metasploit | de90e3562c1dd0299f488703efeae830f6497f861105955ed1871ab7c6bc7def

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe
Size

526KB
MD5

b0bb51b66a38aa80dc26e514fab25feb
SHA1

f4d27ba155a8d5aec637277d3cac39354f4b354a
SHA256

de90e3562c1dd0299f488703efeae830f6497f861105955ed1871ab7c6bc7def
SHA512

579627d92cb013046ac07315e5895945d047a1c3c298977e97224954afdd101cf441597d32d489f0f28dbf0caa26a084a8b8a5eb4c93262259b114d78ae9e6fb
SSDEEP

12288:veDDbmkeCU1QzAwK88H8e+DGV97VPtn9YPquQKVBhf9Cxa:GD/mkZ+wKDce+CPVtnO2g3f9

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdrv32.sys	wmisys.exe

Deletes itself 1 IoCs

pid	Process
2816	wmisys.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	wmisys.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wmisys.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2368	b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe
2816	wmisys.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wmisys.exe	b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe
File opened for modification	C:\Windows\system\wmisys.exe	b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 21 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2208	ipconfig.exe
2044	ipconfig.exe
1844	ipconfig.exe
316	ipconfig.exe
1500	ipconfig.exe
2744	ipconfig.exe
2508	ipconfig.exe
2884	ipconfig.exe
1244	ipconfig.exe
2680	ipconfig.exe
3016	ipconfig.exe
1276	ipconfig.exe
2016	ipconfig.exe
2260	ipconfig.exe
2624	ipconfig.exe
1420	ipconfig.exe
2952	ipconfig.exe
1100	ipconfig.exe
2528	ipconfig.exe
2792	ipconfig.exe
3008	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wmisys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmisys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wmisys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wmisys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmisys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmisys.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2368	b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe
2816	wmisys.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	wmisys.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3008	2816	wmisys.exe	31
PID 2816 wrote to memory of 3008	2816	wmisys.exe	31
PID 2816 wrote to memory of 3008	2816	wmisys.exe	31
PID 2816 wrote to memory of 3008	2816	wmisys.exe	31
PID 2816 wrote to memory of 2884	2816	wmisys.exe	33
PID 2816 wrote to memory of 2884	2816	wmisys.exe	33
PID 2816 wrote to memory of 2884	2816	wmisys.exe	33
PID 2816 wrote to memory of 2884	2816	wmisys.exe	33
PID 2816 wrote to memory of 1420	2816	wmisys.exe	36
PID 2816 wrote to memory of 1420	2816	wmisys.exe	36
PID 2816 wrote to memory of 1420	2816	wmisys.exe	36
PID 2816 wrote to memory of 1420	2816	wmisys.exe	36
PID 2816 wrote to memory of 2208	2816	wmisys.exe	38
PID 2816 wrote to memory of 2208	2816	wmisys.exe	38
PID 2816 wrote to memory of 2208	2816	wmisys.exe	38
PID 2816 wrote to memory of 2208	2816	wmisys.exe	38
PID 2816 wrote to memory of 2044	2816	wmisys.exe	40
PID 2816 wrote to memory of 2044	2816	wmisys.exe	40
PID 2816 wrote to memory of 2044	2816	wmisys.exe	40
PID 2816 wrote to memory of 2044	2816	wmisys.exe	40
PID 2816 wrote to memory of 2952	2816	wmisys.exe	42
PID 2816 wrote to memory of 2952	2816	wmisys.exe	42
PID 2816 wrote to memory of 2952	2816	wmisys.exe	42
PID 2816 wrote to memory of 2952	2816	wmisys.exe	42
PID 2816 wrote to memory of 1100	2816	wmisys.exe	44
PID 2816 wrote to memory of 1100	2816	wmisys.exe	44
PID 2816 wrote to memory of 1100	2816	wmisys.exe	44
PID 2816 wrote to memory of 1100	2816	wmisys.exe	44
PID 2816 wrote to memory of 2016	2816	wmisys.exe	46
PID 2816 wrote to memory of 2016	2816	wmisys.exe	46
PID 2816 wrote to memory of 2016	2816	wmisys.exe	46
PID 2816 wrote to memory of 2016	2816	wmisys.exe	46
PID 2816 wrote to memory of 1844	2816	wmisys.exe	48
PID 2816 wrote to memory of 1844	2816	wmisys.exe	48
PID 2816 wrote to memory of 1844	2816	wmisys.exe	48
PID 2816 wrote to memory of 1844	2816	wmisys.exe	48
PID 2816 wrote to memory of 1276	2816	wmisys.exe	50
PID 2816 wrote to memory of 1276	2816	wmisys.exe	50
PID 2816 wrote to memory of 1276	2816	wmisys.exe	50
PID 2816 wrote to memory of 1276	2816	wmisys.exe	50
PID 2816 wrote to memory of 316	2816	wmisys.exe	52
PID 2816 wrote to memory of 316	2816	wmisys.exe	52
PID 2816 wrote to memory of 316	2816	wmisys.exe	52
PID 2816 wrote to memory of 316	2816	wmisys.exe	52
PID 2816 wrote to memory of 1244	2816	wmisys.exe	54
PID 2816 wrote to memory of 1244	2816	wmisys.exe	54
PID 2816 wrote to memory of 1244	2816	wmisys.exe	54
PID 2816 wrote to memory of 1244	2816	wmisys.exe	54
PID 2816 wrote to memory of 2260	2816	wmisys.exe	56
PID 2816 wrote to memory of 2260	2816	wmisys.exe	56
PID 2816 wrote to memory of 2260	2816	wmisys.exe	56
PID 2816 wrote to memory of 2260	2816	wmisys.exe	56
PID 2816 wrote to memory of 1500	2816	wmisys.exe	58
PID 2816 wrote to memory of 1500	2816	wmisys.exe	58
PID 2816 wrote to memory of 1500	2816	wmisys.exe	58
PID 2816 wrote to memory of 1500	2816	wmisys.exe	58
PID 2816 wrote to memory of 2528	2816	wmisys.exe	60
PID 2816 wrote to memory of 2528	2816	wmisys.exe	60
PID 2816 wrote to memory of 2528	2816	wmisys.exe	60
PID 2816 wrote to memory of 2528	2816	wmisys.exe	60
PID 2816 wrote to memory of 2744	2816	wmisys.exe	62
PID 2816 wrote to memory of 2744	2816	wmisys.exe	62
PID 2816 wrote to memory of 2744	2816	wmisys.exe	62
PID 2816 wrote to memory of 2744	2816	wmisys.exe	62

C:\Users\Admin\AppData\Local\Temp\b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0bb51b66a38aa80dc26e514fab25feb_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system\wmisys.exe
"C:\Windows\system\wmisys.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:3008
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2884
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1420
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2208
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2044
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2952
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1100
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2016
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1844
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1276
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:316
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1244
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2260
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1500
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2528
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2744
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2508
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2792
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2624
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2680
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\wmisys.exe

Filesize
526KB

MD5
b0bb51b66a38aa80dc26e514fab25feb

SHA1
f4d27ba155a8d5aec637277d3cac39354f4b354a

SHA256
de90e3562c1dd0299f488703efeae830f6497f861105955ed1871ab7c6bc7def

SHA512
579627d92cb013046ac07315e5895945d047a1c3c298977e97224954afdd101cf441597d32d489f0f28dbf0caa26a084a8b8a5eb4c93262259b114d78ae9e6fb

Download Submit
memory/2368-18-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2368-1-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2368-2-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2368-3-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2368-4-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2368-7-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2368-8-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2368-0-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-21-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-27-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-14-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-16-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-13-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-19-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-20-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-10-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-22-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-23-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-24-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-25-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-26-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-12-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-28-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-29-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-30-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-31-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-32-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-33-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-34-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-35-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-36-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-37-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-38-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2816-39-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download