Malware Analysis Report

2024-10-18 21:34

Sample ID 240623-fewlzazgrg
Target 053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118
SHA256 a0b0ead2bc00776b03b3263d3699b03fd87ea22c0e46c9433e890933b3da72d2
Tags
metasploit backdoor persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0b0ead2bc00776b03b3263d3699b03fd87ea22c0e46c9433e890933b3da72d2

Threat Level: Known bad

The file 053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor persistence trojan

MetaSploit

Adds policy Run key to start application

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 04:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 04:47

Reported

2024-06-23 04:50

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\wrdrive32.exe" C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wrdrive32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\wrdrive32.exe" C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wrdrive32.exe C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\wrdrive32.exe C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A
File created C:\Windows\%windir%\lfffile32.log C:\Windows\wrdrive32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe"

C:\Windows\wrdrive32.exe

"C:\Windows\wrdrive32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sssssss.devhoster.com udp
US 76.223.54.146:6971 sssssss.devhoster.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 76.223.54.146:6971 sssssss.devhoster.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 76.223.54.146:6971 sssssss.devhoster.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 76.223.54.146:6971 sssssss.devhoster.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 76.223.54.146:6971 sssssss.devhoster.com tcp
US 76.223.54.146:6971 sssssss.devhoster.com tcp

Files

memory/5044-0-0x0000000000400000-0x000000000055C000-memory.dmp

memory/5044-2-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5044-1-0x0000000002260000-0x00000000022BD000-memory.dmp

C:\Windows\wrdrive32.exe

MD5 053c5d5012aba237b1538df57a4b6e9c
SHA1 e4131cf8386fd9af2cabb08a9455f0a4097e8871
SHA256 a0b0ead2bc00776b03b3263d3699b03fd87ea22c0e46c9433e890933b3da72d2
SHA512 0bbc64181498f489b80215b39365f56a7ccbb59eef0ce088e4d1846cc50a5e735b6986459d7a5db2fc6fb05bfa5901be8677b6674f726c0b4bb7504b64ff0ff6

memory/4836-8-0x0000000000400000-0x000000000055C000-memory.dmp

memory/5044-10-0x0000000000400000-0x000000000055C000-memory.dmp

memory/5044-11-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4836-12-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4836-14-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4836-17-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4836-20-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4836-23-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4836-25-0x0000000000400000-0x000000000055C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 04:47

Reported

2024-06-23 04:50

Platform

win7-20240508-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\wrdrive32.exe" C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wrdrive32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\wrdrive32.exe" C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wrdrive32.exe C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\wrdrive32.exe C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe N/A
File created C:\Windows\%windir%\lfffile32.log C:\Windows\wrdrive32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053c5d5012aba237b1538df57a4b6e9c_JaffaCakes118.exe"

C:\Windows\wrdrive32.exe

"C:\Windows\wrdrive32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp
US 8.8.8.8:53 sssssss.devhoster.com udp

Files

memory/1208-0-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1208-2-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1208-1-0x00000000002F0000-0x000000000034D000-memory.dmp

C:\Windows\wrdrive32.exe

MD5 053c5d5012aba237b1538df57a4b6e9c
SHA1 e4131cf8386fd9af2cabb08a9455f0a4097e8871
SHA256 a0b0ead2bc00776b03b3263d3699b03fd87ea22c0e46c9433e890933b3da72d2
SHA512 0bbc64181498f489b80215b39365f56a7ccbb59eef0ce088e4d1846cc50a5e735b6986459d7a5db2fc6fb05bfa5901be8677b6674f726c0b4bb7504b64ff0ff6

memory/1208-9-0x0000000002F70000-0x00000000030CC000-memory.dmp

memory/2700-11-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1208-13-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2700-14-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-15-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-17-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-19-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-21-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-23-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-25-0x0000000000400000-0x000000000055C000-memory.dmp

memory/2700-27-0x0000000000400000-0x000000000055C000-memory.dmp