Malware Analysis Report

2024-09-23 04:23

Sample ID 240620-npxk1svfph
Target 059faaa78250a1704462450038601963_JaffaCakes118
SHA256 d85e421051cd12e8ce94fca237a6a5e7ee9e8720c5cecb28b968e764ec99a1dc
Tags: metasploit backdoor persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

d85e421051cd12e8ce94fca237a6a5e7ee9e8720c5cecb28b968e764ec99a1dc

Threat Level: Known bad

The file 059faaa78250a1704462450038601963_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor persistence trojan

MetaSploit

Deletes itself

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 11:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 11:34

Reported

2024-06-20 11:37

Platform

win7-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\svhhost.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\svhhost.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe
Target: N/A

Description: Token: SeShutdownPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\svhhost.exe
Target: N/A

Description: Token: SeShutdownPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\svhhost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\svhhost.exe

C:\Users\Admin\AppData\Local\Temp\svhhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\059FAA~1.EXE" >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 noobs.ath.cx udp
(32 identical DNS queries recorded for this destination and domain)

Files

\Users\Admin\AppData\Local\Temp\svhhost.exe

MD5 059faaa78250a1704462450038601963
SHA1 7f008b4668abcff4387106afb402cc3b677b41c5
SHA256 d85e421051cd12e8ce94fca237a6a5e7ee9e8720c5cecb28b968e764ec99a1dc
SHA512 fe9195ff707bda0de6e8b0cf042ed139b2d03e31e88902fd920c2d8e4f902e0cc59f582c9e5213ba2994ce774f408fc58277c774b3160801400681f9adf51cb9

memory/3024-3-0x0000000000401000-0x000000000040B000-memory.dmp

memory/3024-10-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-14-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-15-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-16-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-17-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-18-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-19-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-20-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-21-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-23-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-24-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-25-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-26-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-27-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-28-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-29-0x0000000000400000-0x00000000004F1000-memory.dmp

memory/2632-30-0x0000000000400000-0x00000000004F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 11:34

Reported

2024-06-20 11:37

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\059faaa78250a1704462450038601963_JaffaCakes118.exe"

Network

Files

N/A