Overview

overview

10

Static

static

3

e841024468...18.exe

windows7-x64

10

e841024468...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe

  • Size

    110KB

  • MD5

    e8410244689e36647b27b892a55f66ef

  • SHA1

    4d5cc05d075eb9d6744956c610a3d311c9fb7dee

  • SHA256

    0a0d2843578d60cf49e4a4976f893875cf601ab95254b680a518f74278c0f2b9

  • SHA512

    668a1500829888b11c054893e8ae715254cca04a0133929690a7d986280591b31f5030783f53e8bc03ec9c0f568685d13877d6db3ed1d5fe1c887f5ac4edd4fe

  • SSDEEP

    3072:EeQl+BkEjTJ0c4+S2Ra3KS2pNyZHo5p6a:5Ql+KeTJzs2Ra3h8p6a

Score
10/10
metasploitbackdoordiscoveryevasiontrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • Drops file in System32 directory 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:948
    • C:\Windows\SysWOW64\wintcp32.exe
      C:\Windows\system32\wintcp32.exe 1052 "C:\Users\Admin\AppData\Local\Temp\e8410244689e36647b27b892a55f66ef_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:3208
      • C:\Windows\SysWOW64\wintcp32.exe
        C:\Windows\system32\wintcp32.exe 1168 "C:\Windows\SysWOW64\wintcp32.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:1776
        • C:\Windows\SysWOW64\wintcp32.exe
          C:\Windows\system32\wintcp32.exe 1140 "C:\Windows\SysWOW64\wintcp32.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4728
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2376
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:1816
          • C:\Windows\SysWOW64\wintcp32.exe
            C:\Windows\system32\wintcp32.exe 1144 "C:\Windows\SysWOW64\wintcp32.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3244
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:516
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:2252
            • C:\Windows\SysWOW64\wintcp32.exe
              C:\Windows\system32\wintcp32.exe 1164 "C:\Windows\SysWOW64\wintcp32.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3836
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4860
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1848
              • C:\Windows\SysWOW64\wintcp32.exe
                C:\Windows\system32\wintcp32.exe 1148 "C:\Windows\SysWOW64\wintcp32.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5012
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3476
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:4452
                • C:\Windows\SysWOW64\wintcp32.exe
                  C:\Windows\system32\wintcp32.exe 1152 "C:\Windows\SysWOW64\wintcp32.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1248
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2096
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:4576
                  • C:\Windows\SysWOW64\wintcp32.exe
                    C:\Windows\system32\wintcp32.exe 1156 "C:\Windows\SysWOW64\wintcp32.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:4844
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1984
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:3444
                    • C:\Windows\SysWOW64\wintcp32.exe
                      C:\Windows\system32\wintcp32.exe 1176 "C:\Windows\SysWOW64\wintcp32.exe"
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:4836
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3900
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:4232
                      • C:\Windows\SysWOW64\wintcp32.exe
                        C:\Windows\system32\wintcp32.exe 1160 "C:\Windows\SysWOW64\wintcp32.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        PID:4172
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2616
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:3200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    fa83299c5a0d8714939977af6bdafa92

    SHA1

    46a4abab9b803a7361ab89d0ca000a367550e23c

    SHA256

    f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

    SHA512

    85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    b79d7c7385eb2936ecd5681762227a9b

    SHA1

    c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

    SHA256

    fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

    SHA512

    7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    3637baf389a0d79b412adb2a7f1b7d09

    SHA1

    f4b011a72f59cf98a325f12b7e40ddd0548ccc16

    SHA256

    835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

    SHA512

    ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    c1e5f93e2bee9ca33872764d8889de23

    SHA1

    167f65adfc34a0e47cb7de92cc5958ee8905796a

    SHA256

    8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

    SHA512

    482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    61ec72543aaac5c7b336d2b22f919c07

    SHA1

    5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d

    SHA256

    088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea

    SHA512

    e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1024B

    MD5

    159bb1d34a927f58fc851798c7c09b58

    SHA1

    c3a26565004531f3a93e29eabb0f9a196b4c1ba2

    SHA256

    53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd

    SHA512

    b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    82fb85e6f9058c36d57abc2350ffee7e

    SHA1

    f52708d066380d42924513f697ab4ed5492f78b8

    SHA256

    0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

    SHA512

    27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    e2d37af73d5fe4a504db3f8c0d560e3d

    SHA1

    88c6bf5b485dd9c79283ccb5d2546ffbb95e563d

    SHA256

    e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008

    SHA512

    8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    d085cde42c14e8ee2a5e8870d08aee42

    SHA1

    c8e967f1d301f97dbcf252d7e1677e590126f994

    SHA256

    a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

    SHA512

    de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    538B

    MD5

    d67d51b859c99a46a906a4c3a6ff6560

    SHA1

    b685cc703a1c86ba8ad681b545a6f3014b80d585

    SHA256

    33d0a27d49cd3cfa5a4ef5027d3defe60a3f7be1a3914870390b9829d360937a

    SHA512

    c986416a115ca162ee28d5dfd1159538d81a751e4961340415718c0d1f0ffa4d80675b4b698ed039eef86cbe1b2c0b01a0004dea39111056013d3e0a0179cedd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    784B

    MD5

    5a466127fedf6dbcd99adc917bd74581

    SHA1

    a2e60b101c8789b59360d95a64ec07d0723c4d38

    SHA256

    8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

    SHA512

    695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    584f47a0068747b3295751a0d591f4ee

    SHA1

    7886a90e507c56d3a6105ecdfd9ff77939afa56f

    SHA256

    927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

    SHA512

    ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    501effddf60a974e98b67dc8921aa7e8

    SHA1

    734dfe4b508dbc1527ec92e91821a1251aec5b2e

    SHA256

    672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

    SHA512

    28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    ad9e5e67282bb74482c05e3bf2eb188b

    SHA1

    10b02442ea4b1151a2334645c3e290a82ecfad1f

    SHA256

    7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f

    SHA512

    b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

    Download Submit

  • C:\Windows\SysWOW64\wintcp32.exe
    Filesize

    110KB

    MD5

    e8410244689e36647b27b892a55f66ef

    SHA1

    4d5cc05d075eb9d6744956c610a3d311c9fb7dee

    SHA256

    0a0d2843578d60cf49e4a4976f893875cf601ab95254b680a518f74278c0f2b9

    SHA512

    668a1500829888b11c054893e8ae715254cca04a0133929690a7d986280591b31f5030783f53e8bc03ec9c0f568685d13877d6db3ed1d5fe1c887f5ac4edd4fe

    Download Submit

  • \??\c:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • memory/1248-900-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3244-564-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3388-0-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3388-227-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3836-676-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4172-1236-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4328-340-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4728-452-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4836-1124-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4844-1012-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4944-228-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/5012-788-0x0000000000400000-0x0000000000543722-memory.dmp

    Filesize

    1.3MB

    Download