Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 13:45

General

  • Target

    edb7c7f26adec4bd34e890673d0dbfab_JaffaCakes118.exe

  • Size

    2.4MB

  • MD5

    edb7c7f26adec4bd34e890673d0dbfab

  • SHA1

    02c95afe1ce555cbd067abe9cb84c27e8a03b3ba

  • SHA256

    180f76da669e8447edca155c3054b7b709885b026fbe5d5965201ffb16500172

  • SHA512

    a28bcb5eb0a8f871bcbdb71b120a846c190035d47868bb0ad43f7be9db5b4512a5d5dce6946b64a426733d9dd8793a461643017d98b2233fb5ca317bed26a663

  • SSDEEP

    49152:fhmDLYd+MYSZPzDEVKWZ3dJcEbymfHYdnULqoykLLKZtst:pYUVYgPzDwK6JcEbyNlULjykXist

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edb7c7f26adec4bd34e890673d0dbfab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edb7c7f26adec4bd34e890673d0dbfab_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PACKED~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PACKED~2.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PACKED~2.EXE

    Filesize

    1.5MB

    MD5

    298ac98132d4cd7e4612e09f36a4ae2a

    SHA1

    80e2fb751250611c468c16cb7d8eaac01e509484

    SHA256

    f9cd6e7e90744812c5b7cc9531ed6bd59d17a17ca54d35dbc5a872e861bfcc4c

    SHA512

    3a2a62b36bbccfd6db0d0bd9d46a445addb2aa64cd9b159108ce6d12204698739667d14139204a9389db649dc5bac08db01ccc1e9acb45a16555ebad4aaf4846

  • memory/496-12-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB