Overview

overview

10

Static

static

3

f052347e93...18.exe

windows7-x64

10

f052347e93...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f052347e9314846d6edd49d64df97aeb_JaffaCakes118.exe

  • Size

    209KB

  • MD5

    f052347e9314846d6edd49d64df97aeb

  • SHA1

    bff4af3dbd5e691828d05b07e64f91cb857a6367

  • SHA256

    335a13fd4fa4710e331261898883ef03dda84b293c189fcaf291fe9fdbafc256

  • SHA512

    27780ffcd387e69daa27fd431c88555bf88ace7bfe7ba418c1850548540c2d2e33495844fa8b871a97395607a8cefa391cc2e4bd66c201e447fb5767c173361f

  • SSDEEP

    6144:hlqtXlhQ8ZK0lAswvP6bQ7yMP+DE827YYscT:hlogQKXd6b7MP+Dd2UYZT

Score
10/10
metasploitbackdoorbootkitdiscoveryevasionpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies security service 2 TTPs 20 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 33 IoCs
  • Runs .reg file with regedit 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f052347e9314846d6edd49d64df97aeb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f052347e9314846d6edd49d64df97aeb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:828
    • C:\Windows\SysWOW64\WinzAPI32.exe
      C:\Windows\system32\WinzAPI32.exe 464 "C:\Users\Admin\AppData\Local\Temp\f052347e9314846d6edd49d64df97aeb_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2324
      • C:\Windows\SysWOW64\WinzAPI32.exe
        C:\Windows\system32\WinzAPI32.exe 536 "C:\Windows\SysWOW64\WinzAPI32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1908
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:2216
        • C:\Windows\SysWOW64\WinzAPI32.exe
          C:\Windows\system32\WinzAPI32.exe 540 "C:\Windows\SysWOW64\WinzAPI32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:2828
          • C:\Windows\SysWOW64\WinzAPI32.exe
            C:\Windows\system32\WinzAPI32.exe 544 "C:\Windows\SysWOW64\WinzAPI32.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2328
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:1240
            • C:\Windows\SysWOW64\WinzAPI32.exe
              C:\Windows\system32\WinzAPI32.exe 548 "C:\Windows\SysWOW64\WinzAPI32.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Writes to the Master Boot Record (MBR)
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1600
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1716
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1700
              • C:\Windows\SysWOW64\WinzAPI32.exe
                C:\Windows\system32\WinzAPI32.exe 552 "C:\Windows\SysWOW64\WinzAPI32.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Writes to the Master Boot Record (MBR)
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:3068
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2728
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:1712
                • C:\Windows\SysWOW64\WinzAPI32.exe
                  C:\Windows\system32\WinzAPI32.exe 556 "C:\Windows\SysWOW64\WinzAPI32.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Writes to the Master Boot Record (MBR)
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  PID:2620
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2436
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:1888
                  • C:\Windows\SysWOW64\WinzAPI32.exe
                    C:\Windows\system32\WinzAPI32.exe 560 "C:\Windows\SysWOW64\WinzAPI32.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    PID:1084
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2528
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:2996
                    • C:\Windows\SysWOW64\WinzAPI32.exe
                      C:\Windows\system32\WinzAPI32.exe 564 "C:\Windows\SysWOW64\WinzAPI32.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Writes to the Master Boot Record (MBR)
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      PID:3016
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1328
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:2040
                      • C:\Windows\SysWOW64\WinzAPI32.exe
                        C:\Windows\system32\WinzAPI32.exe 572 "C:\Windows\SysWOW64\WinzAPI32.exe"
                        11⤵
                        • Executes dropped EXE
                        • Writes to the Master Boot Record (MBR)
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        PID:1652
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2384
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:1548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    82fb85e6f9058c36d57abc2350ffee7e

    SHA1

    f52708d066380d42924513f697ab4ed5492f78b8

    SHA256

    0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

    SHA512

    27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

    Download Submit

  • C:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • \Windows\SysWOW64\WinzAPI32.exe
    Filesize

    209KB

    MD5

    f052347e9314846d6edd49d64df97aeb

    SHA1

    bff4af3dbd5e691828d05b07e64f91cb857a6367

    SHA256

    335a13fd4fa4710e331261898883ef03dda84b293c189fcaf291fe9fdbafc256

    SHA512

    27780ffcd387e69daa27fd431c88555bf88ace7bfe7ba418c1850548540c2d2e33495844fa8b871a97395607a8cefa391cc2e4bd66c201e447fb5767c173361f

    Download Submit

  • memory/1048-393-0x0000000002F20000-0x000000000304F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1048-390-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1084-887-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1420-272-0x0000000003000000-0x000000000312F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1420-269-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1600-515-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1600-632-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1652-1127-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2328-511-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2520-140-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2520-136-0x0000000000250000-0x0000000000280000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2520-135-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2520-142-0x0000000000240000-0x0000000000245000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2520-141-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2520-150-0x0000000002E60000-0x0000000002F8F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2520-139-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2520-138-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2520-151-0x0000000002E60000-0x0000000002F8F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2520-145-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2520-146-0x0000000000250000-0x0000000000280000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2620-873-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2960-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-1-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2960-2-0x0000000000280000-0x00000000002B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2960-3-0x00000000001D0000-0x00000000001D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2960-144-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2960-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-134-0x0000000002E60000-0x0000000002F8F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2960-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-9-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2960-10-0x00000000001E0000-0x00000000001E3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2960-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-1007-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3068-752-0x0000000000400000-0x000000000052F000-memory.dmp

    Filesize

    1.2MB

    Download