Overview

overview

10

Static

static

3

a013e042fd...18.exe

windows7-x64

10

a013e042fd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 05:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a013e042fd3b29d8cf025dcd5ddf42fe_JaffaCakes118.exe

  • Size

    268KB

  • MD5

    a013e042fd3b29d8cf025dcd5ddf42fe

  • SHA1

    73e0ee75f2e4409e6474ea0cdab5136b36ec4815

  • SHA256

    e5968810f892fa7dece83469e4518349ba36389a17ab4ed9f005ca0553ab4240

  • SHA512

    ca02f71bdb0e59b23c232dc0d380cbb870060e4dac07a27e4a0acadb7f7cfbad2f3715df55ae403df4822c49498b666dcc3ed10d4e68a000f5c974d9720c7bd6

  • SSDEEP

    6144:PnXeA256QmuWOYDcvS2PL3SKHivnLasPasuasVsPasEas+asZaswasxasP5as2aQ:PnXeA25CuDWc5+KHivLasPasuasVsPa8

Score
10/10
metasploitbackdoordiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies firewall policy service 3 TTPs 8 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\a013e042fd3b29d8cf025dcd5ddf42fe_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a013e042fd3b29d8cf025dcd5ddf42fe_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Local\Temp\a013e042fd3b29d8cf025dcd5ddf42fe_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\a013e042fd3b29d8cf025dcd5ddf42fe_JaffaCakes118.exe"
          3⤵
          • Checks computer location settings
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Windows\SysWOW64\igfxmp64.exe
            "C:\Windows\SysWOW64\igfxmp64.exe" C:\Users\Admin\AppData\Local\Temp\A013E0~1.EXE
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Windows\SysWOW64\igfxmp64.exe
              "C:\Windows\SysWOW64\igfxmp64.exe" C:\Users\Admin\AppData\Local\Temp\A013E0~1.EXE
              5⤵
              • Modifies firewall policy service
              • Deletes itself
              • Executes dropped EXE
              • Adds Run key to start application
              • Maps connected drives based on registry
              • Drops autorun.inf file
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2204

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Replication Through Removable Media

    1
    T1091

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Replication Through Removable Media

    1
    T1091

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\igfxmp64.exe
      Filesize

      268KB

      MD5

      a013e042fd3b29d8cf025dcd5ddf42fe

      SHA1

      73e0ee75f2e4409e6474ea0cdab5136b36ec4815

      SHA256

      e5968810f892fa7dece83469e4518349ba36389a17ab4ed9f005ca0553ab4240

      SHA512

      ca02f71bdb0e59b23c232dc0d380cbb870060e4dac07a27e4a0acadb7f7cfbad2f3715df55ae403df4822c49498b666dcc3ed10d4e68a000f5c974d9720c7bd6

      Download Submit

    • memory/1032-0-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/1032-2-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/1032-3-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/1032-4-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/1032-38-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2204-45-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2204-46-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2204-47-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2204-51-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2204-53-0x0000000000400000-0x0000000000464000-memory.dmp

      Filesize

      400KB

      Download