metasploit | 30ec7dae6924bfd6fec1fd6ea65a03a367126e6c4cf5a657c07e7b493e19d2d6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe
Size

570KB
MD5

657d23a710e0d2c2cf05915a188c0799
SHA1

9b2c7dcc914bbf007e1b8a60631929bbc3672d8d
SHA256

30ec7dae6924bfd6fec1fd6ea65a03a367126e6c4cf5a657c07e7b493e19d2d6
SHA512

71d09b62f13a883b5dbf6c5ed898e38536e478842c14609f1201e273133add3ed733fd15b49a34541453aa597c9ee7d44bf7eebe627529b7f1ece5aa1fb9a8a0
SSDEEP

12288:KzahJViTIBtTR60Sbifnmeb6A+Q5j/HITGq4g/D0EwNzchOKc3T:Kzd0VDSGPzIQ5j/HITG4r0T5chOKO

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbem\wmiclisv.exe	657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\wmiclisv.exe	657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1744	657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\657d23a710e0d2c2cf05915a188c0799_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1744-1-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1744-2-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1744-5-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1744-7-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download