Overview

overview

10

Static

static

3

e6d6866e90...18.exe

windows7-x64

10

e6d6866e90...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    17-09-2024 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6d6866e90902a708fc0cfea69bd028a_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    e6d6866e90902a708fc0cfea69bd028a

  • SHA1

    47c26e495eefb975f5145c4fe3899588b98c0d63

  • SHA256

    2dcab2ea2abcc183d351c27be4b0c01860ab6a4250c84f76132f348548117766

  • SHA512

    5a2b15cdc979ab16805ef4d143ec8c60416043649c2815adeb1031e62db65233b4c811c1a169138cb27c1cdf8e3e26852c54707af9766931748f481b5ec89632

  • SSDEEP

    24576:pxdC6cVrb8romUZJgWfqedOoqdIjXxQRkF1mpaq8xltMK0MuDwrefAXnYW9iyW:pDC6cb8Cdhq6jXrZxlW0reoXn

Score
10/10
metasploitbackdoordiscoveryevasionthemidatrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies security service 2 TTPs 20 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 44 IoCs
  • Themida packer 34 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Drops file in System32 directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6d6866e90902a708fc0cfea69bd028a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6d6866e90902a708fc0cfea69bd028a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\Winampcrk.exe
      "C:\Users\Admin\AppData\Local\Temp\Winampcrk.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\MYBOT.exe
      "C:\Users\Admin\AppData\Local\Temp\MYBOT.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:868
      • C:\Windows\SysWOW64\windows_update.exe
        C:\Windows\system32\windows_update.exe 620 "C:\Users\Admin\AppData\Local\Temp\MYBOT.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Windows\SysWOW64\windows_update.exe
          C:\Windows\system32\windows_update.exe 760 "C:\Windows\SysWOW64\windows_update.exe"
          4⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:1792
          • C:\Windows\SysWOW64\windows_update.exe
            C:\Windows\system32\windows_update.exe 768 "C:\Windows\SysWOW64\windows_update.exe"
            5⤵
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:396
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:2152
            • C:\Windows\SysWOW64\windows_update.exe
              C:\Windows\system32\windows_update.exe 780 "C:\Windows\SysWOW64\windows_update.exe"
              6⤵
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1220
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                PID:844
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1436
              • C:\Windows\SysWOW64\windows_update.exe
                C:\Windows\system32\windows_update.exe 772 "C:\Windows\SysWOW64\windows_update.exe"
                7⤵
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2388
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2596
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:3044
                • C:\Windows\SysWOW64\windows_update.exe
                  C:\Windows\system32\windows_update.exe 784 "C:\Windows\SysWOW64\windows_update.exe"
                  8⤵
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2564
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2784
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:2588
                  • C:\Windows\SysWOW64\windows_update.exe
                    C:\Windows\system32\windows_update.exe 792 "C:\Windows\SysWOW64\windows_update.exe"
                    9⤵
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2484
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2912
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:3040
                    • C:\Windows\SysWOW64\windows_update.exe
                      C:\Windows\system32\windows_update.exe 788 "C:\Windows\SysWOW64\windows_update.exe"
                      10⤵
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2908
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2020
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:820
                      • C:\Windows\SysWOW64\windows_update.exe
                        C:\Windows\system32\windows_update.exe 800 "C:\Windows\SysWOW64\windows_update.exe"
                        11⤵
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2064
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2080
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:2800
                        • C:\Windows\SysWOW64\windows_update.exe
                          C:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"
                          12⤵
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2292
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c c:\a.bat
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2728
                            • C:\Windows\SysWOW64\regedit.exe
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              14⤵
                              • Modifies security service
                              • System Location Discovery: System Language Discovery
                              • Runs .reg file with regedit
                              PID:2980
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5e4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    784B

    MD5

    5a466127fedf6dbcd99adc917bd74581

    SHA1

    a2e60b101c8789b59360d95a64ec07d0723c4d38

    SHA256

    8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

    SHA512

    695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    82fb85e6f9058c36d57abc2350ffee7e

    SHA1

    f52708d066380d42924513f697ab4ed5492f78b8

    SHA256

    0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

    SHA512

    27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

    Download Submit

  • C:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MYBOT.exe
    Filesize

    1.4MB

    MD5

    0c3c6747aa1f75ea0b35a76576004f6f

    SHA1

    a96d1617c4586932f9790cf6886dd14cf4541957

    SHA256

    84f4c834069cb14cfe11ec85442386d4c021c51a32ea42ac747420ac5e8d849f

    SHA512

    c00d303d0e83f4f5ad11805bdf66ac363b0561d7948aee16654fca93331e5757e22f653a86830732a32c49d3e8e6f4dcd3fafcd208481fc6e5cf5030239b40b9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Winampcrk.exe
    Filesize

    122KB

    MD5

    2765fd619cf31e100c3f28b84b85ba35

    SHA1

    5a6e10edc9b6112964efd2fb45dc05b0f0916269

    SHA256

    6a5027a29992d11566d23ef3ace79d18fa2e0fe1f67a619ab79c4c10f62c7af8

    SHA512

    425d8b7ec804b316c26c677e04797fcc03a19183b7025a8a9df653fb437e1327bb7fd1cb7ee26caf54f5848de2c39b1e92b4bcf51bd958b7557543fb873704dc

    Download Submit

  • memory/1136-171-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1136-155-0x0000000000F20000-0x00000000012CF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1136-158-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1136-159-0x0000000000F20000-0x00000000012CF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1136-160-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1136-153-0x0000000000F20000-0x00000000012CF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1136-154-0x0000000000F20000-0x00000000012CF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-547-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-670-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-426-0x0000000000CB0000-0x000000000105F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-427-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-425-0x0000000000CB0000-0x000000000105F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-544-0x0000000000CB0000-0x000000000105F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-545-0x0000000000CB0000-0x000000000105F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1220-546-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1624-22-0x00000000002F0000-0x00000000003DE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/1624-24-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-23-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1624-157-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1624-145-0x0000000005200000-0x00000000055AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2064-1154-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2064-1268-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-288-0x0000000000EE0000-0x000000000128F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-290-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-166-0x0000000000EE0000-0x000000000128F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-168-0x0000000000EE0000-0x000000000128F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-169-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-307-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-287-0x0000000000EE0000-0x000000000128F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-167-0x0000000000EE0000-0x000000000128F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2184-289-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2292-1269-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2388-673-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2388-554-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2388-671-0x0000000000DF0000-0x000000000119F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2388-553-0x0000000000DF0000-0x000000000119F000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2388-672-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2388-794-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-417-0x0000000000D50000-0x00000000010FF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-296-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-428-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-419-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-418-0x0000000000D50000-0x00000000010FF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-416-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-299-0x0000000000D50000-0x00000000010FF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-298-0x0000000000D50000-0x00000000010FF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2452-297-0x0000000000D50000-0x00000000010FF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2484-917-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2484-923-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2532-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2532-19-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2532-21-0x0000000002F40000-0x00000000032EF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2564-916-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2564-795-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2908-1039-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2908-1153-0x0000000000400000-0x00000000007AF000-memory.dmp

    Filesize

    3.7MB

    Download