Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2024 01:00

General

  • Target

    JaffaCakes118_da5c5e3b9cbccb6467f171e3cd5241fa5a42ce54d9b874c2b510cd9a8ddf4ff8.pdf

  • Size

    932KB

  • MD5

    3dae7a05120042b75fb4f20925a14489

  • SHA1

    527e8b08d3c49c0c4d6fce4e1f4a55755fcb5c7d

  • SHA256

    da5c5e3b9cbccb6467f171e3cd5241fa5a42ce54d9b874c2b510cd9a8ddf4ff8

  • SHA512

    328bc5bcc861bf42cce9737b9921877b9476a40dabbe75bff55d928ccc2d3c02e4fb78e0eebd78f9155058aff870ce608724aac9e6fbd8cd5f35b0ec6b20b9d8

  • SSDEEP

    24576:t/5xFNDwdEpg0Z6NWUzrjheEZjAowHKaEdx6KTH:5zFND8r0oNWUzrjhmEdxJH

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/reverse_tcp
  • C2
    35.186.238.101:443

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da5c5e3b9cbccb6467f171e3cd5241fa5a42ce54d9b874c2b510cd9a8ddf4ff8.pdf"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\cs_sb.pdf" (cd "Desktop"))&(if exist "My Documents\cs_sb.pdf" (cd "My Documents"))&(if exist "Documents\cs_sb.pdf" (cd "Documents"))&(if exist "Escritorio\cs_sb.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\cs_sb.pdf" (cd "Mis Documentos"))&(start cs_sb.pdf) Could not open PDF: Something's wrong
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2540
      • \??\c:\Users\Admin\Documents\cs_sb.pdf
        cs_sb.pdf
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    0499402f91fee7073506cc982c5a48a2

    SHA1

    b9b9edae24bf8faccf4798626311c34300ad06f2

    SHA256

    94101fed5e66133ccfc1cad0b1118a68cfe2774d75b86d2636c658e5091e6ae5

    SHA512

    c0b10069bc6fc3114fd191308a8017cfbe1a1c4587298ed7da2c6933b00fb75973b8b59c9531b244ca13bc565195afb7bbf033efda2ea69dad304c9e4647692a

  • \??\c:\Users\Admin\Documents\cs_sb.pdf

    Filesize

    72KB

    MD5

    46b94b29185816ba5b3512e26762b674

    SHA1

    e23e55f2a9d26fda658c5150cbe63a062a1617cf

    SHA256

    b7c860a8cd22c7a1a402edc7442356ab42bd27b57707d38f861feee2b193f28a

    SHA512

    98d6e1b2be706e53aa8af3171b0ce7cd838e722999c40ed4112a3c79c7d5f0eb327b593e0cc51e7d923029e05a9e4834d358aedb6dd12fdda10da099bc307f41