Analysis Overview
SHA256
ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38
Threat Level: Known bad
The file 0541f52181897f5716033fee5b2eaf34_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Metasploit family
MetaSploit
Deletes itself
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-23 05:05
Signatures
Metasploit family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 05:05
Reported
2024-06-23 05:07
Platform
win7-20240220-en
Max time kernel
144s
Max time network
143s
Command Line
Signatures
MetaSploit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\ting.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\ting.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system\ting.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\ting.exe | C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\ting.exe | C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system\ting.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system\ting.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system\ting.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system\ting.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\system\ting.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system\ting.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"
C:\Windows\system\ting.exe
"C:\Windows\system\ting.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
Files
C:\Windows\system\ting.exe
| MD5 | 0541f52181897f5716033fee5b2eaf34 |
| SHA1 | b9e420ddb43e5e43cb92e9e299311988ff4dbc97 |
| SHA256 | ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38 |
| SHA512 | 0fc8a095c4e42e5d7769a7401d620270d13dca82980bec3eafc4e9dd49abcbb5597f74c9158f46b59a5c0c63718bc847d09f6133a63de8267554c99e731f81d9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 05:05
Reported
2024-06-23 05:07
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
MetaSploit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\ting.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\ting.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\ting.exe | C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\ting.exe | C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0541f52181897f5716033fee5b2eaf34_JaffaCakes118.exe"
C:\Windows\system\ting.exe
"C:\Windows\system\ting.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
| US | 8.8.8.8:53 | slet.f4tal.com | udp |
Files
C:\Windows\System\ting.exe
| MD5 | 0541f52181897f5716033fee5b2eaf34 |
| SHA1 | b9e420ddb43e5e43cb92e9e299311988ff4dbc97 |
| SHA256 | ad53990eca9fddf949020ae7a53e2549dc35a57a449a828eac33c0d563e16c38 |
| SHA512 | 0fc8a095c4e42e5d7769a7401d620270d13dca82980bec3eafc4e9dd49abcbb5597f74c9158f46b59a5c0c63718bc847d09f6133a63de8267554c99e731f81d9 |