Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-08-2024 13:33

General

  • Target

    bbf0c8b10e3f739f2bd1cc3abbe6b073_JaffaCakes118.exe

  • Size

    106KB

  • MD5

    bbf0c8b10e3f739f2bd1cc3abbe6b073

  • SHA1

    19cb15692e8a674421821f58f6bed4160744ed73

  • SHA256

    339daf7546bbaae7cf03222ab127d726bca8f2435ed4465a7f381b0ec417c82e

  • SHA512

    d11e088d2a0e46fb75a78ffb1e8639ad4eb97234f253ad0b6c96eb302e396b554111aeb720e434d19ee0d2dc10768fca7a26c48d6b1e834b26594675fd691e1e

  • SSDEEP

    3072:P5a0pGtk+Rd2p2CXiOzgl2IwLFMnoggfRuv3:xa0EtoiKgl2IwLKndgJuv3

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbf0c8b10e3f739f2bd1cc3abbe6b073_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bbf0c8b10e3f739f2bd1cc3abbe6b073_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\kPDTGuEflbHeYkyT.vbs"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\kPDTGuEflbHeYkyT.exe
        "C:\Windows\kPDTGuEflbHeYkyT.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\kPDTGuEflbHeYkyT.exe

    Filesize

    11KB

    MD5

    6de166b671939345fc1e3f96e3b2dbc4

    SHA1

    d1f32d8fd39835fc4f65891e4e5faf44e7b92e9e

    SHA256

    205cf76ec45fc035ff37bb2cf700f5c138127f6af687b6cfa852e03dff66e166

    SHA512

    6152e2713f38e75475c82ecb88a2983d5e955ac016748156624dd86f49cb6f088160c73fe847495f2dc42e8994215a39eb527c0dbf3b66b0aa8a6bdf1e61ce27

  • C:\Windows\kPDTGuEflbHeYkyT.vbs

    Filesize

    24KB

    MD5

    ed414573e4bb2a396de025e67fef551d

    SHA1

    0b2acdd0a8abbc60cc0fdc4dc6f89a78f99c56db

    SHA256

    75b1e86915e837df6b839e4d68a6d0cef0fda58403751b987aaf847819088cb1

    SHA512

    73dedb5b2e2a221a845ec6e55bfbbdd72dbe189642295ac87f868364c971995fee0a37dd5a88e3074a50b8b7bffb6f1aeea1a15d0dc430840c60e71070b13804

  • memory/1208-14-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1208-15-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1208-25-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2360-12-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2360-10-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB