Overview

overview

10

Static

static

3

d77e1335f1...18.exe

windows7-x64

10

d77e1335f1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d77e1335f1d149970fc98a89204cfa1a_JaffaCakes118.exe

  • Size

    47KB

  • MD5

    d77e1335f1d149970fc98a89204cfa1a

  • SHA1

    b9707ac164724c590540068b0caed3540e079dd3

  • SHA256

    4d7c5b0b5ef553406927f43ddf3794a46983fb637dca663301d30ccd8be66746

  • SHA512

    55f70fae5b382cf6e677ed1139e4d76d3eff6fb47610099f1a434a2e970ce701089d4fe4296f470ead51ada4bec27c792aa1140da6cec94ac1dee22828a8f33a

  • SSDEEP

    768:T5scsxI71Hv2mTEb4YXVzancAloPCx+k2uIuHtod6gWtxVjkeaPnAJWAEnRmtl:T5sc375Ab4EBanICQFuIiyd6gWHpkea5

Score
10/10
metasploitbackdoordiscoveryevasiontrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies firewall policy service 3 TTPs 2 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d77e1335f1d149970fc98a89204cfa1a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d77e1335f1d149970fc98a89204cfa1a_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop SharedAccess
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\SysWOW64\net.exe
        net stop SharedAccess
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SharedAccess
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4428
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:464
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Security Center"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\SysWOW64\net.exe
        net stop "Security Center"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4392
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net start SharedAccess
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\net.exe
        net start SharedAccess
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start SharedAccess
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3208
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1036,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
    1⤵
      PID:2432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.reg
      Filesize

      640B

      MD5

      70237e6c7f12f17048117b2e1098aef9

      SHA1

      b9735214963e8e3b791bf7113bebbbbf65c4d36d

      SHA256

      6d93c70335964c039571168a9f805954a524287b1c628450a269ba14c10a096c

      SHA512

      bdfef5f2890afda7e9d786514d47cf2a25957c82d795ed7e71d614244fb67835fef03758e76ca1056751d7182ebad3442b412587ecc3d7dc1737d4743077bcee

      Download Submit

    • \??\c:\a.bat
      Filesize

      1KB

      MD5

      d807ec0161c542b23e37898db356c95b

      SHA1

      0aac2ef8e1d77868d932a10007efcbd0b69ecdfc

      SHA256

      56cdc18d3a8b4f2059f1e17e7017b10dcfe2eef840190843dc04fa737f5b6a37

      SHA512

      538082e228d8e61e09d368f674b581550791153b107abe189623666b81731b7f3470a079043d7ac96339217361d73b5fe62ae2b5b103499ddf750fb89d492cdf

      Download Submit

    • memory/4936-0-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/4936-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4936-29-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download