metasploit | 80c1af762d414f6f5bc3624ab3999bb823ab837dad1c3de25285d542f6bd9ac8

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe
Size

926KB
MD5

f0427edfb3d0edaa7b7018f358c9ab67
SHA1

b564f2a753359d9f95bc4cc29ce0a93c7710905c
SHA256

80c1af762d414f6f5bc3624ab3999bb823ab837dad1c3de25285d542f6bd9ac8
SHA512

30caf0bd6b7ef5a297cff6d87dc054723aed10f94bdd74313baf559216a9be5fffa6c99bc5836896630e05759ebeb3cec532bbe4db2dbc2878d6bf8b51838a22
SSDEEP

12288:E8AAh/NHUhxzzdvEwE/wzUOMlq5nj8gg/c8UY6AfV4kzQeGo19deJHRbxEcw7gEk:DghxX1IMqW1RcTcQ/mHR5w7ewqv

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdrv32.sys	wmisys.exe

Deletes itself 1 IoCs

pid	Process
2300	wmisys.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	wmisys.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wmisys.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2400	f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe
2300	wmisys.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wmisys.exe	f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe
File opened for modification	C:\Windows\system\wmisys.exe	f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 21 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1864	ipconfig.exe
2304	ipconfig.exe
2420	ipconfig.exe
2764	ipconfig.exe
1564	ipconfig.exe
708	ipconfig.exe
1096	ipconfig.exe
1544	ipconfig.exe
1776	ipconfig.exe
2680	ipconfig.exe
2088	ipconfig.exe
1880	ipconfig.exe
2880	ipconfig.exe
2024	ipconfig.exe
2832	ipconfig.exe
1848	ipconfig.exe
1052	ipconfig.exe
704	ipconfig.exe
2528	ipconfig.exe
600	ipconfig.exe
1812	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmisys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wmisys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmisys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wmisys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wmisys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmisys.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe
2300	wmisys.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	wmisys.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1880	2300	wmisys.exe	29
PID 2300 wrote to memory of 1880	2300	wmisys.exe	29
PID 2300 wrote to memory of 1880	2300	wmisys.exe	29
PID 2300 wrote to memory of 1880	2300	wmisys.exe	29
PID 2300 wrote to memory of 600	2300	wmisys.exe	31
PID 2300 wrote to memory of 600	2300	wmisys.exe	31
PID 2300 wrote to memory of 600	2300	wmisys.exe	31
PID 2300 wrote to memory of 600	2300	wmisys.exe	31
PID 2300 wrote to memory of 2764	2300	wmisys.exe	35
PID 2300 wrote to memory of 2764	2300	wmisys.exe	35
PID 2300 wrote to memory of 2764	2300	wmisys.exe	35
PID 2300 wrote to memory of 2764	2300	wmisys.exe	35
PID 2300 wrote to memory of 1812	2300	wmisys.exe	37
PID 2300 wrote to memory of 1812	2300	wmisys.exe	37
PID 2300 wrote to memory of 1812	2300	wmisys.exe	37
PID 2300 wrote to memory of 1812	2300	wmisys.exe	37
PID 2300 wrote to memory of 2024	2300	wmisys.exe	39
PID 2300 wrote to memory of 2024	2300	wmisys.exe	39
PID 2300 wrote to memory of 2024	2300	wmisys.exe	39
PID 2300 wrote to memory of 2024	2300	wmisys.exe	39
PID 2300 wrote to memory of 2832	2300	wmisys.exe	41
PID 2300 wrote to memory of 2832	2300	wmisys.exe	41
PID 2300 wrote to memory of 2832	2300	wmisys.exe	41
PID 2300 wrote to memory of 2832	2300	wmisys.exe	41
PID 2300 wrote to memory of 2880	2300	wmisys.exe	43
PID 2300 wrote to memory of 2880	2300	wmisys.exe	43
PID 2300 wrote to memory of 2880	2300	wmisys.exe	43
PID 2300 wrote to memory of 2880	2300	wmisys.exe	43
PID 2300 wrote to memory of 708	2300	wmisys.exe	45
PID 2300 wrote to memory of 708	2300	wmisys.exe	45
PID 2300 wrote to memory of 708	2300	wmisys.exe	45
PID 2300 wrote to memory of 708	2300	wmisys.exe	45
PID 2300 wrote to memory of 1848	2300	wmisys.exe	47
PID 2300 wrote to memory of 1848	2300	wmisys.exe	47
PID 2300 wrote to memory of 1848	2300	wmisys.exe	47
PID 2300 wrote to memory of 1848	2300	wmisys.exe	47
PID 2300 wrote to memory of 1096	2300	wmisys.exe	49
PID 2300 wrote to memory of 1096	2300	wmisys.exe	49
PID 2300 wrote to memory of 1096	2300	wmisys.exe	49
PID 2300 wrote to memory of 1096	2300	wmisys.exe	49
PID 2300 wrote to memory of 1564	2300	wmisys.exe	51
PID 2300 wrote to memory of 1564	2300	wmisys.exe	51
PID 2300 wrote to memory of 1564	2300	wmisys.exe	51
PID 2300 wrote to memory of 1564	2300	wmisys.exe	51
PID 2300 wrote to memory of 1544	2300	wmisys.exe	53
PID 2300 wrote to memory of 1544	2300	wmisys.exe	53
PID 2300 wrote to memory of 1544	2300	wmisys.exe	53
PID 2300 wrote to memory of 1544	2300	wmisys.exe	53
PID 2300 wrote to memory of 1052	2300	wmisys.exe	55
PID 2300 wrote to memory of 1052	2300	wmisys.exe	55
PID 2300 wrote to memory of 1052	2300	wmisys.exe	55
PID 2300 wrote to memory of 1052	2300	wmisys.exe	55
PID 2300 wrote to memory of 1776	2300	wmisys.exe	57
PID 2300 wrote to memory of 1776	2300	wmisys.exe	57
PID 2300 wrote to memory of 1776	2300	wmisys.exe	57
PID 2300 wrote to memory of 1776	2300	wmisys.exe	57
PID 2300 wrote to memory of 2680	2300	wmisys.exe	59
PID 2300 wrote to memory of 2680	2300	wmisys.exe	59
PID 2300 wrote to memory of 2680	2300	wmisys.exe	59
PID 2300 wrote to memory of 2680	2300	wmisys.exe	59
PID 2300 wrote to memory of 704	2300	wmisys.exe	61
PID 2300 wrote to memory of 704	2300	wmisys.exe	61
PID 2300 wrote to memory of 704	2300	wmisys.exe	61
PID 2300 wrote to memory of 704	2300	wmisys.exe	61

C:\Users\Admin\AppData\Local\Temp\f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0427edfb3d0edaa7b7018f358c9ab67_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\system\wmisys.exe
"C:\Windows\system\wmisys.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1880
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:600
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2764
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1812
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2024
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2832
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2880
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:708
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1848
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1096
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1564
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1544
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1052
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1776
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2680
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:704
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2088
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1864
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2304
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2420
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\wmisys.exe

Filesize
926KB

MD5
f0427edfb3d0edaa7b7018f358c9ab67

SHA1
b564f2a753359d9f95bc4cc29ce0a93c7710905c

SHA256
80c1af762d414f6f5bc3624ab3999bb823ab837dad1c3de25285d542f6bd9ac8

SHA512
30caf0bd6b7ef5a297cff6d87dc054723aed10f94bdd74313baf559216a9be5fffa6c99bc5836896630e05759ebeb3cec532bbe4db2dbc2878d6bf8b51838a22

Download Submit
memory/2300-21-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-10-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-39-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-38-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-22-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-37-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-9-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-23-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-11-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-24-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-15-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-17-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-18-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-19-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-20-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-36-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-35-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-34-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-13-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-25-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-26-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-27-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-28-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-29-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-30-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-31-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-32-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2300-33-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2400-2-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2400-1-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2400-0-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2400-8-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2400-6-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2400-5-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download