Overview

overview

10

Static

static

10

f3a255cd5e...18.exe

windows7-x64

10

f3a255cd5e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    18s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe

  • Size

    107KB

  • MD5

    f3a255cd5e198a6a1518c8cab2c0ac2f

  • SHA1

    700434728083617c758d4c893959e2e63562b353

  • SHA256

    5ce3f9c4752da334a00af6aa22550da57e77adab646b3774c6d9eeabe2f2ccd5

  • SHA512

    0b33d534858bd56f375323f42bb6046d9082a1dbf437f665ebc8a38c22643309c6d40d484f8532c36ab7a82d4b7f162e0bf6a3274ed47b67a083b1b6870cf2ed

  • SSDEEP

    3072:cgZoEWJnMecMTMD8+ZMzyBygGUxCPfgLy6W:d6JnRTf+LBygb1Ly6

Score
10/10
metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3608
      • C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\fwadd.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f3a255cd5e198a6a1518c8cab2c0ac2f_JaffaCakes118.exe" "System Services Monitor" ENABLE
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2480

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\fwadd.bat
      Filesize

      173B

      MD5

      08f29a4cbcc5a1cdcfbfe4835d8b09cf

      SHA1

      d45d861790c8aabada626c8882df8c2bb1326deb

      SHA256

      d159043a90a1907e54cc41f22f06302233bec031a381b2aa61ceb2a705763fa6

      SHA512

      db3bd3ace6bb8b2f66ed9188d9618e7e3476f73bc06f81351a2cb78c7b6cc20778173a078306e0cf23e879262369191d59808038bd980ad769f4f1d73b8eb29c

      Download Submit

    • memory/1576-0-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1576-6-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download