metasploit | 5170180a716eaf47159bf537707410dfb75dc5e78fbc79e6697f393e2d7a208c

Analysis

max time kernel
102s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
Size

816KB
MD5

e725fdbb26a61f9f037406969f2618de
SHA1

8c07c84296c35fd93ba0499856f12ee45128cf18
SHA256

5170180a716eaf47159bf537707410dfb75dc5e78fbc79e6697f393e2d7a208c
SHA512

0972faba8e0a230382ac3ac0fc832e658dece7b2f1774238e2e7525eb86fd4032fc7805844bca427fd6237c8b2502980cc58522aa236d91f05a9d5b15db9117a
SSDEEP

3072:hWe51vVRpJMFkstvxxrHA7ZFx+UMFQowJKfpThp+38uEEDUOIg:9st7rHA7xbMeLKDpKwpg

Score

10^/10

metasploit backdoor discovery macro trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://104.248.41.209:80/ZXq9

http://104.248.41.209:80/Oz1b

Attributes

headers User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	620	5048	rundll32.exe	81

Blocklisted process makes network request 1 IoCs

flow	pid	Process
28	620	rundll32.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral2/files/0x0008000000023422-26.dat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5048	WINWORD.EXE
5048	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE
5048	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 5048	4728	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe	81
PID 4728 wrote to memory of 5048	4728	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe	81
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88
PID 5048 wrote to memory of 620	5048	WINWORD.EXE	88

C:\Users\Admin\AppData\Local\Temp\e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\fundraiser_protected.docm" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    3⤵
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD9D03.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
85B

MD5
d3d4e96e0dfa38bcdb4e1e49ea7a9702

SHA1
58d8123fba63691effd12116354b12044c568b1c

SHA256
9d6a226852c0e28286d898363da730f9d4075fdcfc92a441a461a597916b73d2

SHA512
215823a3c0971c12b8e54126945d861c66c2e27ace4cc0f4bf5d04ebdb33f4eb7aa5827f94dabea1d5b13a018a7682dc12eae9da08b8dbe28ae95d105efb9bfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
02898a5df819403c72028285d8224731

SHA1
49c57a3f6a32927b49acda5df4a0e0704480e4e6

SHA256
1ffefb04638452e3fa13c079fe7bc9a7252f7699f453e76c30496497898450d2

SHA512
8b710027f428eb0c00804cc0de22e2ff5938b2a64f16dcc558acc43076d94ec6980ecb66d35d7f431839c68cac058358ddcae4174b6932e745a289b7e801c671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
728B

MD5
209f74af1529d01bc36d3973b62736e0

SHA1
aed4fb616cd3079b1426ac85868f362756584f33

SHA256
d1a61a13050809a3dbcc81f9eb4544e67774155af86d87306a837144737fda58

SHA512
1cd4114a5aede0e5451b48a257e849285a8987b6831e9132503d02d6caa99530026375127248371aa66e66bbdc5e19d18878b88f6326da67190baa4be5de073b

Download Submit
C:\Users\Admin\Documents\fundraiser_protected.docm

Filesize
791KB

MD5
154dd13d7480c3586911fe3295f1c169

SHA1
15266197d1ce2d261b60ce986e45ce62fccf6833

SHA256
efbe0e787cd9676ed0500cb736038db5bf2d78fcf63d53f3fa7414447ce5fe40

SHA512
07cdddf00a09302ea1e17c315d3af62dd93da7e8f70c892d71aecbd7cfb3ecb84882810e3ca8104c46b2e57d92ee42352b232bf2ff9bf4ee29cadfc2427d7f43

Download Submit
memory/620-69-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4728-0-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4728-586-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4728-88-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5048-24-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-10-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-16-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-21-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-20-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-22-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-19-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-15-0x00007FFA83890000-0x00007FFA838A0000-memory.dmp

Filesize
64KB

Download
memory/5048-23-0x00007FFA83890000-0x00007FFA838A0000-memory.dmp

Filesize
64KB

Download
memory/5048-17-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-14-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-13-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-12-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-11-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-87-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-18-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-89-0x00007FFAC590D000-0x00007FFAC590E000-memory.dmp

Filesize
4KB

Download
memory/5048-90-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-91-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-95-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/5048-9-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-8-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-7-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-5-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-6-0x00007FFAC590D000-0x00007FFAC590E000-memory.dmp

Filesize
4KB

Download
memory/5048-616-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-615-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-618-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-617-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/5048-619-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads