Overview

overview

10

Static

static

3

e841024468...18.exe

windows7-x64

10

e841024468...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe

  • Size

    110KB

  • MD5

    e8410244689e36647b27b892a55f66ef

  • SHA1

    4d5cc05d075eb9d6744956c610a3d311c9fb7dee

  • SHA256

    0a0d2843578d60cf49e4a4976f893875cf601ab95254b680a518f74278c0f2b9

  • SHA512

    668a1500829888b11c054893e8ae715254cca04a0133929690a7d986280591b31f5030783f53e8bc03ec9c0f568685d13877d6db3ed1d5fe1c887f5ac4edd4fe

  • SSDEEP

    3072:EeQl+BkEjTJ0c4+S2Ra3KS2pNyZHo5p6a:5Ql+KeTJzs2Ra3h8p6a

Score
10/10
metasploitbackdoordiscoveryevasiontrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2364
    • C:\Windows\SysWOW64\wintcp32.exe
      C:\Windows\system32\wintcp32.exe 496 "C:\Users\Admin\AppData\Local\Temp\e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:1636
      • C:\Windows\SysWOW64\wintcp32.exe
        C:\Windows\system32\wintcp32.exe 536 "C:\Windows\SysWOW64\wintcp32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:612
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:3056
        • C:\Windows\SysWOW64\wintcp32.exe
          C:\Windows\system32\wintcp32.exe 540 "C:\Windows\SysWOW64\wintcp32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:1152
          • C:\Windows\SysWOW64\wintcp32.exe
            C:\Windows\system32\wintcp32.exe 544 "C:\Windows\SysWOW64\wintcp32.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1104
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2396
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:572
            • C:\Windows\SysWOW64\wintcp32.exe
              C:\Windows\system32\wintcp32.exe 548 "C:\Windows\SysWOW64\wintcp32.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2612
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2968
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:2996
              • C:\Windows\SysWOW64\wintcp32.exe
                C:\Windows\system32\wintcp32.exe 552 "C:\Windows\SysWOW64\wintcp32.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                PID:1680
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:540
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:2420
                • C:\Windows\SysWOW64\wintcp32.exe
                  C:\Windows\system32\wintcp32.exe 556 "C:\Windows\SysWOW64\wintcp32.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  PID:316
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:380
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:2816
                  • C:\Windows\SysWOW64\wintcp32.exe
                    C:\Windows\system32\wintcp32.exe 560 "C:\Windows\SysWOW64\wintcp32.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:2792
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2588
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:2732
                    • C:\Windows\SysWOW64\wintcp32.exe
                      C:\Windows\system32\wintcp32.exe 564 "C:\Windows\SysWOW64\wintcp32.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:2180
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:348
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:876
                      • C:\Windows\SysWOW64\wintcp32.exe
                        C:\Windows\system32\wintcp32.exe 528 "C:\Windows\SysWOW64\wintcp32.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        PID:2964
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2248
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:1540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    908860a865f8ed2e14085e35256578dd

    SHA1

    7ff5ee35cc7e96a661848eb95a70d0b8d2d78603

    SHA256

    d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f

    SHA512

    a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    501effddf60a974e98b67dc8921aa7e8

    SHA1

    734dfe4b508dbc1527ec92e91821a1251aec5b2e

    SHA256

    672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

    SHA512

    28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    5e073629d751540b3512a229a7c56baf

    SHA1

    8d384f06bf3fe00d178514990ae39fc54d4e3941

    SHA256

    2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

    SHA512

    84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    3bd23392c6fcc866c4561388c1dc72ac

    SHA1

    c4b1462473f1d97fed434014532ea344b8fc05c1

    SHA256

    696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43

    SHA512

    15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    206B

    MD5

    2d9f1ff716273d19e3f0d10a3cd8736f

    SHA1

    b4ca02834dd3f3489c5088d2157279d2be90f5ff

    SHA256

    9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623

    SHA512

    1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    849B

    MD5

    558ce6da965ba1758d112b22e15aa5a2

    SHA1

    a365542609e4d1dc46be62928b08612fcabe2ede

    SHA256

    c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

    SHA512

    37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    384B

    MD5

    c93c561465db53bf9a99759de9d25f07

    SHA1

    5386934828e2c2589bfe394ac1f03ffbfba93bfa

    SHA256

    32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

    SHA512

    bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

    Download Submit

  • C:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • \Windows\SysWOW64\wintcp32.exe
    Filesize

    110KB

    MD5

    e8410244689e36647b27b892a55f66ef

    SHA1

    4d5cc05d075eb9d6744956c610a3d311c9fb7dee

    SHA256

    0a0d2843578d60cf49e4a4976f893875cf601ab95254b680a518f74278c0f2b9

    SHA512

    668a1500829888b11c054893e8ae715254cca04a0133929690a7d986280591b31f5030783f53e8bc03ec9c0f568685d13877d6db3ed1d5fe1c887f5ac4edd4fe

    Download Submit

  • memory/316-964-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1104-487-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1104-607-0x00000000029A0000-0x0000000002AE4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1104-606-0x00000000029A0000-0x0000000002AE4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1104-603-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1680-845-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1680-729-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1708-236-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1708-125-0x00000000029B0000-0x0000000002AF4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1708-127-0x00000000029B0000-0x0000000002AF4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1708-0-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2104-244-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2104-363-0x00000000029C0000-0x0000000002B04000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2104-360-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2180-1203-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2612-724-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2612-727-0x0000000002A20000-0x0000000002B64000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-240-0x00000000029B0000-0x0000000002AF4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-238-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-242-0x00000000029B0000-0x0000000002AF4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-126-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2792-975-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2792-1084-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-484-0x00000000029C0000-0x0000000002B04000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-365-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-486-0x00000000029C0000-0x0000000002B04000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-481-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2964-1214-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2964-1323-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download