metasploit | e04c2cb66a5a074f17ac0211fad1ea2ff2f37ea684c6818ef7e5d40c600b3c58

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe
Size

685KB
MD5

ee523f0176978f2eb9ff29bb3215c9fd
SHA1

6345856c55e24dbc6d4cfef9708582925b71d784
SHA256

e04c2cb66a5a074f17ac0211fad1ea2ff2f37ea684c6818ef7e5d40c600b3c58
SHA512

ef0a0a70cbc4e7c60c69963413f9e00d54fabd730eb5f4182d7a070fbb537094d3b6c4970ef45afab755d517d68d30389d03c3b064def9c4cb2b0f6914157ca7
SSDEEP

12288:zOBItp7ioIt4mAlgdFDb4TzBnlDxKMIQvSGCpVdXsqd1I:zOBC+8IDb4TlnSMlSzpVdXsu

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdrv32.sys	wmibusn.exe

Deletes itself 1 IoCs

pid	Process
2900	wmibusn.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	wmibusn.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wmibusn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2272	ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe
2900	wmibusn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wmibusn.exe	ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe
File opened for modification	C:\Windows\system\wmibusn.exe	ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmibusn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 21 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2460	ipconfig.exe
1876	ipconfig.exe
2516	ipconfig.exe
2700	ipconfig.exe
2828	ipconfig.exe
844	ipconfig.exe
1216	ipconfig.exe
2432	ipconfig.exe
2136	ipconfig.exe
280	ipconfig.exe
2340	ipconfig.exe
2708	ipconfig.exe
2808	ipconfig.exe
2788	ipconfig.exe
1328	ipconfig.exe
1532	ipconfig.exe
3016	ipconfig.exe
2380	ipconfig.exe
2744	ipconfig.exe
2080	ipconfig.exe
1868	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmibusn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wmibusn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wmibusn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmibusn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmibusn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wmibusn.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2272	ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe
2900	wmibusn.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	wmibusn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2788	2900	wmibusn.exe	31
PID 2900 wrote to memory of 2788	2900	wmibusn.exe	31
PID 2900 wrote to memory of 2788	2900	wmibusn.exe	31
PID 2900 wrote to memory of 2788	2900	wmibusn.exe	31
PID 2900 wrote to memory of 2828	2900	wmibusn.exe	33
PID 2900 wrote to memory of 2828	2900	wmibusn.exe	33
PID 2900 wrote to memory of 2828	2900	wmibusn.exe	33
PID 2900 wrote to memory of 2828	2900	wmibusn.exe	33
PID 2900 wrote to memory of 1868	2900	wmibusn.exe	35
PID 2900 wrote to memory of 1868	2900	wmibusn.exe	35
PID 2900 wrote to memory of 1868	2900	wmibusn.exe	35
PID 2900 wrote to memory of 1868	2900	wmibusn.exe	35
PID 2900 wrote to memory of 2460	2900	wmibusn.exe	37
PID 2900 wrote to memory of 2460	2900	wmibusn.exe	37
PID 2900 wrote to memory of 2460	2900	wmibusn.exe	37
PID 2900 wrote to memory of 2460	2900	wmibusn.exe	37
PID 2900 wrote to memory of 1876	2900	wmibusn.exe	39
PID 2900 wrote to memory of 1876	2900	wmibusn.exe	39
PID 2900 wrote to memory of 1876	2900	wmibusn.exe	39
PID 2900 wrote to memory of 1876	2900	wmibusn.exe	39
PID 2900 wrote to memory of 2432	2900	wmibusn.exe	41
PID 2900 wrote to memory of 2432	2900	wmibusn.exe	41
PID 2900 wrote to memory of 2432	2900	wmibusn.exe	41
PID 2900 wrote to memory of 2432	2900	wmibusn.exe	41
PID 2900 wrote to memory of 2136	2900	wmibusn.exe	43
PID 2900 wrote to memory of 2136	2900	wmibusn.exe	43
PID 2900 wrote to memory of 2136	2900	wmibusn.exe	43
PID 2900 wrote to memory of 2136	2900	wmibusn.exe	43
PID 2900 wrote to memory of 1328	2900	wmibusn.exe	45
PID 2900 wrote to memory of 1328	2900	wmibusn.exe	45
PID 2900 wrote to memory of 1328	2900	wmibusn.exe	45
PID 2900 wrote to memory of 1328	2900	wmibusn.exe	45
PID 2900 wrote to memory of 280	2900	wmibusn.exe	47
PID 2900 wrote to memory of 280	2900	wmibusn.exe	47
PID 2900 wrote to memory of 280	2900	wmibusn.exe	47
PID 2900 wrote to memory of 280	2900	wmibusn.exe	47
PID 2900 wrote to memory of 1532	2900	wmibusn.exe	49
PID 2900 wrote to memory of 1532	2900	wmibusn.exe	49
PID 2900 wrote to memory of 1532	2900	wmibusn.exe	49
PID 2900 wrote to memory of 1532	2900	wmibusn.exe	49
PID 2900 wrote to memory of 2516	2900	wmibusn.exe	52
PID 2900 wrote to memory of 2516	2900	wmibusn.exe	52
PID 2900 wrote to memory of 2516	2900	wmibusn.exe	52
PID 2900 wrote to memory of 2516	2900	wmibusn.exe	52
PID 2900 wrote to memory of 3016	2900	wmibusn.exe	54
PID 2900 wrote to memory of 3016	2900	wmibusn.exe	54
PID 2900 wrote to memory of 3016	2900	wmibusn.exe	54
PID 2900 wrote to memory of 3016	2900	wmibusn.exe	54
PID 2900 wrote to memory of 2340	2900	wmibusn.exe	56
PID 2900 wrote to memory of 2340	2900	wmibusn.exe	56
PID 2900 wrote to memory of 2340	2900	wmibusn.exe	56
PID 2900 wrote to memory of 2340	2900	wmibusn.exe	56
PID 2900 wrote to memory of 1216	2900	wmibusn.exe	58
PID 2900 wrote to memory of 1216	2900	wmibusn.exe	58
PID 2900 wrote to memory of 1216	2900	wmibusn.exe	58
PID 2900 wrote to memory of 1216	2900	wmibusn.exe	58
PID 2900 wrote to memory of 2380	2900	wmibusn.exe	60
PID 2900 wrote to memory of 2380	2900	wmibusn.exe	60
PID 2900 wrote to memory of 2380	2900	wmibusn.exe	60
PID 2900 wrote to memory of 2380	2900	wmibusn.exe	60
PID 2900 wrote to memory of 2708	2900	wmibusn.exe	62
PID 2900 wrote to memory of 2708	2900	wmibusn.exe	62
PID 2900 wrote to memory of 2708	2900	wmibusn.exe	62
PID 2900 wrote to memory of 2708	2900	wmibusn.exe	62

C:\Users\Admin\AppData\Local\Temp\ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee523f0176978f2eb9ff29bb3215c9fd_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\system\wmibusn.exe
"C:\Windows\system\wmibusn.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2788
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2828
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1868
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2460
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1876
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2432
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2136
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1328
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:280
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1532
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2516
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:3016
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2340
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:1216
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2380
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2708
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2700
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2744
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2808
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:844
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\wmibusn.exe

Filesize
685KB

MD5
ee523f0176978f2eb9ff29bb3215c9fd

SHA1
6345856c55e24dbc6d4cfef9708582925b71d784

SHA256
e04c2cb66a5a074f17ac0211fad1ea2ff2f37ea684c6818ef7e5d40c600b3c58

SHA512
ef0a0a70cbc4e7c60c69963413f9e00d54fabd730eb5f4182d7a070fbb537094d3b6c4970ef45afab755d517d68d30389d03c3b064def9c4cb2b0f6914157ca7

Download Submit
memory/2272-1-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2272-2-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2272-6-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2272-5-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2272-7-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2272-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-21-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-25-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-11-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-13-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-15-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-17-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-18-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-19-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-20-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-9-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-22-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-23-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-24-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-10-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-26-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-27-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-28-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-29-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-30-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-31-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-32-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-33-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-34-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-35-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-36-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-37-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2900-38-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download