Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-12-2024 12:40

General

  • Target

    d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe

  • Size

    673KB

  • MD5

    d9aa5632bd7daeda4d9eaa9c4423edf1

  • SHA1

    6a60fe010e04551c27cd2aef53f1bbea8bdc4685

  • SHA256

    ce640c918e47daa06332ced69c05b632b37bc728761b0d479022b3b65194646b

  • SHA512

    91f8b4b64a3a60ffcb0ed81c7cdb6563748be836cb025edf8976dfbcab15246bd263fa07c28104c8ed80d8434696aa8bb6131546911a3c1a888bd09861c3b8e8

  • SSDEEP

    12288:NYY1zds7OOtjYCxKb99VWT4NMLa4MTVVG4BRFhaiRvtqNtYMUQIZuzwpQAb8Pt:eqzdsjdYlbk4qLxMTVVGQRFEiRFqv0Ab

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Modifies security service 2 TTPs 18 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 28 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Drops file in System32 directory 20 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Runs .reg file with regedit 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Users\Admin\AppData\Local\Temp\bot.exe
      "C:\Users\Admin\AppData\Local\Temp\bot.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Local\Temp\wr-1-1285.exe
        "C:\Users\Admin\AppData\Local\Temp\wr-1-1285.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2780
      • C:\Users\Admin\AppData\Local\Temp\BoaT.exe
        "C:\Users\Admin\AppData\Local\Temp\BoaT.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:2340
        • C:\Windows\SysWOW64\system.exe
          C:\Windows\system32\system.exe 540 "C:\Users\Admin\AppData\Local\Temp\BoaT.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\SysWOW64\system.exe
            C:\Windows\system32\system.exe 524 "C:\Windows\SysWOW64\system.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2356
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:2772
            • C:\Windows\SysWOW64\system.exe
              C:\Windows\system32\system.exe 536 "C:\Windows\SysWOW64\system.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:584
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2580
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:2976
              • C:\Windows\SysWOW64\system.exe
                C:\Windows\system32\system.exe 544 "C:\Windows\SysWOW64\system.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1864
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2196
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:2120
                • C:\Windows\SysWOW64\system.exe
                  C:\Windows\system32\system.exe 548 "C:\Windows\SysWOW64\system.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  PID:2688
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1976
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:1684
                  • C:\Windows\SysWOW64\system.exe
                    C:\Windows\system32\system.exe 552 "C:\Windows\SysWOW64\system.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:1420
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1092
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:820
                    • C:\Windows\SysWOW64\system.exe
                      C:\Windows\system32\system.exe 556 "C:\Windows\SysWOW64\system.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:1992
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3036
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:2676
                      • C:\Windows\SysWOW64\system.exe
                        C:\Windows\system32\system.exe 560 "C:\Windows\SysWOW64\system.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        PID:2288
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1380
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:1628
                        • C:\Windows\SysWOW64\system.exe
                          C:\Windows\system32\system.exe 564 "C:\Windows\SysWOW64\system.exe"
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          PID:2168
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c c:\a.bat
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3060
                            • C:\Windows\SysWOW64\regedit.exe
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              14⤵
                              • Modifies security service
                              • System Location Discovery: System Language Discovery
                              • Runs .reg file with regedit
                              PID:2612
    • C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe
      "C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Users\Admin\AppData\Local\Temp\is-DFCTF.tmp\is-75FRQ.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-DFCTF.tmp\is-75FRQ.tmp" /SL4 $30154 "C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe" 52497 52224
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    701B

    MD5

    e427a32326a6a806e7b7b4fdbbe0ed4c

    SHA1

    b10626953332aeb7c524f2a29f47ca8b0bee38b1

    SHA256

    b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

    SHA512

    6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    3KB

    MD5

    5e073629d751540b3512a229a7c56baf

    SHA1

    8d384f06bf3fe00d178514990ae39fc54d4e3941

    SHA256

    2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

    SHA512

    84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    431B

    MD5

    9fa547ff360b09f7e093593af0b5a13b

    SHA1

    9debc99bb7450f59a7b09f16c0393e5c7a955ba4

    SHA256

    7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705

    SHA512

    30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    1KB

    MD5

    a920eceddece6cf7f3487fd8e919af34

    SHA1

    a6dee2d31d4cbd1b18f5d3bc971521411a699889

    SHA256

    ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6

    SHA512

    a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

  • C:\Users\Admin\AppData\Local\Temp\1.reg

    Filesize

    925B

    MD5

    0d1e5715cf04d212bcd7c9dea5f7ab72

    SHA1

    a8add44bf542e4d22260a13de6a35704fb7f3bfb

    SHA256

    5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473

    SHA512

    89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

  • C:\Users\Admin\AppData\Local\Temp\bot.exe

    Filesize

    347KB

    MD5

    1575ea206dc9db18863f1a0560b045a5

    SHA1

    41cef1bf498a000d064441d89429d087bb4b2aa4

    SHA256

    651da0337c2dd9d56711f4f76b922d338df889fb0612d2160b5ace16369b0b57

    SHA512

    cc6d03688edfc49852e74ade7e58ccc0a6a3f8b004ad31861deaade78f98e44f0af5f523a1e64ee4378e5f4d592de6b109b2e2714ccee30710f71559248ead6c

  • C:\a.bat

    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

  • \Users\Admin\AppData\Local\Temp\BoaT.exe

    Filesize

    339KB

    MD5

    76b26527e2f56f4a59e59493d0e3ef84

    SHA1

    90272c83a9c39bf321620cadf86414dd7305298a

    SHA256

    a78b255bb7d3f67419907a440b330f964aad0702e9ab20f7c011566777381a97

    SHA512

    5b5be0c8752c8f9826b1a7c3cd082e1470885f91ee7be738b0c06e3e642d4ba99c2918c423c599cad87ddcdb262e09080dc672f4365c4253cca8fbd86bca4a2e

  • \Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe

    Filesize

    298KB

    MD5

    fbd455f1ccd102ac012f94b4879416a0

    SHA1

    cb0ca01b5c91cab02b08705aea9b6ed890d1c571

    SHA256

    f702e7302cebeb47f1516b2dd989b9c7a3daccc2de25c66c08cf39a09421b072

    SHA512

    08d862a5276c6893a0d39a8bb39e542fdec443c4b706696dd2149106ec0b87df8205de08da137fa5c05fc44a5b39d4e5841245a2a2cb594083d0dbb1d0c2aed1

  • \Users\Admin\AppData\Local\Temp\is-DFCTF.tmp\is-75FRQ.tmp

    Filesize

    656KB

    MD5

    4fa180886ff7c0fd86a65f760ede6318

    SHA1

    2c89c271c71531362e84ddab5d3028f0756a9281

    SHA256

    1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

    SHA512

    a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

  • \Users\Admin\AppData\Local\Temp\is-RU194.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\wr-1-1285.exe

    Filesize

    9KB

    MD5

    66061f51c9db08a88a239ce666eb4ae1

    SHA1

    55db97bf05ca3fd2c5f020cacebe3ad6e0ad0961

    SHA256

    8c768d20e683d4394a250c8097272bba44983531e2c587e33afe7baae31cf546

    SHA512

    94510ed8ef7395efa97e1c9b1bde072a6efe420ff2729c2b46d88961f5b7b4698f9b7a5a36387638a0be89d80ae5cbe7b954dd14535982efc8113bdbd6ee8fdd

  • memory/688-195-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/688-315-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/688-445-0x0000000000400000-0x00000000004B3000-memory.dmp

    Filesize

    716KB

  • memory/2680-28-0x0000000000270000-0x0000000000281000-memory.dmp

    Filesize

    68KB

  • memory/2680-27-0x0000000000270000-0x0000000000281000-memory.dmp

    Filesize

    68KB

  • memory/2680-23-0x0000000000270000-0x0000000000281000-memory.dmp

    Filesize

    68KB

  • memory/2680-18-0x0000000000270000-0x0000000000281000-memory.dmp

    Filesize

    68KB

  • memory/2780-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2780-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2780-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2964-58-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/2964-194-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB