Overview

overview

10

Static

static

3

f420bad960...18.exe

windows7-x64

10

f420bad960...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe

  • Size

    477KB

  • MD5

    f420bad96029b024d42e23c5b9300e44

  • SHA1

    79ef3ab63be198ed25851febee5c3bc603dc1d7a

  • SHA256

    17b0f65a3acf878d72123a1648ce0490307ff176abf2117cb23b9ca30417a02e

  • SHA512

    f962d6aeb2bb8e0a1a00a86dd709152542c9dd95750b062da6a86eec7b743e7e8610714663753530497219b21e0f37b8a4a1de204a638a0778cbd1d1e244d370

  • SSDEEP

    12288:HIlKyhSac+JN0So1IImovQdkd2ABbl1HhjGR:olFhSnvSko47HJ6

Score
10/10
metasploitbackdoordiscoverytrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Executes dropped EXE 24 IoCs
  • Drops file in System32 directory 48 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Windows\SysWOW64\pnmg.exe
      C:\Windows\system32\pnmg.exe 1336 "C:\Users\Admin\AppData\Local\Temp\f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3368
      • C:\Windows\SysWOW64\utoy.exe
        C:\Windows\system32\utoy.exe 1228 "C:\Windows\SysWOW64\pnmg.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\SysWOW64\sefl.exe
          C:\Windows\system32\sefl.exe 1220 "C:\Windows\SysWOW64\utoy.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4332
          • C:\Windows\SysWOW64\mxcu.exe
            C:\Windows\system32\mxcu.exe 1240 "C:\Windows\SysWOW64\sefl.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3364
            • C:\Windows\SysWOW64\rhbh.exe
              C:\Windows\system32\rhbh.exe 1244 "C:\Windows\SysWOW64\mxcu.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2464
              • C:\Windows\SysWOW64\mayh.exe
                C:\Windows\system32\mayh.exe 1256 "C:\Windows\SysWOW64\rhbh.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1412
                • C:\Windows\SysWOW64\jcpu.exe
                  C:\Windows\system32\jcpu.exe 1252 "C:\Windows\SysWOW64\mayh.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1696
                  • C:\Windows\SysWOW64\ldmc.exe
                    C:\Windows\system32\ldmc.exe 1396 "C:\Windows\SysWOW64\jcpu.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2008
                    • C:\Windows\SysWOW64\jfli.exe
                      C:\Windows\system32\jfli.exe 1408 "C:\Windows\SysWOW64\ldmc.exe"
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:1756
                      • C:\Windows\SysWOW64\lghq.exe
                        C:\Windows\system32\lghq.exe 1272 "C:\Windows\SysWOW64\jfli.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4556
                        • C:\Windows\SysWOW64\iiyd.exe
                          C:\Windows\system32\iiyd.exe 1432 "C:\Windows\SysWOW64\lghq.exe"
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1884
                          • C:\Windows\SysWOW64\cjvd.exe
                            C:\Windows\system32\cjvd.exe 1292 "C:\Windows\SysWOW64\iiyd.exe"
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4592
                            • C:\Windows\SysWOW64\ilur.exe
                              C:\Windows\system32\ilur.exe 1372 "C:\Windows\SysWOW64\cjvd.exe"
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:3852
                              • C:\Windows\SysWOW64\cerz.exe
                                C:\Windows\system32\cerz.exe 1448 "C:\Windows\SysWOW64\ilur.exe"
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:1164
                                • C:\Windows\SysWOW64\hoie.exe
                                  C:\Windows\system32\hoie.exe 1380 "C:\Windows\SysWOW64\cerz.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:4840
                                  • C:\Windows\SysWOW64\bhfm.exe
                                    C:\Windows\system32\bhfm.exe 1312 "C:\Windows\SysWOW64\hoie.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:3204
                                    • C:\Windows\SysWOW64\zkea.exe
                                      C:\Windows\system32\zkea.exe 1308 "C:\Windows\SysWOW64\bhfm.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:2204
                                      • C:\Windows\SysWOW64\bkba.exe
                                        C:\Windows\system32\bkba.exe 1344 "C:\Windows\SysWOW64\zkea.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of WriteProcessMemory
                                        PID:4472
                                        • C:\Windows\SysWOW64\ynsn.exe
                                          C:\Windows\system32\ynsn.exe 1348 "C:\Windows\SysWOW64\bkba.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:4540
                                          • C:\Windows\SysWOW64\snpv.exe
                                            C:\Windows\system32\snpv.exe 1356 "C:\Windows\SysWOW64\ynsn.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:1572
                                            • C:\Windows\SysWOW64\yqoj.exe
                                              C:\Windows\system32\yqoj.exe 1352 "C:\Windows\SysWOW64\snpv.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of WriteProcessMemory
                                              PID:3956
                                              • C:\Windows\SysWOW64\sqlj.exe
                                                C:\Windows\system32\sqlj.exe 1512 "C:\Windows\SysWOW64\yqoj.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:1656
                                                • C:\Windows\SysWOW64\xtcw.exe
                                                  C:\Windows\system32\xtcw.exe 1400 "C:\Windows\SysWOW64\sqlj.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4648
                                                  • C:\Windows\SysWOW64\rlyw.exe
                                                    C:\Windows\system32\rlyw.exe 1412 "C:\Windows\SysWOW64\xtcw.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\pnmg.exe
    Filesize

    477KB

    MD5

    f420bad96029b024d42e23c5b9300e44

    SHA1

    79ef3ab63be198ed25851febee5c3bc603dc1d7a

    SHA256

    17b0f65a3acf878d72123a1648ce0490307ff176abf2117cb23b9ca30417a02e

    SHA512

    f962d6aeb2bb8e0a1a00a86dd709152542c9dd95750b062da6a86eec7b743e7e8610714663753530497219b21e0f37b8a4a1de204a638a0778cbd1d1e244d370

    Download Submit

  • memory/1164-116-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1164-127-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1412-52-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1412-63-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1696-71-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1696-60-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1756-87-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1756-76-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1884-93-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1884-103-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2008-79-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2008-69-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2204-140-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2204-151-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2244-20-0x00000000027C0000-0x00000000028B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2244-31-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2244-30-0x00000000027C0000-0x00000000028B0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2244-19-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2464-44-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2464-55-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3204-133-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3204-143-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3364-47-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3364-37-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3368-22-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3368-10-0x0000000002A60000-0x0000000002B50000-memory.dmp

    Filesize

    960KB

    Download

  • memory/3368-8-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3852-119-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3852-109-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4332-27-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4332-39-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4472-149-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4472-159-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4540-166-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4540-157-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4556-95-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4556-85-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4592-111-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4592-101-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4840-135-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4840-125-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5080-9-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5080-12-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5080-1-0x0000000002970000-0x0000000002A60000-memory.dmp

    Filesize

    960KB

    Download

  • memory/5080-13-0x0000000002970000-0x0000000002A60000-memory.dmp

    Filesize

    960KB

    Download

  • memory/5080-0-0x0000000000400000-0x00000000008E4000-memory.dmp

    Filesize

    4.9MB

    Download