Analysis

  • max time kernel
    105s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 11:58

General

  • Target

    ccdf968440a23417b86c84ebaae31fb5_JaffaCakes118.exe

  • Size

    434KB

  • MD5

    ccdf968440a23417b86c84ebaae31fb5

  • SHA1

    d77d9600a9932cc1126a007ed1002f47d2aa3715

  • SHA256

    b9a53039be2a305e3b30e30696d4c8c441ac96dfaf1717c3de9232f8f8abfe6c

  • SHA512

    6a747cfc9eaa110d365587ae9ca4daf7dfb4c8cd4f9ae730eb575db474949aa89a84e5d3a5fd82907c4247c67bfc7d468c82ba76d84a2dd8ae3b35fb3bcf1a42

  • SSDEEP

    12288:4LFogcK7y/yfv+uo7yPHYUX848TJiP61wtBoGxNt95a3:4LCdKe/mma3d8TJiP67G195a3

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

58.136.50.131:4455

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccdf968440a23417b86c84ebaae31fb5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ccdf968440a23417b86c84ebaae31fb5_JaffaCakes118.exe"
    Process tree depth: 1
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe
      Process tree depth: 2
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
      Process tree depth: 2
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe

    Filesize

    37KB

    MD5

    5c4253e49a74d2a37e9de8158d792e60

    SHA1

    5d2555fb1cbc23a15b93a1a8a7d59bec6aee1f64

    SHA256

    29f95729e262d506a5f411563734264c89f79be8b5ec67bc004d16ac8f2620a3

    SHA512

    3e490394c4aa47d3efaf734cf23610af186e83956a13b70a09fbd5a39044b147202cb6e60e58e832afe972241e8d2062b4cbd49ab51279c30491325c6fb23420

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe

    Filesize

    1009KB

    MD5

    12896823fb95bfb3dc9b46bcaedc9923

    SHA1

    9d2bf84874abc5b6e9a2744b7865c193c08d362f

    SHA256

    1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455

    SHA512

    de5ff5c5bb0fea3f9d08dd1746a6b00501a1e3ca76cfd11adcb8b714c537e1b97abcfa3ad136eb12221b4c503183946c92a583ffb535e302d7aa12c6fe598ed9

  • memory/4976-10-0x00000000004F0000-0x00000000004F1000-memory.dmp

    Filesize

    4KB