Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/07/2024, 03:57

General

  • Target

    443680904e6387336410454c358d85c6_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    443680904e6387336410454c358d85c6

  • SHA1

    dd48fd763966a3905f9eb34fb68bc0a322b83ad2

  • SHA256

    f3b1eb48ef5dcb9f9dc3d915449e49e906cda9728c5a3c0de9a05e4781096c1b

  • SHA512

    fe16304fe0ff5ac071f83ad7b3783c6e79f693f3f449da104feab9ba0212a797cf7d768ae0220a8f27209281ead735447cf3a10e07c494b4db2a23afe4ab29ff

  • SSDEEP

    1536:3zV9QkOoSufUbRwMNxDbXZGXbTVre0qJGZSOqm5Mb+KR0Nc8QsJq3:jVFOoSusbRZNxRoTjy6e0Nc8QsC

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

118.223.26.15:1337

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
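How a config like the "Extracted" block above is recovered from the binary, as an added example (not the sandbox's own extractor and not code from the report): a small scanner for the hard-coded LHOST/LPORT of Metasploit's unencoded x86 reverse_tcp stager. It assumes the stager's known layout (two `push imm32` instructions that build the sockaddr); the `SAMPLE_STUB` is constructed from the C2 the report lists and is not bytes taken from the sample.

```python
"""Recover a reverse_tcp C2 from an unencoded Metasploit x86 stager.

Added example, not part of the sandbox report or its extractor. It assumes the
layout of Metasploit's x86 block_reverse_tcp stager, which builds the sockaddr
with two PUSH imm32 instructions:

    68 II II II II      push <LHOST in network byte order>
    68 02 00 PP PP      push <AF_INET (2, little-endian) + LPORT big-endian>

Encoded (e.g. shikata_ga_nai) or packed samples will not match until decoded.
"""
import re
import struct

# "push imm32" twice; the second immediate's low word must be AF_INET.
_SOCKADDR_PUSH = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)


def extract_reverse_tcp_c2(blob: bytes) -> list[tuple[str, int]]:
    """Return every (ip, port) pair whose bytes match the stager's push pair."""
    hits = []
    for m in _SOCKADDR_PUSH.finditer(blob):
        ip = ".".join(str(octet) for octet in m.group("ip"))
        port = struct.unpack(">H", m.group("port"))[0]   # network byte order
        hits.append((ip, port))
    return hits


def build_stub(ip: str, port: int) -> bytes:
    """Constructed test input: the two pushes padded with NOPs.

    This is not the sample from the report, only the 10-byte instruction pair
    encoded the way the stager encodes it, so the extractor can be exercised
    offline."""
    packed_ip = bytes(int(octet) for octet in ip.split("."))
    return (b"\x90" * 8
            + b"\x68" + packed_ip
            + b"\x68\x02\x00" + struct.pack(">H", port)
            + b"\x90" * 8)


# The C2 the report extracted, re-encoded into a constructed stub.
SAMPLE_STUB = build_stub("118.223.26.15", 1337)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STUB
    for ip, port in extract_reverse_tcp_c2(data):
        print(f"reverse_tcp C2 candidate: {ip}:{port}")
```

Any `push`/`push` pair whose second immediate ends in `0x0002` will match, so treat the output as candidates and confirm them against the sandbox's network capture (here 118.223.26.15:1337). Run it over an unpacked copy of the stub or a dumped memory region rather than the packed file on disk; the x64 stager and encoded variants need their own patterns.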

  • Modifies firewall policy service (3 TTPs, 16 IoCs)
  • Modifies security service (2 TTPs, 4 IoCs)
  • Drops file in Drivers directory (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops autorun.inf file (1 TTP, 48 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes. Windows 7 and later (and XP/Vista with KB971029) ignore the open= and shellexecute= entries of autorun.inf on non-optical removable media, so on a hardened host this file is evidence of the propagation attempt rather than a guaranteed execution path.

  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
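What the "Drops autorun.inf file" signature is looking for, as an added example (not code from the report): a triage parser that pulls the launch hooks and disguise keys out of an autorun.inf and explains why it is dangerous. The report does not show the contents of its 63-byte F:\autorun.inf, so `SAMPLE_AUTORUN` below is a constructed file in the usual style; only the payload_l.exe filename comes from the report.

```python
"""Triage an autorun.inf for the propagation pattern behind the
"Drops autorun.inf file" signature (added example, not part of the report)."""
import configparser

# Keys under [autorun] that launch code when AutoRun honours the file.
LAUNCH_KEYS = ("open", "shellexecute")
# Keys used to make the drive look benign in Explorer / AutoPlay.
DISGUISE_KEYS = ("icon", "label", "action")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".dll")

# Constructed input: the report does not show the contents of its 63-byte
# F:\autorun.inf, so this is a representative file in the usual style; only
# the payload_l.exe filename comes from the report.
SAMPLE_AUTORUN = r"""[autorun]
open=payload_l.exe
shellexecute=payload_l.exe
shell\Open\command=payload_l.exe
shell=Open
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text: str) -> dict:
    """Split an autorun.inf into launch targets, shell verbs and disguise keys."""
    # interpolation=None: %SystemRoot% must not be treated as a format string;
    # strict=False: real-world files repeat keys; allow_no_value: bare keys occur.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:      # not INI at all, or no [section] header
        return {"launch": [], "shell_commands": [], "disguise": {}}
    if not cp.has_section("autorun"):
        return {"launch": [], "shell_commands": [], "disguise": {}}
    sect = cp["autorun"]            # option names are lower-cased by configparser

    def val(key: str) -> str:
        return (sect.get(key) or "").strip()

    launch = [val(k) for k in LAUNCH_KEYS if val(k)]
    # shell\<verb>\command=<exe> registers a context-menu verb; with shell=<verb>
    # it becomes the drive's default double-click action.
    shell_cmds = [(k, val(k)) for k in sect
                  if k.startswith("shell\\") and k.endswith("\\command") and val(k)]
    disguise = {k: val(k) for k in DISGUISE_KEYS if val(k)}
    return {"launch": launch, "shell_commands": shell_cmds, "disguise": disguise}


def assess_autorun(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing launches."""
    info = parse_autorun(text)
    findings = []
    # Dedupe while keeping order: the same binary is usually wired to every hook.
    targets = list(dict.fromkeys(info["launch"] + [cmd for _, cmd in info["shell_commands"]]))
    for target in targets:
        first_token = target.split()[0].strip('"').lower()   # simple first-token check
        if first_token.endswith(EXEC_EXTS):
            findings.append(f"launches executable from the volume: {target}")
    if info["shell_commands"]:
        findings.append("registers shell verbs (hijacks the drive's Open/Explore action)")
    action = info["disguise"].get("action", "")
    if any(word in action.lower() for word in ("folder", "files", "open")):
        findings.append(f"action text mimics the built-in AutoPlay prompt: {action!r}")
    return findings


if __name__ == "__main__":
    for line in assess_autorun(SAMPLE_AUTORUN) or ["nothing launches"]:
        print(line)
```

Point it at an autorun.inf recovered from the sandbox or from a suspect drive; a file that only sets `label=` or `icon=` produces no findings. Whether a given host would still honour the hooks depends on the AutoRun policy (HKLM and HKCU `...\Policies\Explorer\NoDriveTypeAutoRun`, where 0xFF disables AutoRun for every drive type), so pair the file check with that registry value when scoping an incident.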

Processes

  • C:\Users\Admin\AppData\Local\Temp\443680904e6387336410454c358d85c6_JaffaCakes118.exe (PID 2572, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\443680904e6387336410454c358d85c6_JaffaCakes118.exe"
    • Modifies firewall policy service
    • Modifies security service
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\payload.exe (PID 3604, depth 2, child of 2572)
      Command line: .\payload.exe
      • Executes dropped EXE
    • C:\Users\Admin\AppData\Local\Temp\payload.exe (PID 1932, depth 2, child of 2572)
      Command line: .\payload.exe
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\payload.exe

    Filesize

    72KB

    MD5

    4e925c821c0298b84730b946c00eb9f3

    SHA1

    7f9ccdfe6e696f04abb69f60cce71b86e6a58c7d

    SHA256

    6a35cf1783360d7bafe76319ce2c4b9a448ee8ad4a12eca44c0af27555f4e5cd

    SHA512

    7ec32b961ff617c67fb4411510a7dfb6b0beaad46d2d268e74bb9e41777fea526cf635ae406b5557bdfc679dea3820d57b58c510a0697da3249bc49c1af33a4f

  • F:\autorun.inf

    Filesize

    63B

    MD5

    10190fa85f8da43aac0669c23127341f

    SHA1

    e27b5c412b10688441554fa0d5ddba4e1b094f87

    SHA256

    9133b59b498c74cfd51687046536d267dc539320f0e87293d19a78db6f57e0c8

    SHA512

    64ae064dd4864f774cd0e7056fae979da52a7e49b9ebf24c4491cbe4055f7a7d38f584eb9133185906d3901d7a5df13f42c9135c1374ebdb683706df77ad49a7

  • F:\payload_l.exe (same MD5/SHA1/SHA256/SHA512 as the submitted sample: the binary copies itself to the attached volume next to autorun.inf)

    Filesize

    100KB

    MD5

    443680904e6387336410454c358d85c6

    SHA1

    dd48fd763966a3905f9eb34fb68bc0a322b83ad2

    SHA256

    f3b1eb48ef5dcb9f9dc3d915449e49e906cda9728c5a3c0de9a05e4781096c1b

    SHA512

    fe16304fe0ff5ac071f83ad7b3783c6e79f693f3f449da104feab9ba0212a797cf7d768ae0220a8f27209281ead735447cf3a10e07c494b4db2a23afe4ab29ff

  • memory/3604-14-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB