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SYSTMEM.EXE C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\SYSTMEM.EXE C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\SYSTMEM.EXE C:\Program Files (x86)\SYSTMEM.EXE N/A
File created C:\Program Files (x86)\SYSTMEM.EXE C:\Program Files (x86)\SYSTMEM.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Program Files (x86)\SYSTMEM.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Program Files (x86)\SYSTMEM.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies C:\Program Files (x86)\SYSTMEM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\SYSTMEM.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\SYSTMEM.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe"

C:\Program Files (x86)\SYSTMEM.EXE

"C:\Program Files (x86)\\SYSTMEM.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mail.fucuzzy.com udp
US 8.8.8.8:53 mail.TIKTIKZ.COM udp
US 8.8.8.8:53 www.topgameland.com udp
US 8.8.8.8:53 www.genesisstore.sk udp

Files

C:\Program Files (x86)\SYSTMEM.EXE

MD5 0517b0613e9bc016de8232847e25d92c
SHA1 8242dc29e7cf0dfcc003d516ea2519bb988f1331
SHA256 511c0e53d4d823a3a916eb3e7c777f1d4f9d38f0da43af7cdaeb878f5108ae65
SHA512 b7107640651dbd3c229f8f17c45c8b2cd3146748b0f956a5813240658fcae4cdfab20766f613be1e5cc3713958d124f7e8d4da6c92d58674b6868e66f343f07d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 10:19

Reported

2024-06-20 10:22

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0517b0613e9bc016de8232847e25d92c_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1436-0-0x0000000000400000-0x00000000005E4000-memory.dmp

memory/1436-1-0x0000000000400000-0x00000000005E4000-memory.dmp