Malware Analysis Report

2024-10-18 21:34

Sample ID: 240623-fqxcmsvbll
Target: 0541f52181897f5716033fee5b2eaf34_JaffaCakes118
SHA256: ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38
Tags: metasploit, backdoor, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38
Threat Level: Known bad

The file 0541f52181897f5716033fee5b2eaf34_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: metasploit, backdoor, trojan

Signatures triggered across the static and behavioral runs:

Metasploit family (static1) / MetaSploit (behavioral1, behavioral2)
Deletes itself
Executes dropped EXE
Drops file in System32 directory (behavioral1 only)
Drops file in Windows directory
Unsigned PE
Modifies data under HKEY_USERS (behavioral1 only)

Behaviour observed in the detonations, taken from the per-run sections below: the submitted executable writes a copy of itself to C:\Windows\system\ting.exe (the dropped file carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample), executes that copy, and the copy deletes the original. On both Windows 7 and Windows 10 the copy issues DNS queries for slet.f4tal.com via 8.8.8.8; the report records no follow-on connection to a resolved address. On Windows 7 the copy also initializes WinINet proxy settings under HKEY_USERS\.DEFAULT and opens counters.dat under the SysWOW64 system profile, which is consistent with the copy running under the LocalSystem account (the report shows no service or scheduled-task creation, so the mechanism is not established here). C:\Windows\system is the legacy 16-bit system directory, not System32; a newly created executable there is an anomaly worth hunting for on its own.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-23 05:05

Signatures

Metasploit family (tags: metasploit)

Unsigned PE

No description, indicator, process or target details were recorded for the static signatures.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-23 05:05
Reported: 2024-06-23 05:07
Platform: win7-20240220-en
Max time kernel: 144s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"

Signatures

MetaSploit (tags: trojan, backdoor, metasploit)

Deletes itself
    Process: C:\Windows\system\ting.exe
    (no description, indicator or target recorded)

Executes dropped EXE
    Process: C:\Windows\system\ting.exe
    (no description, indicator or target recorded)

Drops file in System32 directory
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    Process: C:\Windows\system\ting.exe

Drops file in Windows directory
    File created: C:\Windows\system\ting.exe
    Process: C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe

    File opened for modification: C:\Windows\system\ting.exe
    Process: C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe

Modifies data under HKEY_USERS (all entries by process C:\Windows\system\ting.exe)
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
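The DefaultConnectionSettings and SavedLegacySettings values that ting.exe writes are WinINet connection-settings blobs, and whether they point traffic at a proxy is the question an analyst wants answered. The parser below is an added example, not part of this sandbox report or of the sample; it decodes the value copied verbatim from the registry table above. The layout it assumes (version DWORD, change counter, flags, three length-prefixed strings for proxy server, bypass list and PAC URL, then reserved bytes) is the commonly documented WinINet format; the flag names, the build helper and the "looks like default" heuristic are the author's.

```python
import struct
from dataclasses import dataclass

# DefaultConnectionSettings as recorded in the behavioral1 registry table
# above (hex as printed by the sandbox; all integer fields little-endian).
PAGE_BLOB = bytes.fromhex(
    "4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)

# Bits of the flags DWORD at offset 8.
FLAG_DIRECT = 0x01          # direct connection allowed
FLAG_PROXY = 0x02           # use the proxy server named in the first string
FLAG_AUTOCONFIG_URL = 0x04  # use the PAC URL in the third string
FLAG_AUTODETECT = 0x08      # WPAD auto-detection enabled
FLAG_NAMES = {FLAG_DIRECT: "DIRECT", FLAG_PROXY: "PROXY",
              FLAG_AUTOCONFIG_URL: "AUTOCONFIG_URL", FLAG_AUTODETECT: "AUTODETECT"}


@dataclass
class ConnectionSettings:
    version: int
    counter: int
    flags: int
    proxy_server: str
    bypass_list: str
    autoconfig_url: str
    reserved: bytes

    def flag_names(self):
        names = [n for bit, n in FLAG_NAMES.items() if self.flags & bit]
        unknown = self.flags & ~sum(FLAG_NAMES)
        if unknown:
            names.append(f"UNKNOWN(0x{unknown:x})")
        return names

    def proxy_configured(self):
        """True when the blob would route WinINet traffic via a proxy or PAC."""
        return bool(self.flags & (FLAG_PROXY | FLAG_AUTOCONFIG_URL)) or bool(
            self.proxy_server or self.autoconfig_url)


def parse_connection_settings(blob: bytes) -> ConnectionSettings:
    """Decode a DefaultConnectionSettings/SavedLegacySettings value.

    Raises ValueError on a truncated blob instead of silently reading
    past the end, so a hostile or corrupted value cannot fake a clean result.
    """
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<3I", blob, 0)
    off, strings = 12, []
    for name in ("proxy_server", "bypass_list", "autoconfig_url"):
        if off + 4 > len(blob):
            raise ValueError(f"truncated before length of {name}")
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError(f"{name} length {n} exceeds blob size")
        strings.append(blob[off:off + n].decode("ascii", errors="replace"))
        off += n
    return ConnectionSettings(version, counter, flags, *strings, blob[off:])


def build_connection_settings(flags, proxy="", bypass="", pac="", version=0x46, counter=1):
    """Inverse of the parser (author's helper, used to build contrast cases)."""
    body = b"".join(struct.pack("<I", len(s)) + s.encode("ascii") for s in (proxy, bypass, pac))
    return struct.pack("<3I", version, counter, flags) + body + b"\0" * 32


def looks_like_default(s: ConnectionSettings) -> bool:
    """Author's heuristic: DIRECT|AUTODETECT with no strings is what WinINet
    writes when it first initializes a profile, so the sample is not
    hijacking the proxy here; it merely caused the keys to be created."""
    return s.flags == (FLAG_DIRECT | FLAG_AUTODETECT) and not (
        s.proxy_server or s.bypass_list or s.autoconfig_url)


def describe(blob: bytes) -> str:
    s = parse_connection_settings(blob)
    verdict = "default-looking (no proxy hijack)" if looks_like_default(s) else "NON-DEFAULT, inspect"
    return (f"version={s.version} counter={s.counter} flags=0x{s.flags:02x} "
            f"[{', '.join(s.flag_names())}] proxy={s.proxy_server!r} "
            f"bypass={s.bypass_list!r} pac={s.autoconfig_url!r} -> {verdict}")


if __name__ == "__main__":
    print(describe(PAGE_BLOB))
    # Constructed contrast case (not from the report): a value that forces
    # traffic through an attacker-chosen proxy, which the heuristic flags.
    print(describe(build_connection_settings(FLAG_DIRECT | FLAG_PROXY, proxy="10.0.0.5:8080")))
```

For the value on this page the parser yields version 70 (0x46), change counter 2, flags 0x09 (DIRECT and AUTODETECT) and three empty strings, i.e. the stock settings of a freshly initialized profile; together with ProxyEnable = 0 this says the copy used WinINet from the .DEFAULT profile but did not redirect its traffic. The same code run over a blob with the PROXY bit or a non-empty PAC URL reports it as non-default, which is the case that would warrant pulling the proxy address as an IOC.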

Processes

C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"

C:\Windows\system\ting.exe
    Command line: "C:\Windows\system\ting.exe"

Both processes run without command-line arguments.

Network

Country  Destination  Domain          Proto
US       8.8.8.8:53   slet.f4tal.com  udp

A single DNS query for slet.f4tal.com was sent to 8.8.8.8; no subsequent TCP connection is recorded in this run.

Files

C:\Windows\system\ting.exe

MD5     0541f52181897f5716033fee5b2eaf34
SHA1    b9e420ddb43e5e43cb92e9e299311988ff4dbc97
SHA256  ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38
SHA512  0fc8a095c4e42e5d7769a7401d620270d13dca82980bec3eafc4e9dd49abcbb5597f74c9158f46b59a5c0c63718bc847d09f6133a63de8267554c99e731f81d9

All four hashes match the submitted sample (the MD5 is the prefix of the sample's own filename), so ting.exe is a byte-for-byte self-copy rather than a second-stage payload.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-23 05:05
Reported: 2024-06-23 05:07
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"

Signatures

MetaSploit (tags: trojan, backdoor, metasploit)

Deletes itself
    Process: C:\Windows\system\ting.exe
    (no description, indicator or target recorded)

Executes dropped EXE
    Process: C:\Windows\system\ting.exe
    (no description, indicator or target recorded)

Drops file in Windows directory
    File created: C:\Windows\system\ting.exe
    Process: C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe

    File opened for modification: C:\Windows\system\ting.exe
    Process: C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe

Unlike the Windows 7 run, this run recorded no writes under the SysWOW64 system profile and no HKEY_USERS modifications.

Processes

C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"

C:\Windows\system\ting.exe
    Command line: "C:\Windows\system\ting.exe"

Both processes run without command-line arguments.

Network

Country  Destination  Domain          Proto  Count
US       8.8.8.8:53   slet.f4tal.com  udp    7

Seven identical DNS queries for slet.f4tal.com were sent to 8.8.8.8 during the 150 s network window; no TCP connection to a resolved address is recorded, which is consistent with the copy retrying resolution on a short interval.

Files

C:\Windows\System\ting.exe

MD5     0541f52181897f5716033fee5b2eaf34
SHA1    b9e420ddb43e5e43cb92e9e299311988ff4dbc97
SHA256  ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38
SHA512  0fc8a095c4e42e5d7769a7401d620270d13dca82980bec3eafc4e9dd49abcbb5597f74c9158f46b59a5c0c63718bc847d09f6133a63de8267554c99e731f81d9

As in the Windows 7 run, the dropped file is hash-identical to the submitted sample.
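The behaviour chain that both detonations share (an executable in a user's Temp directory writes a copy into C:\Windows\system, the copy runs, deletes the dropper and queries DNS) is easy to express as a detection over endpoint telemetry. The following Python is an added example, not code from the report or the sample: it walks Sysmon-style events and reports which steps of the chain fired plus the IOCs they yield. The event list is constructed to mirror the behavioral1 trace (PIDs, field names and rule names are the author's; paths, hashes and the domain are the report's), and the Sysmon event IDs used are the real ones (1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet, 22 DnsQuery, 23 FileDelete).

```python
import re

SAMPLE_SHA256 = "ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"
DROPPED = r"C:\Windows\system\ting.exe"

# Constructed Sysmon-style events mirroring the behavioral1 trace in this
# report. PIDs are invented; paths, hashes and the domain come from the report.
EVENTS = [
    {"id": 1, "pid": 1200, "image": DROPPER, "sha256": SAMPLE_SHA256},
    {"id": 11, "pid": 1200, "target": DROPPED},
    {"id": 1, "pid": 1312, "image": DROPPED, "sha256": SAMPLE_SHA256},
    {"id": 23, "pid": 1312, "target": DROPPER},
    {"id": 13, "pid": 1312,
     "target": r"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"id": 22, "pid": 1312, "query": "slet.f4tal.com"},
]

# C:\Windows\system is the legacy 16-bit directory; nothing modern creates
# executables there. System32 and SysWOW64 deliberately do not match.
LEGACY_SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system\\[^\\]+\.(exe|dll|scr)$", re.I)
USER_TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def triage(events):
    """Single pass over the events. Returns (findings, iocs) where findings is
    a list of (rule, detail) in firing order and iocs collects paths, domains
    and registry values touched by the dropped executable."""
    findings = []
    iocs = {"files": set(), "domains": set(), "registry": set()}
    image_of, sha256_of = {}, {}   # pid -> image path / hash
    writer_of = {}                 # lowercased dropped path -> pid that wrote it
    for ev in events:
        if ev["id"] == 1:
            pid, image = ev["pid"], ev["image"]
            image_of[pid], sha256_of[pid] = image, ev.get("sha256")
            writer = writer_of.get(image.lower())
            if writer is not None:
                findings.append(("executes_dropped_exe", image))
                # Same hash as the process that wrote it: a self-copy, not a payload.
                if sha256_of.get(writer) and sha256_of[writer] == ev.get("sha256"):
                    findings.append(("self_copy", f"{image} == {image_of[writer]}"))
        elif ev["id"] == 11:
            target = ev["target"]
            writer_of[target.lower()] = ev["pid"]
            iocs["files"].add(target)
            if LEGACY_SYSTEM_DIR.match(target) and USER_TEMP_DIR.match(image_of.get(ev["pid"], "")):
                findings.append(("temp_drops_into_windows_system", target))
        elif ev["id"] == 23:
            target = ev["target"]
            # The deleting process was itself written by the process whose
            # image is now being deleted: the "deletes itself" cleanup step.
            my_writer = writer_of.get(image_of.get(ev["pid"], "").lower())
            if my_writer is not None and image_of.get(my_writer, "").lower() == target.lower():
                findings.append(("dropped_copy_deletes_dropper", target))
        elif ev["id"] == 22:
            image = image_of.get(ev["pid"], "")
            if writer_of.get(image.lower()) is not None:   # DNS from a dropped binary
                iocs["domains"].add(ev["query"].lower())
                findings.append(("dropped_exe_dns_query", ev["query"]))
        elif ev["id"] == 13:
            iocs["registry"].add(ev["target"])
    return findings, iocs


def verdict(findings):
    """Escalate only when drop, execute and cleanup are all present."""
    fired = {rule for rule, _ in findings}
    chain = {"temp_drops_into_windows_system", "executes_dropped_exe", "dropped_copy_deletes_dropper"}
    if chain <= fired:
        return "malicious: self-installing dropper"
    return "suspicious: partial chain" if fired else "clean"


if __name__ == "__main__":
    found, indicators = triage(EVENTS)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    print(verdict(found))
    print(indicators)
```

The rules are keyed on relationships between events (who wrote the image a process runs from, whose image a process deletes) rather than on the specific filename, so the same logic fires if the next build drops something other than ting.exe. The hash comparison is what turns "executes dropped EXE" into "self-copy" and is the reason this sample's dropped file should not be treated as a distinct second stage.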