Overview

overview

10

Static

static

3

f7b95748be...18.exe

windows7-x64

10

f7b95748be...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    f7b95748be0dcb35fd6e9082c3e758f4

  • SHA1

    56056e7b42ce97cfff697bb8c912dab1d700c038

  • SHA256

    8223d57e113fdab4003cbdb87d78e399ed84c4b13a65c4790a36cdddc3484b48

  • SHA512

    9643c80d871208c0486635e742745399a6b9d30de33777de25e24c29da634e271c5b3bedcaf81e34888e6017afe1a40867bfee198a186a0c8b0d6329a6136f09

  • SSDEEP

    24576:pfBc0H7qvHHwvb7YccVlxUioAJje9E7+j+Y/qN5FzFRd2H/zzNt7Y6mQ6QUzGjpn:pf2G79v/xSHzBJ6WC+j2bpW+6Q4GIP

Score
10/10
metasploitbackdoordiscoveryevasionthemidatrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies security service 2 TTPs 20 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 44 IoCs
  • Themida packer 29 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Drops file in System32 directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Local\Temp\Rapidshare Auto-Downloader v1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Rapidshare Auto-Downloader v1.1.exe"
      2⤵
      • Executes dropped EXE
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\MINE.exe
      "C:\Users\Admin\AppData\Local\Temp\MINE.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:2368
      • C:\Windows\SysWOW64\windows_update.exe
        C:\Windows\system32\windows_update.exe 656 "C:\Users\Admin\AppData\Local\Temp\MINE.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\windows_update.exe
          C:\Windows\system32\windows_update.exe 772 "C:\Windows\SysWOW64\windows_update.exe"
          4⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:292
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:2616
          • C:\Windows\SysWOW64\windows_update.exe
            C:\Windows\system32\windows_update.exe 788 "C:\Windows\SysWOW64\windows_update.exe"
            5⤵
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2080
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:2316
            • C:\Windows\SysWOW64\windows_update.exe
              C:\Windows\system32\windows_update.exe 792 "C:\Windows\SysWOW64\windows_update.exe"
              6⤵
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1556
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1956
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1324
              • C:\Windows\SysWOW64\windows_update.exe
                C:\Windows\system32\windows_update.exe 784 "C:\Windows\SysWOW64\windows_update.exe"
                7⤵
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1676
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3004
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:748
                • C:\Windows\SysWOW64\windows_update.exe
                  C:\Windows\system32\windows_update.exe 800 "C:\Windows\SysWOW64\windows_update.exe"
                  8⤵
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2528
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:304
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:2952
                  • C:\Windows\SysWOW64\windows_update.exe
                    C:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"
                    9⤵
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:888
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2716
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:2512
                    • C:\Windows\SysWOW64\windows_update.exe
                      C:\Windows\system32\windows_update.exe 808 "C:\Windows\SysWOW64\windows_update.exe"
                      10⤵
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1472
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1332
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:3036
                      • C:\Windows\SysWOW64\windows_update.exe
                        C:\Windows\system32\windows_update.exe 812 "C:\Windows\SysWOW64\windows_update.exe"
                        11⤵
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2612
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2720
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:2100
                        • C:\Windows\SysWOW64\windows_update.exe
                          C:\Windows\system32\windows_update.exe 816 "C:\Windows\SysWOW64\windows_update.exe"
                          12⤵
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2484
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c c:\a.bat
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2836
                            • C:\Windows\SysWOW64\regedit.exe
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              14⤵
                              • Modifies security service
                              • System Location Discovery: System Language Discovery
                              • Runs .reg file with regedit
                              PID:1696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    478B

    MD5

    1a00c84e2e8a76c3caa6c0b89f9f0d6d

    SHA1

    2650e962d49c5800edb569ee1b989edc8868d9b9

    SHA256

    f477217e9368c8114de7621c41a01818957dae31140ffd7df2b39705c72543e6

    SHA512

    a5f2f271184ff3bad04dd2135e7d32ca32c2ad24400832ec8a143dcbc20449ede4e06b48479ba93609cb1caf0b41a9143698eafb07b032ebdd609e399d62288c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    584f47a0068747b3295751a0d591f4ee

    SHA1

    7886a90e507c56d3a6105ecdfd9ff77939afa56f

    SHA256

    927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

    SHA512

    ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    10B

    MD5

    c756b8eac93de58d57105a6c35adb50f

    SHA1

    b18d370dabc3c5b9e82d74f19bbc101a1be009f2

    SHA256

    853448e59c9bb7599fa8a5ff03a0b608781a02d41f58576f1192e0c48cb8d635

    SHA512

    09fbfe4a17b1fb6167c6889e5a0ab41cfef9e1372796e69c2558a50a002d9c1e2b0d81d45d7f96be9d02a8025d0ae276ecc01f135e9ccb04c301adcffd67d263

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rapidshare Auto-Downloader v1.1.exe
    Filesize

    76KB

    MD5

    9107c5b32cdddbde5f90651e763c0353

    SHA1

    f20da90385e3b6d05daa2f8dcbbd571305315255

    SHA256

    01f36bdf56a2f3a2fd7ad8eb4de378492039c554569080a664ef39dfa0a4354e

    SHA512

    9d2c1e62118395c9f9490daa2fb67cb557b26bfe9dd1a7cf6fecdb0e61f7355116e005b0830cbfaec5144006bd6a63c8963c556dd50dc46ca92898d732171834

    Download Submit

  • C:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MINE.exe
    Filesize

    1.4MB

    MD5

    9c0595fe4367e61e2e578ef6fa5e3d0f

    SHA1

    99a64947b86b69e2dda873076e18433a63338729

    SHA256

    60591d011a090da281ada86b6b9d505e7faa491ce23304b74f7e243a973d5714

    SHA512

    898712fa3192ccdfbb0346119357bada0839d58d095c18099ac839778b10eb13372618bf0ad0187b4a4526f95a6058bb5bbcd137046bbfb7ef19c60fa0417c85

    Download Submit

  • memory/888-929-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/888-916-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1472-1037-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1472-1151-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1556-553-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1556-425-0x0000000000E70000-0x0000000001244000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1556-426-0x0000000000E70000-0x0000000001244000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1556-544-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1556-545-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1676-670-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1676-552-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1676-551-0x0000000000F30000-0x0000000001304000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1676-669-0x0000000000F30000-0x0000000001304000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1676-671-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1676-792-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-290-0x0000000000FE0000-0x00000000013B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-168-0x0000000000FE0000-0x00000000013B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-172-0x0000000000FE0000-0x00000000013B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-171-0x0000000000FE0000-0x00000000013B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-289-0x0000000000FE0000-0x00000000013B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-291-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-292-0x0000000000FE0000-0x00000000013B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-294-0x00000000050E0000-0x00000000054B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-301-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1852-173-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2288-20-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2288-0-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2528-794-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2528-800-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2612-1266-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2612-1152-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2692-158-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2692-21-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-145-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2692-146-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2736-149-0x0000000004B20000-0x0000000004EF4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2736-148-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-161-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-160-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-154-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-157-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-159-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-147-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-167-0x00000000050E0000-0x00000000054B4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-153-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2880-170-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3020-435-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3020-299-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3020-417-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3020-300-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3020-419-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3020-418-0x0000000000E10000-0x00000000011E4000-memory.dmp

    Filesize

    3.8MB

    Download