Overview

overview

10

Static

static

10

feb88dc5b2...18.exe

windows7-x64

10

feb88dc5b2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 05:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe

  • Size

    107KB

  • MD5

    feb88dc5b2bd9fa79aa8ce51a2077e8e

  • SHA1

    b1382abc4efeecba978b39af05728ec2357e5deb

  • SHA256

    e3bd5002521558fd23676379b46b6e0526befd56474c2b989d74e6ac150e0784

  • SHA512

    f62d1629d3e12675bbb3c47e22d4a22a67c73230679ae7ad8b2ddcf51bc6d3fa7375d7999dd279ab4053d2b074a263f02327afba7360cca220d7ce3830aea448

  • SSDEEP

    3072:zZ5iA33ue5BYdpCfaymPI7o7GJGPVu76Zj9Knv88X0m:zZgA33uiB6pz6aQUO6Zov88X/

Score
10/10
metasploitbackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies security service 2 TTPs 20 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops file in System32 directory 22 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2752
    • C:\Windows\SysWOW64\mswin.exe
      C:\Windows\system32\mswin.exe 472 "C:\Users\Admin\AppData\Local\Temp\feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1432
      • C:\Windows\SysWOW64\mswin.exe
        C:\Windows\system32\mswin.exe 524 "C:\Windows\SysWOW64\mswin.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:688
        • C:\Windows\SysWOW64\mswin.exe
          C:\Windows\system32\mswin.exe 532 "C:\Windows\SysWOW64\mswin.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2400
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:3012
          • C:\Windows\SysWOW64\mswin.exe
            C:\Windows\system32\mswin.exe 536 "C:\Windows\SysWOW64\mswin.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2680
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:2572
            • C:\Windows\SysWOW64\mswin.exe
              C:\Windows\system32\mswin.exe 528 "C:\Windows\SysWOW64\mswin.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1960
              • C:\Windows\SysWOW64\mswin.exe
                C:\Windows\system32\mswin.exe 540 "C:\Windows\SysWOW64\mswin.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                PID:292
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2380
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • System Location Discovery: System Language Discovery
                    • Runs .reg file with regedit
                    PID:2024
                • C:\Windows\SysWOW64\mswin.exe
                  C:\Windows\system32\mswin.exe 544 "C:\Windows\SysWOW64\mswin.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  PID:2808
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1156
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • System Location Discovery: System Language Discovery
                      • Runs .reg file with regedit
                      PID:376
                  • C:\Windows\SysWOW64\mswin.exe
                    C:\Windows\system32\mswin.exe 548 "C:\Windows\SysWOW64\mswin.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:1416
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1080
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        11⤵
                        • Modifies security service
                        • System Location Discovery: System Language Discovery
                        • Runs .reg file with regedit
                        PID:2784
                    • C:\Windows\SysWOW64\mswin.exe
                      C:\Windows\system32\mswin.exe 552 "C:\Windows\SysWOW64\mswin.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:2792
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c c:\a.bat
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2796
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          12⤵
                          • Modifies security service
                          • System Location Discovery: System Language Discovery
                          • Runs .reg file with regedit
                          PID:1896
                      • C:\Windows\SysWOW64\mswin.exe
                        C:\Windows\system32\mswin.exe 556 "C:\Windows\SysWOW64\mswin.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        PID:2056
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:820
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            13⤵
                            • Modifies security service
                            • System Location Discovery: System Language Discovery
                            • Runs .reg file with regedit
                            PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    9e5db93bd3302c217b15561d8f1e299d

    SHA1

    95a5579b336d16213909beda75589fd0a2091f30

    SHA256

    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

    SHA512

    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    206B

    MD5

    2d9f1ff716273d19e3f0d10a3cd8736f

    SHA1

    b4ca02834dd3f3489c5088d2157279d2be90f5ff

    SHA256

    9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623

    SHA512

    1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    476B

    MD5

    a5d4cddfecf34e5391a7a3df62312327

    SHA1

    04a3c708bab0c15b6746cf9dbf41a71c917a98b9

    SHA256

    8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a

    SHA512

    48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    3KB

    MD5

    5e073629d751540b3512a229a7c56baf

    SHA1

    8d384f06bf3fe00d178514990ae39fc54d4e3941

    SHA256

    2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

    SHA512

    84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    8c6aa92ac8ffdfb7a0fb3dafd14d65f1

    SHA1

    cac3992d696a99a5dec2ab1c824c816117414b16

    SHA256

    dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa

    SHA512

    f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    908860a865f8ed2e14085e35256578dd

    SHA1

    7ff5ee35cc7e96a661848eb95a70d0b8d2d78603

    SHA256

    d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f

    SHA512

    a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    895301bce84d6fe707b5cfd50f1f9f97

    SHA1

    50a012f59655621768f624c4571654145663c042

    SHA256

    b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

    SHA512

    a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    2KB

    MD5

    b79d7c7385eb2936ecd5681762227a9b

    SHA1

    c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

    SHA256

    fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

    SHA512

    7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    298B

    MD5

    4117e5a9c995bab9cd3bce3fc2b99a46

    SHA1

    80144ccbad81c2efb1df64e13d3d5f59ca4486da

    SHA256

    37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

    SHA512

    bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    110B

    MD5

    b6b8b04c60361e2df1d3e29fc4fc3138

    SHA1

    bd732238f8d5894ca6020081adef617dabadf94e

    SHA256

    f255a5447d3a3eda8715938993357971faeabf92eecf172e2fc0dfbdaa239c1b

    SHA512

    16e7247fdc0c1191229ea44b4f6584dce588255e775642c343cffb2030c05bd77f4eb716d87d21defb0fe7edcc62a7a2e12ecbebbd72bc9a5247934fdd02fe40

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize

    1KB

    MD5

    e2d37af73d5fe4a504db3f8c0d560e3d

    SHA1

    88c6bf5b485dd9c79283ccb5d2546ffbb95e563d

    SHA256

    e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008

    SHA512

    8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

    Download Submit

  • C:\a.bat
    Filesize

    5KB

    MD5

    0019a0451cc6b9659762c3e274bc04fb

    SHA1

    5259e256cc0908f2846e532161b989f1295f479b

    SHA256

    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

    SHA512

    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

    Download Submit

  • \Windows\SysWOW64\mswin.exe
    Filesize

    107KB

    MD5

    feb88dc5b2bd9fa79aa8ce51a2077e8e

    SHA1

    b1382abc4efeecba978b39af05728ec2357e5deb

    SHA256

    e3bd5002521558fd23676379b46b6e0526befd56474c2b989d74e6ac150e0784

    SHA512

    f62d1629d3e12675bbb3c47e22d4a22a67c73230679ae7ad8b2ddcf51bc6d3fa7375d7999dd279ab4053d2b074a263f02327afba7360cca220d7ce3830aea448

    Download Submit

  • memory/292-738-0x0000000000730000-0x00000000007C3000-memory.dmp

    Filesize

    588KB

    Download

  • memory/292-735-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1260-252-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1416-976-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1976-129-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1976-124-0x0000000002470000-0x0000000002503000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1976-0-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2056-1217-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2168-615-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2488-130-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2488-134-0x00000000024B0000-0x0000000002543000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2488-133-0x00000000024B0000-0x0000000002543000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2612-372-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2612-376-0x0000000002E40000-0x0000000002ED3000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2612-374-0x0000000002E40000-0x0000000002ED3000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2792-986-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2792-1097-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2808-856-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2980-498-0x00000000007A0000-0x0000000000833000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2980-494-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download